
Re: New not syn: IN =OUT=eth1



Vladimir Zolotykh wrote:
Hi

I'm new both to this mailing list and firewalls.

I set up a simple firewall and SNAT using iptables. All works fine
except that sometimes I see the following in the /var/log/syslog

  Mar 30 08:54:23 dobby kernel: New not syn:IN= OUT=eth1 SRC=314.12.142.106 \
    DST=314.12.128.3 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60918 DF PROTO=TCP \
    SPT=32804 DPT=119 WINDOW=31856 RES=0x00 ACK PSH FIN URGP=0

Could you please tell me what might be the probable reason for these
messages? The actual rule that produces them is

  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
      --log-prefix "New not syn:"
  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

where

  iptables -N bad_tcp_packets
  iptables -A INPUT -p tcp -j bad_tcp_packets
  iptables -A FORWARD -p tcp -j bad_tcp_packets
  iptables -A OUTPUT -p tcp -j bad_tcp_packets

The above-mentioned errors appear when I get news using the email client
Sylpheed on the machine where the iptables commands are executed, e.g. when I
press the Get all button in the email client. What I would especially like
to be told is:

  1) Could a mistake in the firewall settings be the likely reason
     for these error messages or not?

  2) What does IN= OUT=eth1 mean? I'd think it should be IN or OUT,
     not both at the same time.

Thanks in advance


Vladimir,

"IN=" indicates the interface a packet came in on, "OUT=" indicates the interface a packet went out on. "IN= OUT=eth1" means that it is a packet originating from your machine and going out on the eth1 interface. There is no value for "IN=" because the packet didn't come in on any interface.

I hope this helps.

    - Dave

--

Dave Parker
Utica College Department of
Integrated Information Technology Services
Data Processing Office
(315) 792-3229
Registered Linux User #408177
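As an added example (not part of the thread above, and not the original poster's or Dave's code), here is a small Python parser for the netfilter LOG line format quoted in the question. It splits the line into the log prefix, the key=value fields and the bare flag tokens (DF for the IP header, ACK/PSH/FIN and friends for TCP), and then applies Dave's rule of thumb to the IN=/OUT= pair: an empty IN= with OUT= set is a packet this host generated itself, which is exactly what the OUTPUT chain sees. The first sample line is the one from the thread (the 314.x addresses are the poster's own placeholder values); the other two lines are constructed here to show what INPUT and FORWARD traffic looks like in the same format. The function names and the per-chain classification are this example's own, not anything from iptables or the list.

```python
import re

# Constructed sample input. Line 0 is the line quoted in the thread; lines 1
# and 2 are made up here so the INPUT and FORWARD shapes can be compared.
SAMPLE_LINES = [
    "Mar 30 08:54:23 dobby kernel: New not syn:IN= OUT=eth1 SRC=314.12.142.106 "
    "DST=314.12.128.3 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=60918 DF PROTO=TCP "
    "SPT=32804 DPT=119 WINDOW=31856 RES=0x00 ACK PSH FIN URGP=0",
    "Mar 30 09:01:10 dobby kernel: New not syn:IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=443 DPT=50000 "
    "WINDOW=0 RES=0x00 RST URGP=0",
    "Mar 30 09:02:00 dobby kernel: New not syn:IN=eth0 OUT=eth1 SRC=10.0.0.5 "
    "DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP "
    "SPT=40000 DPT=80 WINDOW=501 RES=0x00 ACK URGP=0",
]

# Bare tokens the LOG target emits without a "KEY=" part.
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
IP_FLAG_TOKENS = {"DF", "MF", "CE"}

# syslog timestamp, host, "kernel:", then the netfilter body
_HEADER = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)


def parse_netfilter_log(line):
    """Split one kernel LOG line into prefix, key=value fields and flag sets."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a kernel log line: {line!r}")
    body = m.group("body")
    # The --log-prefix text runs right up to the first IN= field; in the
    # thread's rule there is no trailing space, hence "New not syn:IN=".
    start = body.find("IN=")
    if start < 0:
        raise ValueError("no IN= field; not a netfilter LOG line")
    rec = {
        "stamp": m.group("stamp"),
        "host": m.group("host"),
        "prefix": body[:start],
        "fields": {},
        "tcp_flags": set(),
        "ip_flags": set(),
    }
    for tok in body[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "IN=" yields an empty value
            rec["fields"][key] = value
        elif tok in TCP_FLAG_TOKENS:
            rec["tcp_flags"].add(tok)
        elif tok in IP_FLAG_TOKENS:
            rec["ip_flags"].add(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return rec


def classify_chain(rec):
    """Map the IN=/OUT= pair to the chain that saw the packet.

    IN set, OUT empty: arrived on IN for this host (INPUT).
    IN empty, OUT set: generated by this host, leaving on OUT (OUTPUT).
    Both set: routed through from IN to OUT (FORWARD).
    """
    inp = rec["fields"].get("IN", "")
    out = rec["fields"].get("OUT", "")
    if inp and out:
        return "FORWARD"
    if inp:
        return "INPUT"
    if out:
        return "OUTPUT"
    return "UNKNOWN"


def is_tcp_without_syn(rec):
    """True when the packet is what "-p tcp ! --syn" matches: TCP, no SYN bit.

    Whether conntrack also called it NEW cannot be read from the log line;
    that part of the rule only shows up as the fact that the line was logged.
    """
    return rec["fields"].get("PROTO") == "TCP" and "SYN" not in rec["tcp_flags"]


def summarize(rec):
    """One-line human summary of a parsed record."""
    f = rec["fields"]
    flags = " ".join(sorted(rec["tcp_flags"])) or "(none)"
    return (f"{rec['prefix']} {classify_chain(rec)} "
            f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')} "
            f"flags={flags} syn_missing={is_tcp_without_syn(rec)}")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(parse_netfilter_log(line)))
```

Run against the thread's line, the parser reports chain OUTPUT, destination port 119 (NNTP, matching the "get news" action the poster describes) and TCP flags ACK PSH FIN with no SYN, which is precisely the combination the "! --syn" plus "--state NEW" rule logs.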


