I have an Ubuntu 12.04 server that I'm currently using as a gateway / router for a few LAN devices (WAN is a mobile BB dongle that presents itself as an ethernet adapter - eth1 in the below).
eth0 - 192.168.1.67 (LAN)
eth1 - 192.168.9.100 (WAN BB dongle)
Some websites seem to send an RST-flagged packet after a while of inactivity. Not a problem in itself, but I suspect that because either the client machine or the server has already dropped the connection, it hits the end of my iptables INPUT chain and gets logged. I'd like to stop this logging of RST packets, as it is forever waking the hard drive from its sleep state.
I'm no iptables expert by a very long mile. I have tried to figure it out using man iptables, but I just seem to keep making amendments to my saved iptables config that prevent it from loading at all, so any help or advice would be gratefully received.
Example of offending log entry:
Code:
May 6 02:48:25 ubuserver kernel: [ 666.963777] NETFILT End of IN chain: IN=eth1 OUT= MAC=58:2c:80:13:92:63:58:2c:80:13:92:08:08:00 SRC=173.194.41.175 DST=192.168.9.100 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=45620 PROTO=TCP SPT=443 DPT=58346 WINDOW=0 RES=0x00 RST URGP=0
^^ That's Google sending an RST after doing a search.
iptables -S:
Code:
crypto@ubuserver:~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "NETFILT I New not syn: " --log-level 7
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.68/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.67/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.66/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.65/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.64/32 -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "NETFILT End of IN chain: " --log-level 7
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "NETFILT F New not syn: " --log-level 7
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A FORWARD -s 192.168.1.68/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.66/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.65/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.64/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "NETFILT End of FWD chain: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
/etc/iptables.sav that gets loaded at boot time:
Code:
crypto@ubuserver:~$ cat /etc/iptables.sav
# Generated by iptables-save v1.4.12 on Sat Dec 7 16:16:03 2013
*security
:INPUT ACCEPT [23135:1917052]
:FORWARD ACCEPT [94101:75161757]
:OUTPUT ACCEPT [34444:34170997]
COMMIT
# Completed on Sat Dec 7 16:16:03 2013
# Generated by iptables-save v1.4.12 on Sat Dec 7 16:16:03 2013
*raw
:PREROUTING ACCEPT [117705:77230082]
:OUTPUT ACCEPT [34444:34170997]
COMMIT
# Completed on Sat Dec 7 16:16:03 2013
# Generated by iptables-save v1.4.12 on Sat Dec 7 16:16:03 2013
*mangle
:PREROUTING ACCEPT [117706:77230134]
:INPUT ACCEPT [23162:1923868]
:FORWARD ACCEPT [94159:75165241]
:OUTPUT ACCEPT [34444:34170997]
:POSTROUTING ACCEPT [128546:109332806]
COMMIT
# Completed on Sat Dec 7 16:16:03 2013
# Generated by iptables-save v1.4.12 on Sat Dec 7 16:16:03 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "NETFILT I New not syn: " --log-level 7
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.68/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.67/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.66/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.65/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.64/32 -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "NETFILT End of IN chain: " --log-level 7
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "NETFILT F New not syn: " --log-level 7
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A FORWARD -s 192.168.1.68/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.66/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.65/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 192.168.1.64/32 -i eth0 -o eth1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "NETFILT End of FWD chain: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Sat Dec 7 16:16:03 2013
# Generated by iptables-save v1.4.12 on Sat Dec 7 16:16:03 2013
*nat
:PREROUTING ACCEPT [1441:269589]
:INPUT ACCEPT [499:89156]
:OUTPUT ACCEPT [1213:88181]
:POSTROUTING ACCEPT [67:5034]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Sat Dec 7 16:16:03 2013
Any thoughts how to stop the seemingly belated RST packets from getting logged?
Thanks in advance
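Added example, not part of the post above and not code from the poster: a small POSIX shell script that takes an iptables-save style ruleset, inserts a silent `-m conntrack --ctstate INVALID -j DROP` rule directly ahead of the end-of-chain LOG rule, and verifies the ordering before anything is loaded. The reasoning it relies on: the logged packet is a bare RST for a flow conntrack no longer has an entry for, so it matches neither `RELATED,ESTABLISHED` nor `NEW`; conntrack classifies such a packet as INVALID, and a drop for that state placed before the LOG rule stops it being logged. The `SAMPLE_RULES` block is a constructed, trimmed copy of the `*filter` table from the post (only one LAN host kept) so the script runs offline; the function names are the example's own, and it assumes `awk` is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Inserts a silent
# "--ctstate INVALID -j DROP" rule ahead of a chain's end-of-chain LOG rule
# in an iptables-save style ruleset and checks the result before loading it.

# Constructed, trimmed copy of the *filter table from the post; the real
# file on the box is /etc/iptables.sav.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.64/32 -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "NETFILT End of IN chain: " --log-level 7
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "NETFILT End of FWD chain: " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT'

# insert_invalid_drop CHAIN
# Reads a ruleset on stdin and prints it with one extra rule placed directly
# before CHAIN's first "-j LOG" rule. Packets conntrack classifies as INVALID
# (a stray RST for a flow it no longer tracks, for example) are then dropped
# before they can reach the LOG target. If CHAIN already carries that rule
# ahead of its LOG rule, the ruleset is printed unchanged.
insert_invalid_drop() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /--ctstate INVALID -j DROP/ { done = 1 }
        $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "LOG" && !done {
            print "-A " chain " -m conntrack --ctstate INVALID -j DROP"
            done = 1
        }
        { print }
    '
}

# invalid_drop_precedes_log CHAIN
# Returns 0 when the ruleset on stdin has an INVALID drop for CHAIN that sits
# before CHAIN's LOG rule, 1 otherwise. Rule order is what matters here: the
# same rule placed after the LOG line would change nothing.
invalid_drop_precedes_log() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /--ctstate INVALID -j DROP/ && !dropln { dropln = NR }
        $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "LOG" && !logln   { logln = NR }
        END { if (dropln && logln && dropln < logln) exit 0; exit 1 }
    '
}

# rule_count CHAIN
# Prints the number of "-A CHAIN" rules on stdin, a sanity check that exactly
# one rule was added and nothing else moved.
rule_count() {
    awk -v chain="$1" '$1 == "-A" && $2 == chain { n++ } END { print n + 0 }'
}

# fixed_rules: the constructed sample with the INPUT chain corrected.
fixed_rules() {
    printf '%s\n' "$SAMPLE_RULES" | insert_invalid_drop INPUT
}

# Print the corrected sample when run directly with --show.
if [ "${1:-}" = "--show" ]; then
    fixed_rules
fi
```

On the real box the same transformation is `insert_invalid_drop INPUT < /etc/iptables.sav > /tmp/iptables.new`, followed by `invalid_drop_precedes_log INPUT < /tmp/iptables.new` and, if the installed iptables-restore supports it, `iptables-restore --test < /tmp/iptables.new` to catch syntax errors before committing; only then `iptables-restore < /tmp/iptables.new` and copy the file into place. Run `insert_invalid_drop FORWARD` as well if the "End of FWD chain" log shows the same stray RSTs. One caveat: an INVALID drop also silences other malformed or out-of-window packets you might have wanted to see; if only the RSTs should go quiet, a narrower `-A INPUT -p tcp --tcp-flags RST RST -m conntrack --ctstate INVALID -j DROP` in the same position does that.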