LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-30-2004, 05:04 AM   #1
Roger Krowiak (Member; Registered: Oct 2004; Distribution: Slackware; Posts: 38)
invalid packets in output

Hi,

I've set up my firewall using iptables and added some logging. In the log I've found some outgoing packets which were in state INVALID. When this happened the firewall was running and I was browsing the web and downloading some files (from the web or FTP). So my question is, how is it possible to have an invalid outgoing packet? Is there something wrong with my iptables settings? Here is the script starting iptables (I've removed my IP address).

Code:
#!/bin/sh
#
# /etc/rc.d/rc.iptables
#


###--->>>start iptables<<<---###
start () {
echo "Starting firewall."

# aliases
MOJA_IP='THIS.IS.MY.IP'

#clean all
/usr/sbin/iptables -F
/usr/sbin/iptables -Z
/usr/sbin/iptables -X

# FTP helper, so that FTP data connections are tracked as RELATED
/sbin/modprobe ip_conntrack_ftp

###--->>>create DROP_FORBIDEN_ADDRESS<<<---###
iptables -N DROP_FORBIDEN_ADDRESS
iptables -F DROP_FORBIDEN_ADDRESS
iptables -A DROP_FORBIDEN_ADDRESS -j ULOG --ulog-prefix "DROP LOCAL ADDRESS ON eth0"
iptables -A DROP_FORBIDEN_ADDRESS -j DROP
###--->>>create DROP_FORBIDEN_ADDRESS<<<---###

###--->>>DROP INVALID<<<---###
# log, then drop, anything conntrack cannot match to a known connection state
iptables -A INPUT -m state --state INVALID -j ULOG --ulog-prefix "DROP INVALID INPUT"
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j ULOG --ulog-prefix "DROP INVALID OUTPUT"
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j ULOG --ulog-prefix "DROP INVALID FORWARD"
iptables -A FORWARD -m state --state INVALID -j DROP
###--->>>DROP INVALID<<<---###

###--->>>LOCAL ADDRESS SHOULD NEVER COME THRU eth0<<<---###
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 5.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 23.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 27.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 31.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 36.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 39.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 41.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP_FORBIDEN_ADDRESS
iptables -A INPUT -i eth0 -s 197.0.0.0/8 -j DROP_FORBIDEN_ADDRESS
###--->>>LOCAL ADDRESS SHOULD NEVER COME THRU eth0<<<---###

###--->>>DNS<<<---###
iptables -A INPUT -p udp -i eth0 -s 195.34.133.10 -d $MOJA_IP --destination-port 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 195.34.133.11 -d $MOJA_IP --destination-port 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 212.83.64.138 -d $MOJA_IP --destination-port 53 -j ACCEPT
###--->>>DNS<<<---###

###--->>>LOCAL2LOCAL<<<---###
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
###--->>>LOCAL2LOCAL<<<---###

#allow access for some.address.sk
iptables -A INPUT -p tcp -i eth0 -s some.address.sk -d $MOJA_IP --destination-port 443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s otherone.address.sk -d $MOJA_IP --destination-port 443 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -s some.address.sk -d $MOJA_IP --icmp-type echo-request -j ACCEPT

#allow access for established connections
iptables -A INPUT -p tcp -i eth0 -d $MOJA_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -i eth0 -d $MOJA_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -s some.address.sk -d $MOJA_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# everything else on INPUT is logged and dropped
iptables -A INPUT -j ULOG --ulog-prefix "DROP INPUT"
iptables -A INPUT -j DROP

###--->>>DROP FORWARD<<<---###
iptables -A FORWARD -j ULOG --ulog-prefix "DROP FORWARD"
iptables -A FORWARD -j DROP
}
###--->>>start iptables<<<---###

###--->>>stop iptables<<<---###
stop () {
echo "Stopping firewall."
/usr/sbin/iptables -F
/usr/sbin/iptables -Z
/usr/sbin/iptables -X
}
###--->>>stop iptables<<<---###


###--->>>restart iptables<<<---###
restart () {
stop
start
}
###--->>>restart iptables<<<---###


# See how we were called.
case "$1" in
        start)
                start
                ;;
        restart)
                restart
                ;;
        stop)
                stop
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart}"
                exit 1
                ;;
esac

exit $?
Thank you for your answers.
 
Old 11-30-2004, 05:49 PM   #2
bastard23 (Member; Registered: Mar 2003; Distribution: Debian; Posts: 275)
Can you post the log message of some of the packets? I rarely play with the OUTPUT chain.
 
Old 12-01-2004, 01:23 AM   #3
Roger Krowiak (Original Poster; Member; Registered: Oct 2004; Distribution: Slackware; Posts: 38)
This is what I've found in my logs. I hope it helps.

Code:
Nov 29 19:50:19 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=this.is.my.address DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=14373 DF PROTO=TCP SPT=33112 DPT=80 SEQ=1735748964 ACK=1400800421 WINDOW=2810 ACK FIN URGP=0 
Nov 29 19:50:28 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=this.is.my.address DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=48566 CE DF PROTO=TCP SPT=33113 DPT=80 SEQ=1741811662 ACK=1402130021 WINDOW=16022 ACK FIN URGP=0 
Nov 29 19:51:24 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=this.is.my.address DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=14375 DF PROTO=TCP SPT=33112 DPT=80 SEQ=1735748964 ACK=1400800421 WINDOW=2810 ACK FIN URGP=0 
Nov 29 19:51:43 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=this.is.my.address DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=48568 CE DF PROTO=TCP SPT=33113 DPT=80 SEQ=1741811662 ACK=1402130021 WINDOW=16022 ACK FIN URGP=0
 
Old 12-01-2004, 02:43 AM   #4
bastard23 (Member; Registered: Mar 2003; Distribution: Debian; Posts: 275)
I don't see anything immediately wrong with this packet. If anyone else does, please pipe up. It appears to be a FIN,ACK packet which is part of the normal tear down of the tcp connection.

If you can reproduce this, then you might try looking at /proc/net/ip_conntrack and netstat. I.e., less than a minute later do a:
grep foreign.ip.address.22 /proc/net/ip_conntrack
netstat -n|grep foreign.ip.address.22

and compare the states (TIME_WAIT, FIN_WAIT_1, ESTABLISHED).

So, I don't know why you are seeing this and am not an expert able to wave my hand and give you a quick explanation.

Hope this helps,
chris
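Before comparing against conntrack and netstat as chris suggests, it helps to see which of the logged packets are repeats: in the log posted above, the third line carries the same SEQ/ACK pair as the first, 65 seconds later, i.e. the same FIN,ACK segment retransmitted. The helper below is an added example, not code from either poster: it parses ULOG/iptables log lines of that format, separates the bare TCP flag tokens (ACK FIN) from the KEY=VALUE fields, groups segments by 4-tuple and reports repeated SEQ/ACK pairs; the sample lines are constructed, with SRC replaced by a documentation address.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the ULOG lines quoted above (SRC is a
# documentation address, not the poster's; DST/ports/SEQ/ACK as posted).
SAMPLE_LOG = """\
Nov 29 19:50:19 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=192.0.2.5 DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=14373 DF PROTO=TCP SPT=33112 DPT=80 SEQ=1735748964 ACK=1400800421 WINDOW=2810 ACK FIN URGP=0
Nov 29 19:50:28 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=192.0.2.5 DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=48566 CE DF PROTO=TCP SPT=33113 DPT=80 SEQ=1741811662 ACK=1402130021 WINDOW=16022 ACK FIN URGP=0
Nov 29 19:51:24 nee DROP INVALID OUTPUT IN= OUT=eth0 MAC= SRC=192.0.2.5 DST=65.216.123.145 LEN=52 TOS=00 PREC=0x00 TTL=64 ID=14375 DF PROTO=TCP SPT=33112 DPT=80 SEQ=1735748964 ACK=1400800421 WINDOW=2810 ACK FIN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*?) IN=")

def parse_line(line):
    """Parse one syslog line into KEY=VALUE fields plus 'time', 'prefix', 'flags'.
    Bare tokens such as ACK FIN are TCP flags; DF/CE are IP bits and are skipped.
    Returns None for lines that are not iptables/ULOG packet logs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
           "prefix": m.group(2), "flags": set()}
    for tok in line[m.end(2):].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v             # e.g. SPT -> "33112"; 'ACK=...' is the ack number
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)  # bare 'ACK' is the flag bit
    return rec

def find_retransmits(log_text):
    """Return one record per TCP segment whose (4-tuple, SEQ, ACK) was already
    logged, with the gap in seconds since the first sighting."""
    first_seen, hits = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        conn = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
        key = conn + (rec["SEQ"], rec["ACK"])
        if key in first_seen:
            hits.append({"conn": conn, "flags": sorted(rec["flags"]),
                         "gap_s": (rec["time"] - first_seen[key]).total_seconds()})
        else:
            first_seen[key] = rec["time"]
    return hits

if __name__ == "__main__":
    for h in find_retransmits(SAMPLE_LOG):
        print("%s:%s -> %s:%s [%s] retransmitted after %.0fs"
              % (h["conn"] + (",".join(h["flags"]), h["gap_s"])))
```

Feed it the real log (for example `find_retransmits(open("/var/log/ulogd.syslogemu").read())`, path assumed) and line up each reported connection against the conntrack and netstat states captured at the same time.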
 
Old 12-01-2004, 03:19 AM   #5
Roger Krowiak (Original Poster; Member; Registered: Oct 2004; Distribution: Slackware; Posts: 38)
Thank you very much for your hints, I will try them. If I find something new or find the reason for this, I will write it here.
 
Old 01-29-2005, 02:54 AM   #6
LinuxJorgen (LQ Newbie; Registered: Oct 2002; Location: The Netherlands; Distribution: Centos; Posts: 4)
invalid input as well...

Hi

I've got similar problems, but on the input chain:

$IPTABLES -A local_in -m state --state INVALID -j log_invalid

This rule occasionally kicks out packages as 'INVALID' when I copy large files to samba from a windoze machine.
This results in 'delayed writes' and lost data in windoze.

I removed the IPTABLES statement above, and all appears to be fine when I copy.

Problems started when I upgraded my Slack 10 kernel from 2.4.26 to 2.6.10.
Before that, everything (eehhh, at least this) was fine.

I read some fora on the internet. There appear to be relations between the use of IPSec/VPN and dropping packets.
Unfortunately I do not have any experience with VPN/IPsec under Linux.