I have a Rails server (ROR) behind my firewall (FWL). ROR must constantly send information to Digital Ocean Spaces (DOS). Note that ROR is not in a Digital Ocean datacenter.
ROR <--> FWL <--> Internet <--> DOS
My firewall has the following rule:
# Only log invalid FORWARD packets (the DROP rule below is still commented out)
${IPT} -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-level alert --log-prefix 'DROP FORWARD_INV: '
#${IPT} -A FORWARD -m conntrack --ctstate INVALID -j DROP
So, I am just logging it, yet I'm ready to block it.
Then, my conclusions will start on Jan 16:
$ # Note: 138.68.32.225 is sfo2.digitaloceanspaces.com.
$ sudo grep -E "FORWARD_INV:.*138.68.32.225" /var/log/kern.log | head -1
Jan 16 00:10:47 prd1fwl100 kernel: [2660776.069502] DROP FORWARD_INV: IN=ens20 OUT=ens18 MAC=96:c5:9a:8e:13:0d:52:b4:ff:05:19:d7:08:00 SRC=172.21.20.2 DST=138.68.32.225 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14134 DF PROTO=TCP SPT=39966 DPT=443 WINDOW=601 RES=0x00 ACK RST URGP=0
And here's what I'm not getting!!!
$ sudo grep -E "FORWARD_INV:.*138.68.32.225" /var/log/kern.log | wc -l
2971
$ sudo grep -E "FORWARD_INV:.*138.68.32.225" /var/log/kern.log | awk '{print $25,$26}' | sort | uniq -c
2957 ACK RST
14 RST URGP=0
Why is the software on the ROR server terminating its communication with DOS using ACK/RST? Wasn't it supposed to use FIN instead? Why does the Netfilter module tag this ACK/RST as invalid?
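As an added example (not part of the question or any answer), a small Python script that parses kernel LOG lines of the format shown above by field name instead of by awk column position and tallies the logged TCP segments by source, destination and flag set. The three sample lines are constructed in the same format as the quoted log; the "RST URGP=0" bucket in the awk output is the bare-RST case, where the missing ACK token shifts every later column one position to the left.

```python
import re
from collections import Counter

# Order in which the kernel's LOG target prints TCP flag tokens.
TCP_FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")
LOG_RE = re.compile(r"kernel: \[[^\]]*\] (?P<prefix>.*?): (?P<body>.*)$")

# Constructed sample lines in the format of the iptables LOG output quoted in
# the question (timestamps, MACs and ports are illustrative).
SAMPLE_LOG = """\
Jan 16 00:10:47 prd1fwl100 kernel: [2660776.069502] DROP FORWARD_INV: IN=ens20 OUT=ens18 MAC=96:c5:9a:8e:13:0d:52:b4:ff:05:19:d7:08:00 SRC=172.21.20.2 DST=138.68.32.225 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=14134 DF PROTO=TCP SPT=39966 DPT=443 WINDOW=601 RES=0x00 ACK RST URGP=0
Jan 16 00:12:03 prd1fwl100 kernel: [2660852.118804] DROP FORWARD_INV: IN=ens20 OUT=ens18 MAC=96:c5:9a:8e:13:0d:52:b4:ff:05:19:d7:08:00 SRC=172.21.20.2 DST=138.68.32.225 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40112 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Jan 16 00:15:21 prd1fwl100 kernel: [2661050.331209] DROP FORWARD_INV: IN=ens18 OUT=ens20 MAC=52:b4:ff:05:19:d7:96:c5:9a:8e:13:0d:08:00 SRC=138.68.32.225 DST=172.21.20.2 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=443 DPT=39966 WINDOW=0 RES=0x00 ACK FIN URGP=0
"""

def parse_log_line(line):
    """Parse one iptables LOG line into a dict, or return None if it is not one.
    Matching tokens by name avoids the awk '{print $25,$26}' trap: a segment with
    fewer flag tokens shifts every later field left, so bare RSTs show as 'RST URGP=0'."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "ip_flags": set(), "tcp_flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:                # IN=, SRC=, DPT=, WINDOW=, ...
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAG_ORDER:   # ACK, RST, FIN, ...
            rec["tcp_flags"].add(tok)
        else:                         # IP-level flags: DF, MF, CE
            rec["ip_flags"].add(tok)
    return rec

def flag_string(flags):
    """Render a flag set in the kernel's own order, e.g. 'ACK RST'."""
    return " ".join(f for f in TCP_FLAG_ORDER if f in flags)

def summarize(log_text):
    """Tally logged TCP segments by (SRC, DST, flag set)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP":
            counts[(rec["SRC"], rec["DST"], flag_string(rec["tcp_flags"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, flags), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:6d}  {src} -> {dst}  {flags}")
```

On the real file, `summarize(open("/var/log/kern.log").read())` gives the same breakdown as the grep/awk pipeline, keyed by name rather than column. Conntrack marks a TCP segment INVALID when it does not fit the state or sequence window of the connection it is tracking, for instance an RST that arrives after the entry was already removed or that falls outside the tracked window, so splitting the tally by direction and flags is the first step in telling those cases apart.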
0 Answers