error tcp: invalid tcp establishement handshake #26

Open
blotgg opened this issue Jun 26, 2015 · 7 comments


blotgg commented Jun 26, 2015

If I use module = "packet/nfqueue"
and use local http = require('protocol/http')

I get an error when connecting to HTTP servers:
error tcp: invalid tcp establishement handshake
And I can't open the web page.

If I delete the line local http = require('protocol/http') I don't get this error and I can open the web page.


Configuration daemon.conf:

[general]
configuration = "tcpfilter.lua"
pass-through = no

[packet]
module = "packet/nfqueue"

interfaces = "eth2"

[log]
module = "log/syslog"


Configuration tcpfilter.lua:

require('protocol/ipv4')
local tcp = require('protocol/tcp')
local http = require('protocol/http')

-- Allow only packets to/from port 80
haka.rule{
        hook = tcp.events.receive_packet,
        eval = function (pkt)
                -- TCP packets expose 'srcport' and 'dstport' fields
                if pkt.dstport == 80 or pkt.srcport == 80 then
                        haka.log("Authorizing traffic on port 80")
                else
                        haka.log("Traffic not authorized on port %d", pkt.dstport)
                        pkt:drop()
                end
        end
}

mtalbi commented Jun 26, 2015

Hi blotgg,

I ran your script with your configuration file and it worked fine. Could you provide us with a pcap that triggers this error? You can add the following to your daemon.conf to save input and output traffic into pcap files:

dump = yes
dump_input = "/tmp/input.pcap"
dump_output = "/tmp/output.pcap"


blotgg commented Jun 26, 2015

Hi mtalbi,
I captured the traffic and recorded haka's logs. https://goo.gl/fEgTUJ
Perhaps the reason for the error is that I'm using NAT?

Alerts from log file:

alert: id = 46
        time = Fri Jun 26 16:59:23 2015
        severity = low
        description = no connection found for tcp packet
        sources = {
                address: 192.168.0.2
                service: tcp/50195
        }
        targets = {
                address: 178.154.131.215
                service: tcp/80
        }


mtalbi commented Jul 1, 2015

Hi,

Sorry for the delay.

Can you run the script again with a single thread (thread=1 in daemon.conf) and check whether the problem is still there?


blotgg commented Jul 2, 2015

Hello,

Unfortunately the problem is not resolved :( I saved the traffic again with thread=1
https://drive.google.com/file/d/0B6-p-Th9K4U9dzBDUlZXeXVSRGc/view?usp=sharing

Maybe the problem is in the network configuration?


mtalbi commented Jul 2, 2015

Ok. It seems that Haka is capturing only outgoing packets. Incoming packets arrive through another interface.

Try to capture packets on all interfaces (i.e. interfaces = "any" in daemon.conf). This will fix the problem.


blotgg commented Jul 2, 2015

...
info  nfqueue: installing iptables rules for device(s) any
error nfqueue: 'any' is not a valid network interface
...

Does Haka support "any" as an interface?


mtalbi commented Jul 2, 2015

Ah... the "any" keyword works only with the pcap packet capture module. Instead, list your interfaces as follows. This will instruct Haka to capture packets on interfaces eth0, eth1 and eth2:

interfaces = "eth0, eth1, eth2"
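To illustrate the diagnosis in this thread (capturing on one interface hides the reply direction, so stateful TCP tracking first reports a broken handshake and then "no connection found"), here is an added Python simulation; it is not Haka code and not from this issue. The tracker states, the eth0/eth2 split and the packet trace are constructed; only the endpoints come from the alert above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    iface: str   # interface the packet was seen on (constructed field)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as a short string: "S", "SA", "A", "PA"

def track(packets, interfaces):
    """Replay `packets`, seeing only those on `interfaces` ("any" = all).
    Returns (flows, alerts) from a deliberately minimal TCP tracker."""
    flows, alerts = {}, []
    for p in packets:
        if interfaces != "any" and p.iface not in interfaces:
            continue  # not hooked on this interface: invisible to the filter
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-agnostic
        state = flows.get(key)
        if state is None:
            if p.flags == "S":
                flows[key] = "SYN_SENT"
            else:
                alerts.append(f"no connection found for tcp packet {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        elif state == "SYN_SENT" and p.flags == "SA":
            flows[key] = "SYN_RECV"
        elif state == "SYN_RECV" and p.flags == "A":
            flows[key] = "ESTABLISHED"
        elif state == "ESTABLISHED":
            pass  # data on a tracked connection
        else:
            # out-of-order handshake: a stateful filter discards the half-built flow
            alerts.append(f"invalid tcp establishment handshake (state={state}, flags={p.flags})")
            del flows[key]
    return flows, alerts

# Constructed trace using the endpoints from the alert above: the request
# leaves on eth2 but the reply comes back through eth0 (asymmetric path).
TRACE = [
    Pkt("eth2", "192.168.0.2", 50195, "178.154.131.215", 80, "S"),
    Pkt("eth0", "178.154.131.215", 80, "192.168.0.2", 50195, "SA"),
    Pkt("eth2", "192.168.0.2", 50195, "178.154.131.215", 80, "A"),
    Pkt("eth2", "192.168.0.2", 50195, "178.154.131.215", 80, "PA"),
]

if __name__ == "__main__":
    print(track(TRACE, {"eth2"}))  # handshake error, then "no connection found"
    print(track(TRACE, "any"))     # one ESTABLISHED flow, no alerts
```

With only eth2 hooked the SYN-ACK is never seen, so the client's ACK breaks the handshake and the following data packet belongs to no flow, which is exactly the pair of messages in the logs above; hooking every interface the flow traverses makes the same trace track cleanly.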
