ESTABLISHED connections are not that established
rob0 at gmx.co.uk
Thu Jul 28 12:41:44 CEST 2005
Gioele Barabucci wrote:
>>In my logs I often find reports of dropped input packets from my DNS:53 or
>>dropped output packets generated from localhost:25 to other mail servers.
>>Why are these packets dropped?
I have a theory and a suggestion.
> iptables -P OUTPUT DROP
Bad idea (see below.)
> iptables -P FORWARD DROP # just for fun, I don't do any routing
Good idea. Even if not routing it doesn't hurt to take these out at the
> iptables -A OUTPUT -p udp --dport nameserver -j ACCEPT
> iptables -A OUTPUT -p tcp --dport nameserver -j ACCEPT
# iptables -vA OUTPUT -p tcp --dport nameserver
tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:42
# iptables -vA OUTPUT -p tcp --dport domain
tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:53
I cannot see into your /etc/services, but mine resolves "nameserver" to
"42". (R.I.P., D. Adams.)
> echo "Logging"
> iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j LOG
> --log-level "debug" --log-ip-options --log-tcp-options --log-prefix
> 'iptables INPUT DROP '
> iptables -A INPUT -m limit --limit 3/second --limit-burst 5 -i ! lo -j
> ULOG --ulog-prefix 'iptables INPUT DROP '
> iptables -A OUTPUT -m limit --limit 3/second --limit-burst 5 -o ! lo -j
> LOG --log-level "debug" --log-ip-options --log-tcp-options --log-prefix
> 'iptables OUTPUT DROP '
Whoa, that is a lot of logging! What do you expect to find in all that?
Why LOG and ULOG both?
> echo "REJECT for outgoing packets"
> iptables -A OUTPUT -j REJECT # reject, don't DROP outgoing packets
It's cleaner to limit this to "-p tcp".
Suggestion: OUTPUT filtering is a bad idea. Carefully crafted rules to
limit what your daemons can do with -m owner might slightly enhance
security. General OUTPUT filtering only guarantees that things won't
Why are you doing it? What is the benefit you think you are getting?
This sounds like a single user machine, from the fact that there's no
routing. Who are you limiting with OUTPUT rules? Yourself?
I would do OUTPUT -P ACCEPT and eliminate the OUTPUT rules. I'd also do
away with the logging, or at least tightly curtail it. I usually only
log for specific short-term reasons (troubleshooting a problem.) I'd
include a "-m state --state INVALID -j DROP" rule for good measure.
Finally, I'd move your --state rules to the top.
At that point everything would be working as you expect, and you would
have a very tight firewall.
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
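An added example, not from this thread: a POSIX sh script with the ruleset rob0 recommends (state rules at the top, INVALID dropped, OUTPUT policy ACCEPT, logging only when troubleshooting, numeric ports instead of /etc/services names). The ipt dry-run wrapper, apply_rules, rule_position and the choice of 25/53 as the offered services are my assumptions.

```shell
#!/bin/sh
# ipt echoes the command when DRY_RUN=1 so the ruleset can be reviewed
# without root and without touching a live firewall (quotes are not
# preserved in the echoed form; it is a review listing only).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# LOG_DROPS=1 adds one rate-limited LOG rule; leave it off outside troubleshooting.
apply_rules() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT            # no general OUTPUT filtering

    # Stateful rules first: replies to our own traffic are accepted before
    # any service-specific rule or logging rule can see them.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i lo -j ACCEPT

    # Services this host offers (assumed: DNS and SMTP). Numeric ports avoid
    # /etc/services surprises: "nameserver" resolved to 42, "domain" to 53.
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -p tcp --dport 25 -j ACCEPT

    if [ "${LOG_DROPS:-0}" = 1 ]; then
        ipt -A INPUT -m limit --limit 3/second --limit-burst 5 \
            -j LOG --log-prefix 'iptables INPUT DROP '
    fi
}

# Position (1-based) of the first rule in chain $1 whose text matches $2,
# read from a dry-run listing on stdin; prints 0 if no rule matches.
rule_position() {
    pos=$(grep -- "-A $1 " | grep -n -- "$2" | head -n1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Review the ruleset without applying it:  DRY_RUN=1 sh rules.sh
if [ "${DRY_RUN:-0}" = 1 ]; then apply_rules; fi
```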