Since the beginning of this year I have been using iptables for firewalls. Once I learnt the basics, I have had no issues setting up connections such as SSH, FTP, websites etc. and blocking all other traffic.
Where I seem to be consistently floundering (on several firewall systems) is that I am seeing a lot of dropped connections for established or related traffic on specific ports. Most ports: no issues. The problem seems to be services such as ActiveSync or a remote support agent where there is a 24/7 constant connection.
For example, on my mail server system I see a lot of the following dropped connections:
Source port 443, ACK PSH URGP=0, dropped. The source IP is the mail server and it is obviously trying to send something back to the client, which I have determined is an ActiveSync client.
I have the following rules in place, in the order shown. I drop all traffic by default. I allow all established and related traffic by default. I allow all incoming traffic from port 443 to be redirected to the mail server, which is behind the firewall. I allow all outgoing port 443 from the mail server. I also drop any invalid packets. Finally, I am only logging dropped traffic.
Code:
# Policy rules (IPv4): anything no later rule accepts is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Established and related: accept packets that belong to a connection
# conntrack already has an entry for (or that are related to one)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP port 443: Internet access from the internal LAN and the mail server.
# Inbound 443 arriving on eth0 is DNATed to the mail server behind the firewall,
# then the FORWARD rule accepts the (new) forwarded connection to port 443.
# <mail-server-ip> is a placeholder for the mail server's internal address.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination <mail-server-ip>
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
# Invalid packets: anything conntrack cannot associate with a known state
iptables -A INPUT -p ALL -m state --state INVALID -j DROP
iptables -A OUTPUT -p ALL -m state --state INVALID -j DROP
iptables -A FORWARD -p ALL -m state --state INVALID -j DROP
# Logging: whatever reaches the end of a chain is logged (rate-limited) and then dropped
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
Question 1:
Is the handshake process (for ActiveSync):
1. iPad connects to the mail server with a SYN
2. Mail server responds to the iPad with an ACK
3. iPad finishes up with a FIN
4. Mail server responds to the iPad with ACK, PSH and it is failing because the iPad has already sent a FIN? I am guessing the server is trying to close the connection which the iPad has already closed?
Question 2:
I have set the firewall to drop invalid packets. So if the connection has been closed (which I assume is the case), why am I still seeing dropped connections for ACK, PSH traffic?
Question 3:
Is ACK, PSH part of established or part of related traffic? I am wondering if maybe I need to enable something in Linux for related traffic, because one of the articles I read said something about loading a module for that. I have no issues with websites, which I presume is established traffic. I only seem to have problems with programs running on servers, or ActiveSync, where there is a constant 24-hour connection as it were.
Question 4:
How do I find out what is causing this? It doesn't look like a timeout issue, as the established timeout is 5 days according to my sysctl setting. I would prefer to fix the underlying cause of why these ACK, PSH connections are being dropped. If this is normal and expected behaviour, then I just want to get these dropped connections out of my log file. I don't know if what I am seeing is normal, or if there is a problem somewhere. With my mail server, for example, I am only seeing the problem with source port 443 from the mail server to the ActiveSync client. Everything else is working as expected.
I have used the example of my mail server, but on other networks with a firewall in place I am seeing the same problem, with a lot of established/related traffic being dropped. Again, I assume that the underlying cause is that the established connection has been closed by one side or the other and the other side is still sending traffic on that connection? Again, it always seems to be running services like Datto. It doesn't seem to be website traffic.
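As an added example (not part of the original post): a small Python triage script that reads the "IPTables-Dropped:" lines the LOGGING chain above produces and sorts the dropped TCP packets by their flags, which is the first thing to look at when "established" traffic appears to be dropped. The classification rests on how Linux conntrack treats a TCP packet it has no entry for: with the default nf_conntrack_tcp_loose=1 a non-SYN packet (ACK, ACK PSH, FIN) is picked up as state NEW, not ESTABLISHED, so the ESTABLISHED,RELATED rule does not match it and it falls through to the default DROP (with tcp_loose=0 it is INVALID instead). The log lines, addresses and ports in the script are constructed to look like the LOG target output, and the field layout is assumed from the kernel's IPv4 LOG format.

```python
"""Triage iptables "IPTables-Dropped:" log lines by TCP flags.

Added example for this thread, not code from the original post. The log
lines below are constructed to look like the LOG target output of the
ruleset in the question (kernel log prefix, then KEY=VALUE fields and bare
TCP flag names). Assumed: the sysctl defaults nf_conntrack_tcp_loose=1 and
nf_conntrack_tcp_be_liberal=0, which decide how conntrack treats a TCP
packet it has no entry for.
"""
import re
from collections import Counter

TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line plus FLAGS (a frozenset).

    The LOG target prints TCP flags as bare tokens ("ACK PSH") between
    RES=... and URGP=...; everything else of interest is KEY=VALUE.
    """
    fields = dict(FIELD_RE.findall(line))
    bare = (tok for tok in line.split() if "=" not in tok)
    fields["FLAGS"] = frozenset(tok for tok in bare if tok in TCP_FLAGS)
    return fields


def classify(pkt):
    """Classify a dropped packet by what conntrack would have made of it.

    new-connection          SYN without ACK: a new flow no ACCEPT rule covers.
    syn-ack-without-syn     SYN+ACK reply whose SYN conntrack never saw.
    stray-rst               RST for a flow conntrack no longer tracks.
    stray-on-untracked-flow ACK / ACK PSH / FIN without SYN: conntrack has no
        entry for the flow (entry expired, torn down by FIN/RST, or the flow
        predates the ruleset). With tcp_loose=1 the packet is picked up as
        state NEW, so "--state ESTABLISHED,RELATED" does not match it and it
        falls through to the default DROP; with tcp_loose=0 it is INVALID.
    """
    if pkt.get("PROTO") != "TCP":
        return "non-tcp"
    flags = pkt["FLAGS"]
    if "SYN" in flags:
        return "new-connection" if "ACK" not in flags else "syn-ack-without-syn"
    if "RST" in flags:
        return "stray-rst"
    return "stray-on-untracked-flow"


def triage(lines):
    """Count dropped packets per class and per (class, flow)."""
    by_class = Counter()
    by_flow = Counter()
    for line in lines:
        if "IPTables-Dropped:" not in line:
            continue  # not one of our LOG lines
        pkt = parse_log_line(line)
        cls = classify(pkt)
        by_class[cls] += 1
        if cls != "non-tcp":
            flow = f"{pkt['SRC']}:{pkt['SPT']} -> {pkt['DST']}:{pkt['DPT']}"
            by_flow[(cls, flow)] += 1
    return by_class, by_flow


# Constructed sample: two late ACK PSH segments from the mail server (as in
# the question), a scan SYN from the Internet, an RST for the same dead
# flow, and a UDP packet for contrast. Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: IPTables-Dropped: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=443 DPT=52314 WINDOW=501 RES=0x00 ACK PSH URGP=0
Mar  3 09:12:01 fw kernel: IPTables-Dropped: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=443 DPT=52314 WINDOW=501 RES=0x00 ACK PSH URGP=0
Mar  3 09:12:05 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 09:12:07 fw kernel: IPTables-Dropped: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4330 DF PROTO=TCP SPT=443 DPT=52314 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 09:12:09 fw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.1 LEN=68 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=48
"""


def report(lines):
    """Human-readable summary; returned as text so callers can log it."""
    by_class, by_flow = triage(lines)
    out = [f"{n:5d}  {cls}" for cls, n in by_class.most_common()]
    out.append("")
    out += [f"{n:5d}  {cls:24s} {flow}" for (cls, flow), n in by_flow.most_common()]
    return "\n".join(out)


if __name__ == "__main__":
    # Against a real box: feed it the kernel log, e.g. journalctl -k | python3 triage.py
    print(report(SAMPLE_LOG.splitlines()))
```

If the dominant class on a real log is "stray-on-untracked-flow" for server source ports such as 443, the packets are not ESTABLISHED from conntrack's point of view, and the next checks are `sysctl net.netfilter.nf_conntrack_tcp_loose` (what state an untracked non-SYN packet gets), `sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait` (how long an entry lingers after a FIN exchange, 120 s by default) and whether `conntrack -L` (from conntrack-tools) still shows an entry for the logged 4-tuple at the time of the drop.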