Re: Help with ipchains on Potato -- problem with -s?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That was easy -- both Oscar and David seem to have found the cause and the
solution of the problem I was having. Checking my firewall with ipchains
- -L hung up sometimes when it was doing a reverse-lookup of the IP addresses
in the rules, so ipchains -L -n (to prevent the DNS lookup) worked fine.
Many thanks to you both!
Marc
On Thu, 11 Oct 2001, Oscar Pearce wrote:
>Looks like a problem with reverse-DNS. Does ipchains -L *chain* -n hang?
>
>Oscar
On Fri, 12 Oct 2001, David Anso wrote:
>Run "ipchains -L -n" to stop the DNS trying to lookup the 192 address. It
>appears it's all working, but trying to find the DNS name of 192.168.0.0
>
>David
My original message:
>> Hi,
>
>> I've been trying to configure a firewall using ipchains on a machine
>> running pretty much a stock installation of Potato -- I've done the
>apt-get
>> upgrade but not dist-upgrade. My kernel is the default 2.2.19pre17, and
>> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
>> support for using ipchains.
>
>> My problem is this: whenever I use ipchains to try to filter by source
>> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
>
>> Details (I'll use *chain* to stand for any one of the chains):
>
>> All the following ipchains commands work properly (i.e. checking with
>> ipchains -L returns an intelligible response, and the packet filter seems
>> to behave as it should given the ipchains commands):
>
>> ipchains -F *chain*
>> ipchains -P *chain* DENY
>> ipchains -A input -i lo -j ACCEPt
>> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
>> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
>> ipchains -A input -j DENY -l
>
>> BUT when I try to filter by source address, e.g.
>
>> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
>
>> and check with ipchains -L to see my rule set, ipchains -L just seems to
>> hang, and prints out just this:
>
>> Chain input (policy ACCEPT):
>> target prot opt source destination ports
>
>
>> I have to hit ctrl-c to get the prompt back.
>
>> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
>> make a change there (i.e. it looks like the rule gets registered there,
>> when I check that file with more), but ipchains -L just hangs there.
>
>> One more complication: this doesn't happen every time. Oddly, sometimes
>> my whole firewall script runs and everything works -- I get a proper
>> response from ipchains -L. But sometimes it doesn't. I've tried to
>> establish a pattern, but other than noting that it seems to be using
>> ipchains with the -s option that triggers it, I can't seem to detect
>> anything that might indicate why it works sometimes but not others.
>> Absolutely maddening.
>
>> Any ideas? Anything I'm missing, or anywhere else I can check?
>
>> Thanks,
>> Marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7xfrDwCp3zWOyN7gRApclAKDTMcSTr75TJfgzza3AeKWhNEheOwCdGbCG
Ml8bpusoN/DYpkvC5BSUf8I=
=v9zf
-----END PGP SIGNATURE-----
Reply to: