I recently enabled outbound logging on my linode vps just to see what would happen and I am seeing lots of logs via logcheck similar to the following:

System Events
=-=-=-=-=-=-=
Mar 31 19:50:51 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=***.**.***.*** DST=90.212.12.241 LEN=8800 TOS=0x00 PREC=0x00 TTL=64 ID=13994 DF PROTO=TCP SPT=80 DPT=59187 WINDOW=986 RES=0x00 ACK URGP=0

The blocked outgoing packets are mainly from port 80 but some originate from port 25.

My iptables rules are briefly as follows:

# Open the folliwng incoming ports
#
iptables -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
#
# Open the folliwng outbound ports
#
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#
# Logging options - can produce a lot of info!
#
iptables -A OUTPUT -j LOG --log-prefix "Drop illegal outgoing pkt: "

The Debian squeeze server has always been kept updated and has ossec on it monitoring any file changes. The server seems to run as intended and I can see some of the ip address my server is trying to send packets to connecting to my apache web server. Therefore, if this looks like normal behavior, are my iptables too strict or does this look like abnormal behavior?

Most likely, those are outgoing packets for incoming HTTP connections (i.e. someone is requesting a web page on your server). Since none of your rules explicitly allow outgoing packets for established connections with source port 80, it is hitting the logging rule.

Good news: not a difficult fix. Starting the rules with "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" and "-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" should do the right thing.

Bad news: if your web server is up, your firewall rules aren't doing anything. -P INPUT DROP and (if you dare) -P OUTPUT DROP will make them start working. Might want to allow port 22 inbound before you do that.

_________________

/* TODO: need to add signature to posts */

I only posted a brief selection of my iptables.

The full script just copied from the server is as follows:

##!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
 iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
#
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp -m state --state NEW --source xx.xx.xxx.xx/29  --dport 50*** -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
#
# Set access for localhost
#
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Block ip addresses
#
 iptables -A INPUT -s 188.165.238.177 -p tcp --dport 80 -j DROP
 iptables -A INPUT -s 83.222.230.108 -p tcp --dport 80 -j DROP
#
# Open the folliwng incoming ports
#
 iptables -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
 iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
 iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
#
# Open the folliwng outbound ports
#
 iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
 iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
#
# Ping Accept ## comment out ping if not required
#
# iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# Logging options - can produce a lot of info!
#
# iptables -A INPUT -j LOG --log-prefix "Drop illegal incoming pkt: "
 iptables -A OUTPUT -j LOG --log-prefix "Drop illegal outgoing pkt: "
#
# Save settings
#
 iptables-save -c > /etc/iptables.rules
#
# List rules
#
 iptables -L -v

My default policy is drop everything and I use ssh on a nonstandard port restricted to my own lan ip addresses. I am no iptables expert so feel free to slap me down for anything that is not right and I will adjust as necessary.

OK, that pretty much covers that. Could you paste the output of "iptables -L -n -v"? I wonder if things are going together in a weird order...

_________________

/* TODO: need to add signature to posts */

Ok here is the output:

root@vps:~# iptables -L -n -v
Chain INPUT (policy DROP 1694 packets, 84578 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   404 ACCEPT     tcp  --  *      *       xx.xx.xxx.xx/29      0.0.0.0/0           state NEW tcp dpt:50xxx
62638 5152K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 822K  136M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       tcp  --  *      *       188.165.238.177      0.0.0.0/0           tcp dpt:80
    0     0 DROP       tcp  --  *      *       83.222.230.108       0.0.0.0/0           tcp dpt:80
   54  2688 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
70622 4123K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
 1269 73316 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 20 packets, 51308 bytes)
 pkts bytes target     prot opt in     out     source               destination
62638 5152K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 598K  861M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  256 15360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53 state NEW
  708 48668 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 state NEW
   20  1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
 2722  207K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
 2824 4426K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Drop illegal outgoing pkt: '

I have blanked out my ssh port and lan ip address range but they are shown correctly.

It seems to match my script rules to me.

Do you think I need to be concerned about the blocked outgoing packets? Let me know what you think?

Here is another example of a logcheck e-mail I am receiving. The ip addresses my server is trying the contact on a high port seem to be consumer broadband ip addresses.

This email is sent by logcheck. If you no longer wish to receive
such mail, you can either deinstall the logcheck package or modify
its configuration file (/etc/logcheck/logcheck.conf).

System Events
=-=-=-=-=-=-=
Apr  2 11:03:48 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=2.222.60.12 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=49357 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Apr  2 11:45:37 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=8452 TOS=0x00 PREC=0x00 TTL=64 ID=30923 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK URGP=0
Apr  2 11:45:37 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=8452 TOS=0x00 PREC=0x00 TTL=64 ID=30929 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK URGP=0
Apr  2 11:45:37 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=8452 TOS=0x00 PREC=0x00 TTL=64 ID=42840 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK URGP=0
Apr  2 11:45:37 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=8452 TOS=0x00 PREC=0x00 TTL=64 ID=42846 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK URGP=0
Apr  2 11:45:40 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30935 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:45:40 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42852 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:45:46 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30936 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:45:46 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42853 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:45:58 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30937 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:45:58 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42854 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:46:22 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30938 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:46:22 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42855 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:47:10 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30939 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:47:10 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42856 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:48:46 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=42857 DF PROTO=TCP SPT=80 DPT=40020 WINDOW=16080 RES=0x00 ACK PSH URGP=0
Apr  2 11:48:46 vps kernel: Drop illegal outgoing pkt: IN= OUT=eth0 SRC=xxx.xx.xxx.xxx DST=80.176.146.14 LEN=1442 TOS=0x00 PREC=0x00 TTL=64 ID=30940 DF PROTO=TCP SPT=80 DPT=40019 WINDOW=16080 RES=0x00 ACK PSH URGP=0

Both these ip addresses show up in my apache log as windows computers using a firefox brower --> 2.222.60.12 - - [02/Apr/2012:11:02:16 +0100] "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" & 80.176.146.14 - - [02/Apr/2012:11:43:51 +0100] "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"

Does it look like my server is misbehaving?