iptables blocking some ack fin packets
On 17.01.2008 21:49:52 by zebio
Hi all, hoping someone here can help me out, as I can't seem to
understand what the issue is.
I have a server that runs a mail server on port 25, lets call it XXX.
Mail to this server is only allowed on port 25 from the mail scanning
server called ZZZ.
When the local server XXX sends the ACK FIN to acknowledge the client
side's request to terminate, it works fine, since I allow anything
outbound. The problem is when the remote side sends the ACK FIN: it
passes all my iptables rules and gets rejected.
Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25 DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Jan 16 12:23:07 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=13994 DF PROTO=TCP SPT=60919 DPT=25 WINDOW=63 RES=0x00 ACK FIN URGP=0
Here are my firewall rules. I'm hoping someone can tell me how I can
fix this or what I'm doing wrong.
/etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --dport 3410 -j DROP
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -p tcp --sport 10000 -j DROP
# accept anything established
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept anything new on 25
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 15/minute -j LOG --log-level warning --log-prefix " COMING IN AND REJECTED: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
iptables -vL output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source               destination
3154K 1566M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 3357K packets, 2113M bytes)
 pkts bytes target               prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 307K  266M ACCEPT     all  --  lo     any     anywhere             anywhere
  152  9069 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:3410
   30  1536 DROP       tcp  --  any    any     anywhere             anywhere            tcp spt:10000
2617K 1289M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
28525 1709K ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:smtp
    0     0 REJECT     udp  --  any    any     anywhere             anywhere            udp dpt:netbios-ns reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  any    any     anywhere             anywhere            udp dpt:netbios-dgm reject-with icmp-port-unreachable
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ntp
    0     0 REJECT     udp  --  any    any     anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
 2800  171K LOG        all  --  any    any     anywhere             anywhere            limit: avg 15/min burst 5 LOG level warning prefix ` COMING IN AND REJECTED: '
 5201  317K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-port-unreachable
Thanks in advance, P
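Added example, not part of the original post: a small parser for lines in the kernel LOG format quoted above, which sorts the rejected packets by their TCP flags. The point it makes is that the posted ruleset only has two ways to accept TCP on port 25, state NEW or state ESTABLISHED,RELATED, and Linux connection tracking never creates a NEW entry from a FIN or RST: a teardown packet for which there is no conntrack entry is classed INVALID, matches neither rule, and falls through to the LOG and REJECT lines. The classifier separates those from genuine connection attempts (SYN without ACK), and a flow comparison shows that the two quoted log lines are not the two halves of one connection (25 to 35322 versus 60919 to 25). The first two sample lines are the ones from the post with the hosts XXX and ZZZ left as written; the three further lines, the address 10.9.8.7 and the category names are constructed for illustration.

```python
"""Classify packets reported by an iptables LOG rule by their TCP flags.

Added example, not code from the original post. The first two sample lines
are the ones quoted in the post (hosts XXX/ZZZ as written there); the other
three lines and the address 10.9.8.7 are constructed for illustration.
"""
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# The LOG target writes "<timestamp> <host> kernel: <prefix>IN=... OUT=..." followed
# by KEY=VALUE fields; for TCP the set flag names appear as bare words before URGP=.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Za-z]+)=(?P<val>\S*)")

SAMPLE_LOG = """\
Jan 16 12:23:03 pop kernel: GOING OUT: in= OUT=eth0 SRC=XXX DST=ZZZ LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51011 DF PROTO=TCP SPT=25 DPT=35322 WINDOW=5792 RES=0x00 ACK FIN URGP=0
Jan 16 12:23:07 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=13994 DF PROTO=TCP SPT=60919 DPT=25 WINDOW=63 RES=0x00 ACK FIN URGP=0
Jan 16 12:24:01 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=10.9.8.7 DST=XXX LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 16 12:24:05 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=10.9.8.7 DST=XXX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Jan 16 12:24:09 pop kernel: COMING IN AND REJECTED: IN=eth0 OUT= MAC=00:13:72:f7:d2:13:00:03:a0:0b:04:70:08:00 SRC=ZZZ DST=XXX LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=13995 DF PROTO=TCP SPT=60919 DPT=25 WINDOW=63 RES=0x00 ACK FIN URGP=0
"""


def parse_log_line(line):
    """Return prefix, addresses, ports and flags of one LOG line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first_kv = KV_RE.search(rest)  # the log prefix is everything before the first KEY=
    if not first_kv:
        return None
    fields = {kv.group("key").upper(): kv.group("val") for kv in KV_RE.finditer(rest)}
    flags = {tok for tok in rest[first_kv.start():].split() if tok in TCP_FLAGS}
    return {
        "ts": m.group("ts"),
        "prefix": rest[:first_kv.start()].strip(),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "flags": flags,
    }


def classify(rec):
    """Say why a rejected packet matched neither the NEW rule nor the ESTABLISHED rule."""
    if rec["proto"] != "TCP":
        return "non-tcp"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        # A real connection attempt: conntrack calls it NEW, and the only NEW rule in
        # the posted ruleset is for dport 25, so any other port is rejected by policy.
        return "connection-attempt"
    if "FIN" in f or "RST" in f:
        # Teardown packet with no conntrack entry behind it. Conntrack never creates a
        # NEW entry from a FIN or RST (the packet is INVALID), so it matches neither
        # --state NEW nor --state ESTABLISHED,RELATED and falls through to LOG/REJECT.
        return "untracked-teardown"
    # Bare ACK/PSH without an entry; can be picked up as NEW when ip_conntrack_tcp_loose is on.
    return "untracked-midstream"


def same_flow(a, b):
    """True when two records belong to the same TCP connection, in either direction."""
    fwd = (a["src"], a["spt"], a["dst"], a["dpt"])
    return fwd in ((b["src"], b["spt"], b["dst"], b["dpt"]),
                   (b["dst"], b["dpt"], b["src"], b["spt"]))


def summarise(log_text, prefix="COMING IN AND REJECTED:"):
    """Count packets logged under one prefix by (category, source, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix:
            counts[(classify(rec), rec["src"], rec["dpt"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LOG).items(), key=str):
        print(n, key)
```

Run on a real /var/log/messages, the `untracked-teardown` bucket is the one to watch: a large count there means connection tracking lost the entries before the peer finished closing, which /proc/net/ip_conntrack (the conntrack table on kernels of that era) will show directly. Rulesets of this shape usually place `-m state --state INVALID -j DROP` just before the LOG rule so that such packets are silently discarded rather than logged and answered with an ICMP port-unreachable; whether that is the whole remedy here depends on why the entry was missing, which the log alone does not tell.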