LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-20-2016, 01:55 PM   #1
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Rep: Reputation: 48
invalid flagged packets dropped


I have the following two rules in iptables:
Code:
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "INVFLAGS: "
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
This was achieving by using ! --syn -j DROP

I connected through ssh to the server that has these rules, and all of a sudden I saw in /var/log/messages Jan 20 20:42:56 hostname kernel: INVFLAGS: IN=eth0 OUT= MAC=de:51:b9:2f:f5:e5:00:19:56:29:3f:7f:08:00 SRC=MY.HOME.IP.ADDR. DST=X.X.X.X LEN=88 TOS=0x00 PREC=0x00 TTL=56 ID=29505 DF PROTO=TCP SPT=55520 DPT=22 WINDOW=4096 RES=0x00 ACK PSH URGP=0

So my computer was sending what one would consider packets with invalid flags. Why is this happening?

I'm also seeing the ACK PSH flags there, and I'm not sure how I should interpret them.

The thing is, my ssh connection works perfectly, so I'm not sure what is dropping and why this is happening.

Any thoughts? Thanks
 
Old 01-22-2016, 12:19 PM   #2
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 783
Blog Entries: 1

Rep: Reputation: 123Reputation: 123
You are aware that '!' means Not Equal to?
Without seeing your entire rule set it is hard to say why you are even allowed to connect.
 
Old 01-24-2016, 12:18 PM   #3
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by lazydog View Post
You are aware that '!' means Not Equal to?
Without seeing your entire rule set it is hard to say why you are even allowed to connect.
To be honest, I don't understand your question in this context. Does the rule not make sense to you with the ! negation? To me, this is just a "classical" rule that makes sure that new tcp connections start with a SYN flag, so making sure that the three-way handshake is done properly.

Anyway, these are the rules that allow for the ssh connection:

Code:
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --mask 255.255.255.255 --rsource -j DROP
 
Old 01-26-2016, 12:25 PM   #4
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 783
Blog Entries: 1

Rep: Reputation: 123Reputation: 123
Do you have a ESTABLISHED and RELATED rule at the top of your chains? Again we are back to the point that without knowing how your rules are setup it is a shot in the dark to tell you why one thing is working or not working as expected.
 
Old 01-26-2016, 02:48 PM   #5
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Quote:
Originally Posted by lazydog View Post
Do you have a ESTABLISHED and RELATED rule at the top of your chains? Again we are back to the point that without knowing how your rules are setup it is a shot in the dark to tell you why one thing is working or not working as expected.
Yes I do have that rule. Otherwise, the connection wouldn't have worked altogether. The thing is, I don't see anything wrong the ssh connection, except for those logs.
 
Old 01-27-2016, 12:56 PM   #6
lazydog
Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 783
Blog Entries: 1

Rep: Reputation: 123Reputation: 123
Is this the only logging rule you have?
 
Old 01-27-2016, 01:37 PM   #7
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Yes
 
Old 02-09-2016, 01:25 PM   #8
vincix
Member
 
Registered: Feb 2011
Distribution: Centos 6.7, 7
Posts: 514

Original Poster
Rep: Reputation: 48
Amazing help, as usual
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Logging DROPPED and INVALID packets Sleestak_vs_The_Gorn Linux - Security 2 10-19-2010 02:23 PM
Dropped packets Doolspin Linux - Software 1 10-22-2006 02:22 PM
too much dropped packets...Hi.. alaios Linux - Networking 2 02-10-2005 05:49 AM
tcpdump and dropped packets Blindsight Linux - Networking 5 07-14-2003 11:41 PM
dropped packets... sohmc Linux - Software 3 05-29-2003 10:26 AM


All times are GMT -5. The time now is 08:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration