Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

odd incoming packets



dsr wrote:
>On Fri, Sep 12, 2003 at 09:40:27PM -0400, James R. Van Zandt wrote:
>> I'd like to understand these entries in my syslog:
>> 
>> vanzandt:/var/log# grep Drop syslog|tail -6
>> Sep 12 20:19:14 vanzandt kernel: Dropping packet: IN=eth0 OUT=
>> MAC=00:50:ba:48:13:d8:00:06:25:dc:ad:a9:08:00 SRC=204.127.204.8
>> DST=192.168.1.102 LEN=78 TOS=0x00 PREC=0x00 TTL=242 ID=55166 DF
>> PROTO=UDP SPT=53 DPT=56639 LEN=58
>
>A UDP packet sent from port 53 to a random port on your system would be
>a DNS reply.
>
>> ...how are those packets getting through my router?
>
>The magic of NAT. Remember that UDP is not session oriented, and so a
>non-stateful packet filter has to let it in if it looks legit.


Okay, then why is my firewall complaining?  I'm using iptables, as
follows:

  ## Create chain which blocks new connections unless coming from inside.
  /sbin/iptables -N block
  /sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  /sbin/iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT
  ## drop IDENT requests silently
  /sbin/iptables -A block -i eth0 -m state --state NEW \
  	  -p tcp --destination-port 113 -j DROP
  ## permit SSH connections
  /sbin/iptables -A block -i eth0 -m state --state NEW \
          -p tcp --destination-port 22 -j ACCEPT
  ## log any other bad packets
  /sbin/iptables -A block -i eth0 -m limit -j LOG \
  	  --log-level warning --log-prefix "Dropping packet: "
  /sbin/iptables -A block -j DROP
  ## Jump to that chain from INPUT and FORWARD chains.
  /sbin/iptables -A INPUT -j block
  /sbin/iptables -A FORWARD -j block

As I understand it, the "RELATED" keyword is supposed to set up a
stateful packet filter, so I would expect DNS replies to be accepted
just like ftp data transfers.  In fact, DNS queries are working fine,
and at least some of the time they don't generate warnings:

  vanzandt:~ $ nslookup www.debian.org
  Server:  ns13.attbi.com
  Address:  204.127.204.8
  
  Non-authoritative answer:
  Name:    www.debian.org
  Address:  192.25.206.10
  
I'm using a 2.4.22 kernel.  In ip_conntrack_proto_udp.c, I see

  #define UDP_TIMEOUT (30*HZ)
  #define UDP_STREAM_TIMEOUT (180*HZ)

Maybe if the reply takes more than 30 sec (or 180 sec), the filter no
longer thinks it's "related"?

And the router's packet filter isn't stateful, so it allows anything
with a source port of 53?  Or maybe it just has a longer timeout?

	      - Jim Van Zandt




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org