Firewall Resetting ACK packages

September 24, 2018 at 13:40:12
Specs: Red Hat Enterprise 7, T5240
Hi,

Edited: The correct title of this post is: Firewall Resetting SYN requests

I have Zabbix on my OS (Red Hat Enterprise 7) and, as we know, it uses port 10050 by default.

The problem is that my firewall definition is sending a RESET for every SYN request, like below:

# tcpdump -i any -n port 10050
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:31:34.998683 IP 10.129.251.46.37033 > 10.221.27.16.zabbix-agent: Flags [S], seq 3130954167, win 14600, options [mss 1460,sackOK,TS val 1986722805 ecr 0,nop,wscale 9], length 0
17:31:34.998683 IP 10.129.251.46.37033 > 10.221.27.16.zabbix-agent: Flags [S], seq 3130954167, win 14600, options [mss 1460,sackOK,TS val 1986722805 ecr 0,nop,wscale 9], length 0
17:31:34.998748 IP 10.221.27.16.zabbix-agent > 10.129.251.46.37033: Flags [R.], seq 0, ack 3130954168, win 0, length 0
17:31:34.998750 IP 10.221.27.16.zabbix-agent > 10.129.251.46.37033: Flags [R.], seq 0, ack 1, win 0, length 0

Below is some useful information.


ifcfg-team0 - When I remove the zone line, it works (but I have to keep it)

# cat ifcfg-team0
UUID=6840cc90-1a1c-4510-a13a-015c6035ca58
DEVICE=team0
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=team0
ONBOOT=yes
DEVICETYPE=Team
TEAM_CONFIG="{\"device\":\"team0\",\"runner\":{\"name\":\"activebackup\"},\"link_watch\":{\"name\":\"ethtool\"},\"ports\":{\"eno1\":{\"prio\":100},\"eno49\":{\"prio\":-10,\"sticky\":true}}}"
DOMAIN=claro.com.br
ZONE=ledefaultzone
IPADDR=10.221.27.16
PREFIX=26
GATEWAY=10.221.27.1
NETMASK=255.255.255.192
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes


Information about the iptables definition:


# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Jul  6 12:33:12 2018
*nat
:PREROUTING ACCEPT [43312:1382232]
:INPUT ACCEPT [7388:444286]
:OUTPUT ACCEPT [1135241:79983683]
:POSTROUTING ACCEPT [1093663:78653187]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_ledefaultzone - [0:0]
:POST_ledefaultzone_allow - [0:0]
:POST_ledefaultzone_deny - [0:0]
:POST_ledefaultzone_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ledefaultzone - [0:0]
:PRE_ledefaultzone_allow - [0:0]
:PRE_ledefaultzone_deny - [0:0]
:PRE_ledefaultzone_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o team2 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o team0 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o team1 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno52 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno4 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno50 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno2 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno49 -g POST_ledefaultzone
-A POSTROUTING_ZONES -o eno1 -g POST_ledefaultzone
-A POSTROUTING_ZONES -g POST_ledefaultzone
-A POST_ledefaultzone -j POST_ledefaultzone_log
-A POST_ledefaultzone -j POST_ledefaultzone_deny
-A POST_ledefaultzone -j POST_ledefaultzone_allow
-A PREROUTING_ZONES -i team2 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i team0 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i team1 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno52 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno4 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno50 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno2 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno49 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno1 -g PRE_ledefaultzone
-A PREROUTING_ZONES -g PRE_ledefaultzone
-A PREROUTING_direct -d 10.221.27.16/32 -p tcp -m tcp --dport 10700 -j DNAT --to-destination 192.168.1.19:10700
-A PRE_ledefaultzone -j PRE_ledefaultzone_log
-A PRE_ledefaultzone -j PRE_ledefaultzone_deny
-A PRE_ledefaultzone -j PRE_ledefaultzone_allow
COMMIT
# Completed on Fri Jul  6 12:33:12 2018
# Generated by iptables-save v1.4.21 on Fri Jul  6 12:33:12 2018
*mangle
:PREROUTING ACCEPT [68272913:9140130507]
:INPUT ACCEPT [68252127:9139548499]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53213163:7507794346]
:POSTROUTING ACCEPT [58276738:8009007163]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_ledefaultzone - [0:0]
:PRE_ledefaultzone_allow - [0:0]
:PRE_ledefaultzone_deny - [0:0]
:PRE_ledefaultzone_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i team2 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i team0 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i team1 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno52 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno4 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno50 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno2 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno49 -g PRE_ledefaultzone
-A PREROUTING_ZONES -i eno1 -g PRE_ledefaultzone
-A PREROUTING_ZONES -g PRE_ledefaultzone
-A PRE_ledefaultzone -j PRE_ledefaultzone_log
-A PRE_ledefaultzone -j PRE_ledefaultzone_deny
-A PRE_ledefaultzone -j PRE_ledefaultzone_allow
COMMIT
# Completed on Fri Jul  6 12:33:12 2018
# Generated by iptables-save v1.4.21 on Fri Jul  6 12:33:12 2018
*security
:INPUT ACCEPT [68230302:9138791641]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [53171585:7506463850]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Jul  6 12:33:12 2018
# Generated by iptables-save v1.4.21 on Fri Jul  6 12:33:12 2018
*raw
:PREROUTING ACCEPT [68272913:9140130507]
:OUTPUT ACCEPT [53213163:7507794346]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Jul  6 12:33:12 2018
# Generated by iptables-save v1.4.21 on Fri Jul  6 12:33:12 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_ledefaultzone - [0:0]
:FWDI_ledefaultzone_allow - [0:0]
:FWDI_ledefaultzone_deny - [0:0]
:FWDI_ledefaultzone_log - [0:0]
:FWDO_ledefaultzone - [0:0]
:FWDO_ledefaultzone_allow - [0:0]
:FWDO_ledefaultzone_deny - [0:0]
:FWDO_ledefaultzone_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_ledefaultzone - [0:0]
:IN_ledefaultzone_allow - [0:0]
:IN_ledefaultzone_deny - [0:0]
:IN_ledefaultzone_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i team2 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i team0 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i team1 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno52 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno4 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno50 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno2 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno49 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -i eno1 -g FWDI_ledefaultzone
-A FORWARD_IN_ZONES -g FWDI_ledefaultzone
-A FORWARD_OUT_ZONES -o team2 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o team0 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o team1 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno52 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno4 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno50 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno2 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno49 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -o eno1 -g FWDO_ledefaultzone
-A FORWARD_OUT_ZONES -g FWDO_ledefaultzone
-A FWDI_ledefaultzone -j FWDI_ledefaultzone_log
-A FWDI_ledefaultzone -j FWDI_ledefaultzone_deny
-A FWDI_ledefaultzone -j FWDI_ledefaultzone_allow
-A FWDI_ledefaultzone -p icmp -j ACCEPT
-A FWDO_ledefaultzone -j FWDO_ledefaultzone_log
-A FWDO_ledefaultzone -j FWDO_ledefaultzone_deny
-A FWDO_ledefaultzone -j FWDO_ledefaultzone_allow
-A INPUT_ZONES -i team2 -g IN_ledefaultzone
-A INPUT_ZONES -i team0 -g IN_ledefaultzone
-A INPUT_ZONES -i team1 -g IN_ledefaultzone
-A INPUT_ZONES -i eno52 -g IN_ledefaultzone
-A INPUT_ZONES -i eno4 -g IN_ledefaultzone
-A INPUT_ZONES -i eno50 -g IN_ledefaultzone
-A INPUT_ZONES -i eno2 -g IN_ledefaultzone
-A INPUT_ZONES -i eno49 -g IN_ledefaultzone
-A INPUT_ZONES -i eno1 -g IN_ledefaultzone
-A INPUT_ZONES -g IN_ledefaultzone
-A INPUT_direct -p tcp -m tcp --dport 10000 -m limit --limit 100/sec --limit-burst 1 -j ACCEPT
-A INPUT_direct -p tcp -m tcp --dport 10020 -m limit --limit 100/sec --limit-burst 1 -j ACCEPT
-A INPUT_direct -p tcp -m tcp --dport 11000 -m limit --limit 100/sec --limit-burst 1 -j ACCEPT
-A INPUT_direct -p tcp -m tcp --dport 11020 -m limit --limit 100/sec --limit-burst 1 -j ACCEPT
-A INPUT_direct -i team1 -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT_direct -i team1 -p udp -m udp -j ACCEPT
-A IN_ledefaultzone -j IN_ledefaultzone_log
-A IN_ledefaultzone -j IN_ledefaultzone_deny
-A IN_ledefaultzone -j IN_ledefaultzone_allow
-A IN_ledefaultzone -p icmp -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10050 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 20701 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 7199 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 4040 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33003 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10742 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33005 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 1099 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10701 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33002 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 11443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10020 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 20601 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33004 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 11020 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10700 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33006 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10760 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10288 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 20700 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 33001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10080 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 23232 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10388 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 20600 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10181 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 11000 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT_direct -p icmp -j ACCEPT
-A OUTPUT_direct -p tcp -m multiport --dports 53,22,80,443 -j ACCEPT
-A OUTPUT_direct -p tcp -m multiport --dports 1024:65535 -j ACCEPT
-A OUTPUT_direct -p udp -m multiport --dports 1024:65535 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --dport 161 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --dport 162 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --dport 705 -j ACCEPT
-A OUTPUT_direct -p tcp -m multiport --sports 53,22,80,443 -j ACCEPT
-A OUTPUT_direct -p tcp -m multiport --sports 1024:65535 -j ACCEPT
-A OUTPUT_direct -p udp -m multiport --sports 1024:65535 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --sport 161 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --sport 162 -j ACCEPT
-A OUTPUT_direct -p udp -m udp --sport 705 -j ACCEPT
-A OUTPUT_direct -j DROP
COMMIT
# Completed on Fri Jul  6 12:33:12 2018

Does anyone know how I can free port 10050?

message edited by surfistadesampa
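An added diagnostic, not part of the post and not Zabbix's or firewalld's own code: a small Python tracer that walks a packet through a firewalld-style filter INPUT path and reports which chain produced the verdict. The ruleset embedded in it is a constructed subset modelled on the iptables-save output above (same chain names, same -j / -g layout); pass a path such as /etc/sysconfig/iptables to trace the real one instead. The packet description keys (iface, proto, dport, ctstate) are this example's own, and only the matches used on the post's INPUT path are understood; other options are skipped, which is an assumption stated in the code. The point to watch is -g: when IN_ledefaultzone falls through without a verdict, control returns to INPUT, not to INPUT_ZONES, so the packet lands on the final REJECT, and that REJECT answers with ICMP host-prohibited rather than a TCP RST. A RST/ACK from the port itself, as in the capture, is what the kernel's TCP stack sends when no socket is listening, so `ss -ltnp | grep 10050` is the companion check to this trace.

```python
"""Trace a packet through a firewalld-style iptables filter INPUT path.

Added example, not from the original post.  RULESET is a constructed subset
modelled on the iptables-save output in the post.  Understood matches: -i, -p,
--dport, --sport, -m conntrack --ctstate, -j, -g, RETURN.  Assumption: any
other option (-m limit ..., --reject-with ...) is skipped with its argument,
so a rule that uses only such options is treated as matching.
"""
import shlex
import sys
from dataclasses import dataclass

RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ledefaultzone - [0:0]
:IN_ledefaultzone_allow - [0:0]
:IN_ledefaultzone_deny - [0:0]
:IN_ledefaultzone_log - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i team0 -g IN_ledefaultzone
-A INPUT_ZONES -g IN_ledefaultzone
-A INPUT_direct -p tcp -m tcp --dport 10000 -m limit --limit 100/sec --limit-burst 1 -j ACCEPT
-A IN_ledefaultzone -j IN_ledefaultzone_log
-A IN_ledefaultzone -j IN_ledefaultzone_deny
-A IN_ledefaultzone -j IN_ledefaultzone_allow
-A IN_ledefaultzone -p icmp -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 10050 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ledefaultzone_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    matches: dict   # criteria this evaluator understands
    target: str     # chain name or verdict
    goto: bool      # True for -g, False for -j


def parse(text):
    """Return ({chain: [Rule]}, {chain: policy}) for the *filter table only."""
    chains, policies, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        if table != "filter" or line.startswith("#"):
            continue
        if line.startswith(":"):
            name, policy, _ = line[1:].split()
            chains[name] = []
            if policy != "-":
                policies[name] = policy
        elif line.startswith("-A"):
            toks = shlex.split(line)[1:]
            chain, m, target, goto = toks[0], {}, None, False
            i = 1
            while i < len(toks):
                t, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
                if t == "-i":
                    m["iface"] = arg
                elif t == "-p":
                    m["proto"] = arg
                elif t in ("--dport", "--sport"):
                    m[t[2:]] = int(arg)
                elif t == "--ctstate":
                    m["ctstate"] = set(arg.split(","))
                elif t in ("-j", "-g"):
                    target, goto = arg, (t == "-g")
                i += 2  # every option seen here takes exactly one argument
            chains.setdefault(chain, []).append(Rule(m, target, goto))
    return chains, policies


def rule_matches(rule, pkt):
    m = rule.matches
    return all([
        m.get("iface", pkt["iface"]) == pkt["iface"],
        m.get("proto", pkt["proto"]) == pkt["proto"],
        m.get("dport", pkt.get("dport")) == pkt.get("dport"),
        m.get("sport", pkt.get("sport")) == pkt.get("sport"),
        pkt["ctstate"] in m.get("ctstate", {pkt["ctstate"]}),
    ])


def describe(rule):
    crit = " ".join(f"{k}={sorted(v) if isinstance(v, set) else v}"
                    for k, v in rule.matches.items())
    return f"{crit or '(any)'} {'-g' if rule.goto else '-j'} {rule.target}"


def walk(chains, chain, pkt, trace):
    """Evaluate one chain; return a verdict, or None if it fell through.

    -j: a fall-through in the target resumes here at the next rule.
    -g: a fall-through in the target resumes in the chain that -j'ed *us*,
        so this chain is finished as well (the iptables goto rule).
    """
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        trace.append(f"{chain}: {describe(rule)}")
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, trace)
        if verdict is not None or rule.goto:
            return verdict
    return None


def trace_input(chains, policies, pkt):
    """Verdict for pkt entering INPUT, plus the rules it touched on the way."""
    trace = []
    verdict = walk(chains, "INPUT", pkt, trace)
    if verdict is None:
        verdict = policies.get("INPUT", "ACCEPT")
        trace.append(f"INPUT: policy {verdict}")
    return verdict, trace


if __name__ == "__main__":
    # Pass a path (e.g. /etc/sysconfig/iptables) to trace a live ruleset.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULESET
    chains, policies = parse(text)
    for pkt in ({"iface": "team0", "proto": "tcp", "dport": 10050, "ctstate": "NEW"},
                {"iface": "team0", "proto": "tcp", "dport": 10051, "ctstate": "NEW"}):
        verdict, trace = trace_input(chains, policies, pkt)
        print(f"{pkt} -> {verdict}")
        for step in trace:
            print("   ", step)
```

Run without arguments to see the two constructed traces: the SYN to 10050 ends in IN_ledefaultzone_allow with ACCEPT, while the SYN to 10051 falls out of IN_ledefaultzone, skips the rest of INPUT_ZONES because of -g, and ends at INPUT's REJECT. A NEW packet on any other interface hits the catch-all `-g IN_ledefaultzone` line, which is why the interface list in INPUT_ZONES does not by itself change the outcome in this ruleset.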
