To cut a long story short, that ACK was sent when the socket didn't belong to anybody. Instead of allowing packets that pertain to a socket that belongs to user x
, allow packets that pertain to a connection that was initiated by a socket from user x
.
The longer story.
To understand the issue, it helps to understand how wget
and HTTP requests work in general.
In
wget http://cachefly.cachefly.net/10mb.test
wget
establishes a TCP connection to cachefly.cachefly.net
, and once established sends a request in the HTTP protocol that says: "Please send me the content of /10mb.test
(GET /10mb.test HTTP/1.1
) and by the way, could you please not close the connection after you're done (Connection: Keep-alive
). The reason it does that is because in case the server replies with a redirection for a URL on the same IP address, it can reuse the connection.
Now the server can reply with either, "here comes the data you requested, beware it's 10MB large (Content-Length: 10485760
), and yes OK, I'll leave the connection open". Or if it doesn't know the size of the data, "Here's the data, sorry I can't leave the connection open but I'll tell when you can stop downloading the data by closing my end of the connection".
In the URL above, we're in the first case.
So, as soon as wget
has obtained the headers for the response, it knows its job is done once it has downloaded 10MB of data.
Basically, what wget
does is read the data until 10MB have been received and exit. But at that point, there's more to be done. What about the server? It's been told to leave the connection open.
Before exiting, wget
closes (close
system call) the file descriptor for the socket. Upon, the close
, the system finishes acknowledging the data sent by the server and sends a FIN
to say: "I won't be sending any more data". At that point close
returns and wget
exits. There is no socket associated to the TCP connection anymore (at least not one owned by any user). However it's not finished yet. Upon receiving that FIN
, the HTTP server sees end-of-file when reading the next request from the client. In HTTP, that means "no more request, I'll close my end". So it sends its FIN as well, to say, "I won't be sending anything either, that connection is going away".
Upon receiving that FIN, the client sends a "ACK". But, at that point, wget
is long gone, so that ACK is not from any user. Which is why it is blocked by your firewall. Because the server doesn't receive the ACK, it's going to send the FIN over and over until it gives up and you'll see more dropped ACKs. That also means that by dropping those ACKs, you're needlessly using resources of the server (which needs to maintain a socket in the LAST-ACK state) for quite some time.
The behavior would have been different if the client had not requested "Keep-alive" or the server had not replied with "Keep-alive".
As already mentioned, if you're using the connection tracker, what you want to do is let every packet in the ESTABLISHED and RELATED states through and only worry about NEW
packets.
If you allow NEW
packets from user x
but not packets from user y
, then other packets for established connections by user x
will go through, and because there can't be established connections by user y
(since we're blocking the NEW
packets that would establish the connection), there will not be any packet for user y
connections going through.
Iptables chains are just lists of rules, processed in order. They can be one of the fixed built-in ones (INPUT
, OUTPUT
, FORWARD
in the default filter
table, some others in e.g. the nat
table), or user-defined ones, which can then be called from others.
As the -A
(append), -I
(insert) and -D
(delete) commands imply, the rules in the chains are freely editable, they're not fixed.
In the following command is INPUT
the name of a chain?
Yes.
Is it a name that I can give arbitrarily?
That one isn't, it's the built-in chain that contains rules for packets entering the system (destined for processes running on the host). The other two in the default filter
table are OUTPUT
(packets coming from the system, obviously), and FORWARD
(routed packets).
The man page iptables(8)
has the descriptions of the tables and their built-in chains (under TABLES
).
Of course you could place any rules for input packets in an arbitrary user-defined chain, then you'd just need to add a rule to INPUT
referring to that chain. (e.g. iptables -A INPUT -j mychain
would jump to mychain
and process any rules there.)
Does this chain have exactly two rules?
We don't know that. Those two commands append two rules to the chain. But there might be others that were already there before those commands were run.
If you had iptables -F INPUT
as the first command before those two, then the result would be that only those two rules remained.
See also: How iptables tables and chains are traversed which contain links to all you never needed to know about this, e.g.
https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/. (You may want to ignore the raw
and mangle
tables to start with, they're that often needed.)
Best Answer
It means you are allowed to receive multicast dns packets (dpt = destination port, 5353 = multicast dns), udp is the protocol, 224.0.0.251 is a destination multicast address, 0.0.0.0/0 means from anywhere.
ctstate new
means if the connection is new (packets related to "not new", ie, established, connections would be accepted via a more general rule).In case you are not aware, on a low level, all computers on a network receive all packets send by any other computer; then they each sort them out themselves.