Odd firewall behavior

[justusranvier]

I have a firewall rule that automatically blacklists any ipaddress that tries to initiate incoming connections on ports which I am not actively listening for connections. It looks similar to this:

Code:

iptables -A INPUT -i eth1 -p tcp -m state --state NEW -m multiport ! --dports 22 -j SET --add-set blacklist src

The thing is, bitcointalk.org periodically ends up in my blacklist ipset. I can browse normally most of the time but every once in a while I notice that the forum won't load and I have to manually remove its address from the blacklist ipset. Is there any reason this should happen?

[1713920594]

1713920594

[1713920594]

1713920594

[theymos]

Is it port 22?

[justusranvier]

Is it port 22?

Unfortunately I don't have a log of the connection attempt that is tripping that rule. I've added a new logging rule but since it hasn't happened again yet I don't know specifically what triggered it. There isn't any good reason for your IP address to ever send me a packet with state NEW, is there?

[theymos]

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.

The server should never connect out to port 22.

[justusranvier]

If it's port 433, I would guess that your side ends the connection due to a timeout or something but we end up sending more data. This seems pretty likely to me.

If it's port 53, it might be caused by the reverse DNS lookups that we do. I think this could only happen with rare DNS configurations, though.

Maybe there are some cases where the forum would try to send email to your IP on port 25.

If it happens again I'll keep an eye out for those in the logs.

The server should never connect out to port 22.

Actually the way the rule works is that a connection attempt to port 22 will not result in a blacklisting. The actual rule includes a few other ports for servers that I run. The idea is that random hosts on the internet should not be trying to initiate connections to random ports so any that do can be assumed to be up to no good. I expect connections to port 22 though because sometimes I use SSH from outside this network.