Hi, I've attached my iptables rules script as a .txt attachment for reference, but they are fairly standard rules that I've patched together from various online sources. Things seem to be working pretty well, but I am confused about some of the log entries in `/var/log/kern.log`. I'm not quite sure what these incoming connections are, or indeed, why they are being dropped. As an example:
Code:
 Jul  6 16:18:29 mylappy kernel: [29424.535475] IPTables IN Packet Dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=67.215.67.15 DST=192.168.1.79 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=4134 DF PROTO=TCP SPT=80 DPT=48812 WINDOW=8326 RES=0x00 ACK RST URGP=0
Similarly, other websites with SPT=80 continually crop up (showing SRC, DST, PROTO, SPT, DPT only):
Code:
    SRC=67.215.67.31  DST=192.168.1.79 PROTO=TCP SPT=80  DPT=55202   (OPENDNS-NET-3)
    SRC=173.194.34.183 DST=192.168.1.79 PROTO=TCP SPT=80  DPT=40869   (GOOGLE)
    SRC=173.194.34.191 DST=192.168.1.79 PROTO=TCP SPT=80  DPT=50716   (GOOGLE)
    SRC=74.125.136.16  DST=192.168.1.79 PROTO=TCP SPT=993 DPT=57026   (Google Inc)
        993 is GMAIL IMAP SSL, which I have allowed outbound... but surely conntrack should be allowing the inbound?
    SRC=192.168.1.254  DST=192.168.1.79 PROTO=TCP SPT=80  DPT=43065   (ROUTER)
    SRC=31.13.72.33    DST=192.168.1.79 PROTO=TCP SPT=443 DPT=59306   (??)
    SRC=78.129.223.36  DST=192.168.1.79 PROTO=TCP SPT=80  DPT=37455   (Iomart Hosting Ltd)
    SRC=69.171.248.16  DST=192.168.1.79 PROTO=TCP SPT=443 DPT=51225   (Facebook, Inc.)
    SRC=23.48.157.195  DST=192.168.1.79 PROTO=TCP SPT=443 DPT=58934   (AKAMAI)
    SRC=213.248.117.9  DST=192.168.1.79 PROTO=TCP SPT=443 DPT=38040   (Akamai International B.V.)
    SRC=46.33.76.9     DST=192.168.1.79 PROTO=TCP SPT=443 DPT=38443   (AKAMAI-TINET)
    SRC=206.19.49.183  DST=192.168.1.79 PROTO=TCP SPT=80  DPT=55513   (CERFnet CERFNET-BLK-206)
    SRC=190.93.246.58  DST=192.168.1.79 PROTO=TCP SPT=80  DPT=52007   (CloudFlare?? http://en.wikipedia.org/wiki/CloudFlare)
    SRC=54.230.9.150   DST=192.168.1.79 PROTO=TCP SPT=80  DPT=58305   (Amazon Technologies Inc)
Yet, I get no visible problems accessing these websites.

1) Why are these websites connecting to me at all? (I gather SPT=80, DPT=55202 means they are trying to connect to me on 55202 and the packet originated out of the server's port 80?)
1b) If the connections are related to my established outgoing connections to them, why aren't my conntrack rules letting them through?
2) Should I make a rule to allow such connections?
2b) If so, would adding a rule like the following help, or is this really to allow me to function as a webserver and host documents on 80, and therefore not what I need?
Code:
    iptables -A INPUT  -i eth0 -p tcp --dport 80  -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 80  -m state --state ESTABLISHED     -j ACCEPT
    iptables -A INPUT  -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED     -j ACCEPT

Sorry about the long post, any help would be greatly appreciated. Thanks.
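As an added example (not part of the poster's script), here is a small triage script for exactly this kind of `kern.log` output: it parses the netfilter LOG fields and separates unsolicited inbound SYNs (worth looking at) from reply-shaped packets, such as the `ACK RST` from port 80 above, that arrive after conntrack has already dropped the flow and so no longer match ESTABLISHED. The `Packet Dropped` prefix is the poster's own; the 1024 ephemeral-port boundary and the two extra log lines (RFC 5737 addresses) are constructed assumptions.

```python
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")
EPHEMERAL_MIN = 1024  # assumption: ports below this are treated as service ports

# Constructed sample: line 1 is the entry quoted in the post, lines 2-3 are made up.
SAMPLE_LOG = """\
Jul  6 16:18:29 mylappy kernel: [29424.535475] IPTables IN Packet Dropped: IN=eth1 OUT= MAC=c4:17:fe:65:51:f8:00:26:44:59:a6:10:08:00 SRC=67.215.67.15 DST=192.168.1.79 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=4134 DF PROTO=TCP SPT=80 DPT=48812 WINDOW=8326 RES=0x00 ACK RST URGP=0
Jul  6 16:20:01 mylappy kernel: [29516.100000] IPTables IN Packet Dropped: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.168.1.79 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  6 16:21:44 mylappy kernel: [29619.200000] IPTables IN Packet Dropped: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.9 DST=192.168.1.79 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=77 DF PROTO=TCP SPT=443 DPT=38040 WINDOW=100 RES=0x00 ACK URGP=0
"""

def parse_line(line):
    """Return the KEY=value fields of one LOG line plus the set of bare TCP flag tokens."""
    idx = line.find(" IN=")
    rest = line[idx:] if idx >= 0 else line
    fields = dict(KV_RE.findall(rest))          # OUT= yields an empty string, as in the log
    bare = [tok for tok in rest.split() if "=" not in tok]
    fields["FLAGS"] = {tok for tok in bare if tok in TCP_FLAGS}  # DF and friends are ignored
    return fields

def classify(fields):
    """Heuristic label for a dropped packet, assuming a default-drop INPUT chain
    that accepts ESTABLISHED,RELATED via conntrack."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt, flags = int(fields["SPT"]), int(fields["DPT"]), fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-syn"        # something trying to open a connection to DPT on us
    reply_shaped = spt < EPHEMERAL_MIN <= dpt   # service port -> our ephemeral port
    if reply_shaped and flags & {"RST", "FIN"}:
        return "late-teardown"      # server closing a flow conntrack already forgot: harmless
    if reply_shaped and "ACK" in flags:
        return "stale-ack"          # leftover ACK/data for a flow conntrack no longer tracks
    return "other"

def summarize(log_text):
    """Count each label over all LOG lines in the text."""
    return Counter(classify(parse_line(l)) for l in log_text.splitlines() if " IN=" in l)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        print(f"{classify(f):14} SRC={f['SRC']}:{f['SPT']} -> DPT={f['DPT']} {sorted(f['FLAGS'])}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a real `grep 'Packet Dropped' /var/log/kern.log`; a large `inbound-syn` count to a port you do not serve is the bucket to investigate, while `late-teardown` entries are noise that no extra ACCEPT rule needs to cover.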