IPtables flagging packets invalid, no access

Hi all,

Looking to get some help on an issue I'm having, preventing me from getting a certain new location going. New datacenter, connecting the feed they're providing me to an L3 switch. Have not been able to set up a proper iptables firewall in this location (everything is blocked, no access). The only way to access is adding my IP to the allow list.

Packets are being flagged as invalid, no reply to [SYN] packets from the server. Not sure if this is what's blocking or not.

This is what most of the blockings are saying:

kernel: [20604.837769] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=*MYIP* DST=*SERVERIP* LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=15851 DF PROTO=TCP SPT=61742 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0

Here's the invalid packet:

kernel: [16708.550424] Firewall: *INVALID* IN=venet0 OUT= MAC= SRC=MYIP DST=SERVERIP LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1228


I ran Wireshark and tcpdump simultaneously to catch the client and server side, and here was the result:

Client side (my PC):
77 4.434317000 SERVER-IP TCP 66 63866 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1

Server side (server tcpdump):
1 0.000000 MY-ISP-IP SERVER-IP TCP 68 61992 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1452 WS=4 SACK_PERM=1

So the only thing I notice is that the server-side MSS is different than what the client (my PC) sent out. Is this normal, is this what's flagging as invalid?

Basically I'm trying to set up a cPanel server with the csf firewall (which uses iptables), but as soon as it's active I get no access, and have to log onto the VPS node, drop in via 'vzctl enter *' and shut down iptables.

For hardware I'm using a Nortel Baystack 5510 L3 switch, and I believe that the DC is using a Cisco ASA but I could be wrong.

Any suggestions to the solution here would be greatly appreciated!! :)
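The two kernel log lines quoted above are in the standard netfilter LOG format: a csf rule name wrapped in asterisks, then key=value fields, with TCP flags (SYN, ACK) and IP options (DF) appearing as bare tokens. When a host is "blocked with no access", the first useful step is to pull those lines apart and count which rule is dropping which port, and whether the dropped packets are fresh SYNs or mid-stream packets that conntrack no longer has an entry for. The script below is an added example written for this post; it is not code from the original post or from csf. The log lines in it are constructed to match the quoted format, with documentation addresses (192.0.2.10, 198.51.100.5) standing in for the redacted MYIP/SERVERIP, and the third line (an ACK marked INVALID) is an assumed follow-up to the INVALID SYN, added to show the mid-stream case.

```python
"""Triage netfilter LOG lines of the kind csf/iptables writes to the kernel log.

Added example, not code from the original post or from csf. SAMPLE_LOG is
constructed to match the format quoted in the post, with documentation
addresses standing in for the redacted MYIP/SERVERIP.
"""
import re
from collections import Counter

# Constructed sample: a SYN to port 21 hitting the TCP_IN block, a SYN to port 80
# marked INVALID, and an (assumed) follow-up ACK for that flow also marked INVALID.
SAMPLE_LOG = """\
kernel: [20604.837769] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=15851 DF PROTO=TCP SPT=61742 DPT=21 WINDOW=8192 RES=0x00 SYN URGP=0
kernel: [16708.550424] Firewall: *INVALID* IN=venet0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1228 DF PROTO=TCP SPT=63866 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
kernel: [16709.100000] Firewall: *INVALID* IN=venet0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1229 DF PROTO=TCP SPT=63866 DPT=80 WINDOW=8192 RES=0x00 ACK URGP=0
"""

# "kernel: [uptime] <log prefix> IN=... key=value ... bare-token ..."
LINE_RE = re.compile(r"kernel: \[\s*\d+\.\d+\] (?P<prefix>.*?)\s*(?P<kv>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of the LOG fields, or None if this is not a netfilter LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix = m.group("prefix")
    # csf wraps its rule name in asterisks: "Firewall: *TCP_IN Blocked*".
    name = re.search(r"\*([^*]+)\*", prefix)
    rec = {"rule": name.group(1) if name else prefix.strip(), "flags": set(), "opts": set()}
    for tok in m.group("kv").split():
        if "=" in tok:                 # key=value field (value may be empty, e.g. OUT=)
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok in TCP_FLAGS:         # TCP flags are logged as bare tokens
            rec["flags"].add(tok)
        else:                          # IP-level options such as DF
            rec["opts"].add(tok)
    return rec


def classify(rec):
    """Label the packet by handshake position and attach a short diagnostic hint."""
    if rec.get("PROTO") != "TCP":
        return rec.get("PROTO", "?"), "non-TCP packet"
    f = rec["flags"]
    if "SYN" in f and "ACK" not in f:
        kind = "new SYN"
    elif f:
        kind = "mid-stream"
    else:
        kind = "no flags"
    if rec["rule"] == "INVALID":
        if kind == "new SYN":
            hint = ("fresh SYN marked INVALID: conntrack did not classify it as NEW; "
                    "check whether connection tracking works on this interface")
        else:
            hint = ("no conntrack entry for this flow: its handshake was never tracked "
                    "(for example because the SYN itself was dropped)")
    else:
        hint = f"port {rec.get('DPT')}/tcp dropped by the '{rec['rule']}' rule"
    return kind, hint


def triage(text):
    """Parse every LOG line in text; return (records, Counter keyed by (rule, DPT))."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["kind"], rec["hint"] = classify(rec)
        records.append(rec)
    summary = Counter((r["rule"], r.get("DPT")) for r in records)
    return records, summary


if __name__ == "__main__":
    recs, summary = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['rule']:<15} {r['SRC']}:{r['SPT']} -> {r['DST']}:{r['DPT']} "
              f"TTL={r['TTL']} {r['kind']}: {r['hint']}")
    for (rule, dport), n in summary.items():
        print(f"{n:>3} x {rule} on port {dport}")
```

Feed it the real log with something like `triage(open("/var/log/messages").read())` and look at the summary first: a pile of "new SYN" entries under one rule name tells you which rule list to fix, while INVALID entries for mid-stream packets usually mean the handshake was never tracked, so the root cause is earlier in the log. As a side note on the capture question in the post: the 1460 versus 1452 MSS difference is an 8-byte reduction of a TCP option value, which is what MSS clamping at an intermediate hop (a PPPoE-style encapsulation, for instance) does; an option rewrite like that is not what conntrack looks at when it marks a packet INVALID.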


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.