iptables dropping some ssh packages

lbjamison
Hello,

I have iptables set up (on a CentOS 3.x server) to allow ssh both in and out of the server. It seems to be working fine, but in /var/log/messages, I can see that many ssh packages are still dropped. Before installing the iptables in production, I would like to find out why those ssh packages are dropped and preferably how to fix it.

Here are the rules & chains (with unrelated protocols stripped out), followed by a sample of the log entries:


--- Rules:
      # Incoming rules:
      iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
      
      iptables -A INPUT -j LOGDROP
      
      # Outgoing rules:
      iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
      
      iptables -A OUTPUT -j LOGDROP


--- Chains:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 2799  319K ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
   45  4320 ACCEPT     all  --  lo     any     anywhere             anywhere          
   21  1300 ACCEPT     tcp  --  any    any     anywhere             anywhere           state NEW tcp dpt:ssh
 1953  277K LOGDROP    all  --  any    any     anywhere             anywhere          

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 3088  750K ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
   45  4320 ACCEPT     all  --  any    lo      anywhere             anywhere          
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:ssh state NEW
   67  9040 LOGDROP    all  --  any    any     anywhere             anywhere          

Chain LOGDROP (2 references)
 pkts bytes target     prot opt in     out     source               destination        
 1207 72737 LOG        tcp  --  any    any     anywhere             anywhere           limit: avg 2/sec burst 10 LOG level warning prefix `TCP LOGDROP: '
  813  214K LOG        udp  --  any    any     anywhere             anywhere           limit: avg 2/sec burst 10 LOG level warning prefix `UDP LOGDROP: '
    0     0 LOG        icmp --  any    any     anywhere             anywhere           limit: avg 2/sec burst 10 LOG level warning prefix `ICMP LOGDROP: '
    0     0 LOG        all  -f  any    any     anywhere             anywhere           limit: avg 2/sec burst 10 LOG level warning prefix `FRAGMENT LOGDROP: '
 2020  286K DROP       all  --  any    any     anywhere             anywhere          


--- Log entries:
Oct 15 20:00:18 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34002 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:18 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34003 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:19 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34004 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:20 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34005 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0

Any help on this much appreciated.

Thanks,
lbj
It's dropping outgoing SSH that comes from local port 22, so you may add:

      iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW -j ACCEPT

It can also be another service that is using local port 22 to connect to outside.

Good luck!
Thanks for the reply. Come to think of it, ssh would never have a source port of 22 unless it is an already established session. But since the SSH server daemon is running on that box, I also don't see how anything else could use that port number.

So I looked again at the log files, and there are no more entries since last night (there were a bunch of log entries right after I activated iptables, but then it stopped). So it was probably just some packages that belonged to an already established ssh session (before I started iptables), so iptables' connection tracking did not see them as established and thus dropped them. ssh seems to be handled correctly without adding another rule.
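A quick way to confirm that conclusion from the log itself, rather than guessing, is to sort the LOGDROP lines by what they are: a TCP packet carrying ACK but no SYN, leaving on OUT=ethX from local port 22 (or arriving on IN=ethX for port 22), belongs to an SSH session that conntrack never saw (started before the rules were loaded, or expired from the state table), whereas a bare SYN is a genuinely new connection the ruleset refused. The shell function below is an added example, not part of the original thread; the input mixes the four log lines posted above with two constructed lines (one inbound SYN to port 23, one UDP drop) to show the other categories, and the field names (IN=, OUT=, PROTO=, SPT=, DPT=, flag tokens) are the standard ones the iptables LOG target writes.

```shell
#!/bin/sh
# Classify iptables LOGDROP entries from /var/log/messages (read from stdin).
# Categories:
#   ssh-midstream-untracked  TCP with ACK and no SYN, port 22 on the local side:
#                            mid-stream SSH traffic with no conntrack entry
#   tcp-new-syn              TCP SYN without ACK: a real new-connection attempt
#   tcp-other / non-tcp      everything else
classify_drops() {
  awk '
    /LOGDROP:/ {
      in_if = ""; out_if = ""; proto = ""; spt = ""; dpt = ""; syn = 0; ack = 0
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^IN=/)    in_if  = substr($i, 4)
        else if ($i ~ /^OUT=/)   out_if = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto  = substr($i, 7)
        else if ($i ~ /^SPT=/)   spt    = substr($i, 5)
        else if ($i ~ /^DPT=/)   dpt    = substr($i, 5)
        else if ($i == "SYN")    syn = 1
        else if ($i == "ACK")    ack = 1
      }
      if (proto != "TCP")   cat = "non-tcp"
      else if (syn && !ack) cat = "tcp-new-syn"
      else if (ack && !syn && ((out_if != "" && spt == "22") || (in_if != "" && dpt == "22")))
                            cat = "ssh-midstream-untracked"
      else                  cat = "tcp-other"
      count[cat]++
    }
    END { for (c in count) print c, count[c] }
  ' | sort
}

# Sample input: the four lines from the question plus two constructed lines.
SAMPLE_LOG=$(cat <<'EOF'
Oct 15 20:00:18 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34002 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:18 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34003 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:19 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34004 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:00:20 ff-lin4 kernel: TCP LOGDROP: IN= OUT=eth0 SRC=10.1.1.31 DST=10.1.1.21 LEN=116 TOS=0x10 PREC=0x00 TTL=64 ID=34005 DF PROTO=TCP SPT=22 DPT=47518 WINDOW=10880 RES=0x00 ACK PSH URGP=0
Oct 15 20:01:02 ff-lin4 kernel: TCP LOGDROP: IN=eth0 OUT= SRC=10.1.1.77 DST=10.1.1.31 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 15 20:01:05 ff-lin4 kernel: UDP LOGDROP: IN=eth0 OUT= SRC=10.1.1.9 DST=10.1.1.31 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
)

# Usage: run against the sample, or replace it with: grep LOGDROP /var/log/messages | classify_drops
printf '%s\n' "$SAMPLE_LOG" | classify_drops
```

If the ssh-midstream-untracked count stops growing once the pre-existing sessions are gone, the drops were the stale sessions described above and no extra rule (in particular no blanket `--sport 22 --state NEW` ACCEPT) is needed.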


