iptables drops some packets on port 80 and i don't know the cause.
Posted by Janning on Server Fault
Published on 2010-02-05T14:35:09Z
iptables
Hi,
We are running a firewall with iptables on our Debian Lenny system. I show you only the relevant entries of our firewall.
Chain INPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
target prot opt in out source destination
ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Some packets get dropped each day with log messages like this:
Feb 5 15:11:02 host1 kernel: [104332.409003] dropped IN= OUT=eth0 SRC= DST= LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=18576 DF PROTO=TCP SPT=80 DPT=59327 WINDOW=54 RES=0x00 ACK URGP=0
for privacy reasons I replaced IP Addresses with and
This is no reason for any concern, but I just want to understand what's happening. The web server tries to send a packet to the client, but the firewall somehow came to the conclusion that this packet is "UNRELATED" to any prior traffic.
I have set the kernel parameter ip_conntrack_max to a high enough value to be sure all connections are tracked by the iptables state module:
sysctl -w net.ipv4.netfilter.ip_conntrack_max=524288
What's funny about that is I get one connection drop every 20 minutes:
06:34:54 dropped IN=
06:52:10 dropped IN=
07:10:48 dropped IN=
07:30:55 dropped IN=
07:51:29 dropped IN=
08:10:47 dropped IN=
08:31:00 dropped IN=
08:50:52 dropped IN=
09:10:50 dropped IN=
09:30:52 dropped IN=
09:50:49 dropped IN=
10:11:00 dropped IN=
10:30:50 dropped IN=
10:50:56 dropped IN=
11:10:53 dropped IN=
11:31:00 dropped IN=
11:50:49 dropped IN=
12:10:49 dropped IN=
12:30:50 dropped IN=
12:50:51 dropped IN=
13:10:49 dropped IN=
13:30:57 dropped IN=
13:51:01 dropped IN=
14:11:12 dropped IN=
14:31:32 dropped IN=
14:50:59 dropped IN=
15:11:02 dropped IN=
That's from today, but on other days it looks like this, too (sometimes the rate varies).
What might be the reason?
Any help is greatly appreciated.
Kind regards,
Janning
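A small analysis script, added here and not part of Janning's post, that parses LOGDROP lines in the format shown above (constructed sample lines, with SRC= and DST= left empty as in the redacted original) and checks the two things a defender would look at first: which TCP flags the dropped outbound segments carry, and whether the drops arrive on a regular period. The log year is assumed to be 2010, since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines in the format of the post's LOGDROP messages
# (timestamps taken from the post's list; SRC/DST empty, as in the redacted original).
SAMPLE_LOG = """\
Feb 5 06:34:54 host1 kernel: [73208.100] dropped IN= OUT=eth0 SRC= DST= LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=18576 DF PROTO=TCP SPT=80 DPT=59327 WINDOW=54 RES=0x00 ACK URGP=0
Feb 5 06:52:10 host1 kernel: [74244.200] dropped IN= OUT=eth0 SRC= DST= LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=2201 DF PROTO=TCP SPT=80 DPT=41002 WINDOW=54 RES=0x00 ACK URGP=0
Feb 5 07:10:48 host1 kernel: [75362.300] dropped IN= OUT=eth0 SRC= DST= LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=80 DPT=51110 WINDOW=54 RES=0x00 ACK FIN URGP=0
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+kernel:\s*\[\s*[\d.]+\]\s+(.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_line(line, year=2010):
    """Parse one netfilter LOG line into timestamp, host, log prefix, key=value fields and flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields, flags, prefix = {}, set(), []
    for tok in m.group(3).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v            # value may be empty, e.g. IN= on an outbound packet
        elif tok.isupper() and fields:
            flags.add(tok)           # bare tokens after the first field are IP/TCP flags (DF, ACK, ...)
        else:
            prefix.append(tok)       # the --log-prefix text ("dropped")
    return {"time": ts, "host": m.group(2), "prefix": " ".join(prefix), "fields": fields, "flags": flags}

def tcp_flags(rec):
    """Only the TCP flags (DF is an IP-header flag and is left out)."""
    return rec["flags"] & TCP_FLAGS

def intervals_minutes(records):
    """Minutes between consecutive drops, to see whether they arrive on a regular period."""
    times = sorted(r["time"] for r in records)
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]

def looks_periodic(gaps, period=20.0, tolerance=3.0):
    """True if every gap is within +/- tolerance minutes of the period (the ~20 min pattern in the post)."""
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)

def analyse(text):
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    gaps = intervals_minutes(recs)
    # Outbound server-side (SPT=80) segments carrying only ACK: mid-stream data the OUTPUT chain
    # saw without a matching conntrack entry, which is what the post's LOGDROP rule catches.
    bare_acks = [r for r in recs if r["fields"].get("OUT") and r["fields"].get("SPT") == "80" and tcp_flags(r) == {"ACK"}]
    return {"count": len(recs), "gaps": gaps, "periodic": looks_periodic(gaps), "bare_acks": len(bare_acks)}
```

Run it over a full day of real LOGDROP lines to confirm the flag pattern and the interval before changing any conntrack timeout.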