[squid-users] Packets logged as blocked even Firewall (IPtables) accepts them ...

Antony Stone Antony.Stone at squid.open.source.it
Wed Jul 19 09:53:46 UTC 2017


On Wednesday 19 July 2017 at 10:40:36, Walter H. wrote:

> On Wed, July 19, 2017 11:31, Antony Stone wrote:
> > On Wednesday 19 July 2017 at 10:16:30, Walter H. wrote:
> >> I added these rules, and will see which packets are caught
> >> 
> >> -A INPUT -m state --state INVALID -j LOG --log-prefix "IP[IN(invalid)]: " --log-level 7
> >> -A FORWARD -m state --state INVALID -j LOG --log-prefix "IP[FWD(invalid)]: " --log-level 7
> >> -A OUTPUT -m state --state INVALID -j LOG --log-prefix "IP[OUT(invalid)]: " --log-level 7
> >> 
> >> and not by these after:
> >> 
> >> -A INPUT -j LOG --log-prefix "IP[IN]: " --log-level 7
> >> -A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level 7
> >> -A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level 7
> > 
> > Note that any packets caught by the first rules will *also* be caught by
> > the second rules (since there is no DROP in between, and the second rule
> > does not exclude INVALID),
> 
> how would I exclude INVALID in the second rules?

If you really want to:

-A INPUT -m state ! --state INVALID -j LOG  --log-prefix....

Depending on how you enter this rule, you may need to shell-escape the ! so 
that it doesn't get interpreted by bash etc.

The alternative (IMHO uglier) way of doing it would be:

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix....


Quoting from the iptables man page:

"   state
       This module, when combined with connection tracking, allows access to 
the connection tracking state for this packet.

       [!] --state state
              Where state is a comma separated list of the connection states 
to match.  Possible states are INVALID meaning that the packet could not be 
identified for some reason which includes running out of memory and ICMP errors 
which don't correspond to any known connection, ESTABLISHED meaning that the 
packet is associated with a connection which has seen packets in both 
directions, NEW meaning that the packet has started a new connection, or 
otherwise associated with a connection which has not seen packets in both 
directions, and RELATED meaning that the packet is starting a new connection, 
but is associated with an existing connection, such as an FTP data transfer, 
or an ICMP error.  UNTRACKED meaning that the packet is not tracked at all, 
which happens if you use the NOTRACK target in raw table."


Antony.

-- 
This email was created using 100% recycled electrons.

                                                   Please reply to the list;
                                                         please *don't* CC me.
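An added example, not part of the thread and not Antony's or the Squid project's code: a small Python script that parses the kernel log lines the LOG rules above emit and correlates them, so you can see Antony's point that, without an exclusion in the catch-all rules, an INVALID packet shows up twice, once under "IP[IN(invalid)]: " and once under "IP[IN]: ". The log lines are constructed for this example; the field layout follows what the netfilter LOG target writes (the prefix, then KEY=VALUE fields and bare flags such as DF, SYN, ACK, RST), and the key used to match the two entries for one packet (chain, protocol, addresses, ports and IP ID) is this script's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original thread) in the format the
# netfilter LOG target writes: "<prefix> KEY=VALUE ... <bare flags> ...".
# They mimic what the INVALID and catch-all LOG rules from the thread produce.
SAMPLE_KERN_LOG = """\
Jul 19 10:42:01 proxy kernel: IP[IN(invalid)]: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul 19 10:42:01 proxy kernel: IP[IN]: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Jul 19 10:42:02 proxy kernel: IP[IN]: IN=eth0 OUT= SRC=192.0.2.25 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=40000 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:42:02 proxy kernel: IP[OUT]: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3128 DPT=40000 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Jul 19 10:42:05 proxy kernel: IP[FWD(invalid)]: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=55512 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 19 10:42:05 proxy kernel: IP[FWD]: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=55512 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 19 10:42:06 proxy kernel: IP[IN]: IN=eth0 OUT= SRC=192.0.2.25 DST=192.0.2.10 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=2222 PROTO=UDP SPT=5353 DPT=53
"""

# Matches the prefixes the thread's rules use: IP[IN]:, IP[IN(invalid)]:, IP[FWD]:, ...
PREFIX_RE = re.compile(
    r"IP\[(?P<chain>IN|FWD|OUT)(?P<invalid>\(invalid\))?\]: (?P<rest>.*)$")


def parse_line(line):
    """Parse one kernel log line; return None if it was not written by our LOG rules."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"),
           "invalid": m.group("invalid") is not None,
           "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:                      # KEY=VALUE field (VALUE may be empty, e.g. "OUT=")
            key, val = tok.split("=", 1)
            rec[key] = val
        else:                               # bare flag such as DF, SYN, ACK, RST, FIN
            rec["flags"].append(tok)
    return rec


def packet_key(rec):
    """Identify one packet (assumption: chain, protocol, endpoints and IP ID are enough)."""
    return (rec["chain"], rec.get("PROTO", "?"), rec.get("SRC", "?"), rec.get("SPT", "-"),
            rec.get("DST", "?"), rec.get("DPT", "-"), rec.get("ID", "?"))


def analyse(log_text):
    """Return (INVALID count per chain, packets logged under both the INVALID and catch-all prefix)."""
    seen = defaultdict(set)          # packet key -> {True, False} depending on which rules logged it
    invalid_per_chain = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        seen[packet_key(rec)].add(rec["invalid"])
        if rec["invalid"]:
            invalid_per_chain[rec["chain"]] += 1
    # A packet that hit "-m state --state INVALID -j LOG" and then the plain "-j LOG"
    # rule appears once with invalid=True and once with invalid=False.
    double_logged = sorted(k for k, marks in seen.items() if marks == {True, False})
    return dict(invalid_per_chain), double_logged


def main():
    counts, doubles = analyse(SAMPLE_KERN_LOG)
    print("INVALID packets per chain:", counts)
    print("Packets that hit both the INVALID rule and the catch-all rule:")
    for chain, proto, src, spt, dst, dpt, ipid in doubles:
        print(f"  {chain}: {proto} {src}:{spt} -> {dst}:{dpt} (IP ID {ipid})")


if __name__ == "__main__":
    main()
```

To run it on a real box, feed it the kernel log instead of the sample, e.g. analyse(open("/var/log/kern.log").read()). Once the catch-all rules carry "-m state ! --state INVALID" (or list NEW,ESTABLISHED,RELATED explicitly), the second list should come out empty, because each INVALID packet is then logged by the first rule only; the TCP flags in each record (an ACK/RST with IP ID 0, a late ACK/FIN on a connection conntrack has already forgotten) are usually enough to see why conntrack classified the packet as INVALID.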