Honeypots mailing list archives

iptables OUTBOUND TCP:


From: "Ensz, Sean A." <ensz () ou edu>
Date: Wed, 12 Jan 2005 11:59:49 -0600

Does anyone have an explanation why honeywall logs TCP packets with the
ACK SYN bits set as outbound connections? This is obviously the second
part of the 3-way TCP handshake, but I don't know why iptables thinks it
is a new connection and is therefore triggering the OUTBOUND TCP log rule.
The only thing I could come up with is that iptables is only looking at
the SYN bit and not checking if any other bits are set. Any insight
would be most appreciated.


Here are the iptables excerpts and tcpdump info:


Jan 12 11:08:09 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0
PHYSIN=eth0 PHYSOUT=eth1 SRC=195.14.x.x DST=192.168.246.105 LEN=52
TOS=0x00 PREC=0x00 TTL=104 ID=30217 DF PROTO=TCP SPT=3034 DPT=4899
WINDOW=32767 RES=0x00 SYN URGP=0

Jan 12 11:08:30 honeywall kernel: OUTBOUND TCP: IN=br0 OUT=br0
PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.246.105 DST=195.14.x.x LEN=44
TOS=0x00 PREC=0x00 TTL=64 ID=20353 PROTO=TCP SPT=4899 DPT=3034
WINDOW=16000 RES=0x00 ACK SYN URGP=0


tcpdump -r pcap.20050112.1105488301 -nn -v host 195.14.x.x and port 3034
reading from file pcap.20050112.1105488301, link-type EN10MB (Ethernet)

11:08:09.029231 IP (tos 0x0, ttl 104, id 30217, offset 0, flags [DF],
length: 52) 195.14.x.x.3034 > 192.168.246.105.4899: S [tcp sum ok]
3773502378:3773502378(0) win 32767 <mss 1452,nop,wscale
0,nop,nop,sackOK>

11:08:09.033731 IP (tos 0x0, ttl  64, id 64182, offset 0, flags [none],
length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
0:0(0) ack 3773502379 win 16000 <mss 1460>

11:08:09.112651 IP (tos 0x0, ttl  64, id 37805, offset 0, flags [none],
length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
0:0(0) ack 1 win 0

11:08:09.267803 IP (tos 0x0, ttl 104, id 30288, offset 0, flags [DF],
length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: . [tcp sum ok] ack 1
win 32767

11:08:09.268404 IP (tos 0x0, ttl  64, id 37806, offset 0, flags [none],
length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
1:1(0) win 0

11:08:09.314790 IP (tos 0x0, ttl 104, id 30289, offset 0, flags [DF],
length: 50) 195.14.x.x.3034 > 192.168.246.105.4899: P [tcp sum ok]
1:11(10) ack 1 win 32767

11:08:09.315780 IP (tos 0x0, ttl  64, id 37807, offset 0, flags [none],
length: 40) 192.168.246.105.4899 > 195.14.x.x.3034: R [tcp sum ok]
1:1(0) win 0

11:08:12.038379 IP (tos 0x0, ttl  64, id 34767, offset 0, flags [none],
length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
0:0(0) ack 3773502379 win 16000 <mss 1460>

11:08:12.254188 IP (tos 0x0, ttl 104, id 31271, offset 0, flags [none],
length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
3773502379:3773502379(0) win 0

11:08:18.048603 IP (tos 0x0, ttl  64, id 30427, offset 0, flags [none],
length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
0:0(0) ack 3773502379 win 16000 <mss 1460>

11:08:18.244447 IP (tos 0x0, ttl 104, id 33222, offset 0, flags [none],
length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
3773502379:3773502379(0) win 0

11:08:30.059046 IP (tos 0x0, ttl  64, id 20353, offset 0, flags [none],
length: 44) 192.168.246.105.4899 > 195.14.x.x.3034: S [tcp sum ok]
0:0(0) ack 3773502379 win 16000 <mss 1460>

11:08:30.272743 IP (tos 0x0, ttl 104, id 37499, offset 0, flags [none],
length: 40) 195.14.x.x.3034 > 192.168.246.105.4899: R [tcp sum ok]
3773502379:3773502379(0) win 0
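As an added example (not from the post or the honeywall project), a small Python audit of the two kernel LOG lines quoted above: it parses the KEY=VALUE fields and the bare flag tokens, then applies the test iptables' --syn match uses (SYN set, ACK/RST/FIN clear), so the OUTBOUND entry carrying ACK SYN is reported as a handshake reply rather than a connection request.

```python
# The two kernel LOG lines quoted in the post, rejoined onto single lines.
LOG_LINES = [
    "Jan 12 11:08:09 honeywall kernel: INBOUND TCP: IN=br0 OUT=br0 PHYSIN=eth0 "
    "PHYSOUT=eth1 SRC=195.14.x.x DST=192.168.246.105 LEN=52 TOS=0x00 PREC=0x00 "
    "TTL=104 ID=30217 DF PROTO=TCP SPT=3034 DPT=4899 WINDOW=32767 RES=0x00 SYN URGP=0",
    "Jan 12 11:08:30 honeywall kernel: OUTBOUND TCP: IN=br0 OUT=br0 PHYSIN=eth1 "
    "PHYSOUT=eth0 SRC=192.168.246.105 DST=195.14.x.x LEN=44 TOS=0x00 PREC=0x00 "
    "TTL=64 ID=20353 PROTO=TCP SPT=4899 DPT=3034 WINDOW=16000 RES=0x00 ACK SYN URGP=0",
]

# Bare tokens the LOG target emits for TCP flags (DF is an IP flag, filtered out).
TCP_FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

def parse_log_line(line):
    """Split one iptables LOG line into log prefix, KEY=VALUE fields and TCP flags."""
    _, _, rest = line.partition("kernel: ")
    prefix, _, body = rest.partition(": ")        # e.g. "OUTBOUND TCP"
    fields, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.add(tok)                          # DF, SYN, ACK, ...
    return {"prefix": prefix, "fields": fields, "flags": flags & TCP_FLAG_TOKENS}

def is_connection_request(entry):
    """Pure SYN: SYN set and ACK, RST, FIN clear (what iptables' --syn tests)."""
    f = entry["flags"]
    return "SYN" in f and not (f & {"ACK", "RST", "FIN"})

def classify(entry):
    if entry["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    if is_connection_request(entry):
        return "connection-request"
    if {"SYN", "ACK"} <= entry["flags"]:
        return "handshake-reply"                    # second step of the 3-way handshake
    return "other"

def audit(lines):
    """One (prefix, SRC, DST, class) tuple per LOG line."""
    rows = []
    for line in lines:
        e = parse_log_line(line)
        rows.append((e["prefix"], e["fields"]["SRC"], e["fields"]["DST"], classify(e)))
    return rows

def misclassified(lines):
    """Entries logged as connections whose flags are not a pure SYN: these show
    the logging rule matched on the SYN bit alone, as the post suspects."""
    return [row for row in audit(lines) if row[3] != "connection-request"]
```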