Looking to get some help on an issue I'm having, preventing me from getting a certain new location going. New datacenter, connecting the feed they're providing me to L3 switch. Have not been able to set up a proper iptables f irewall in this location (everything is blocked, no access). Only way to ac cess is adding my IP to allow list.
Packets are being flagged as invalid, no reply to [SYN] packets from the se rver. Not sure if this is whats blocking or not.
This is what most of the blockings are saying: kernel: [20604.837769] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MA C= SRC=*MYIP* DST=*SERVERIP* LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=15851 DF PROTO=TCP SPT=61742 DPT=21 WINDOW=8192 RES=0x00 S YN URGP=0
Here's the invalid packet: kernel: [16708.550424] Firewall: *INVALID* IN=venet0 OUT= MAC= SR C=MYIP DST=SERVERIP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=12281 DF PROTO=TCP SPT=60992 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
I ran a Wireshark & tcpdump simultaneously to catch client/server side and here was the result: Client side (my PC): 77 4.434317000 192.168.2.244 SERVER-IP TCP 66 63866 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
Server side (server tcpdump) 1 0.000000 MY-ISP-IP SERVER-IP TCP 68 61992 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=4 SACK_PERM=1
So the only thing I notice is that the server-side MSS is different then wh at the client (my PC) sent out. Is this normal, is this what's flagging as invalid?
Basically I'm trying to setup a cPanel server with csf firewall (which uses iptables) but as soon as its active I get no access, have to log onto VPS node, drop into via 'vzctl enter *' and shutdown iptables.
For hardware I'm using a Nortel Baystack 5510 L3 switch, and I believe that the DC is using a Cisco ASA but I could be wrong.
Any suggestions to the solution here would be greatly appreciated!! :)