
RE: iptables BUG help me!!



Included at bottom is the output you wanted.  I don't think you're correct
about the REJECT.  Firstly it only stops data TO my localnet from going
out the wrong interface.  Secondly its packet counters are 0.  Thirdly
any reject would have been caught by tcpdump; there is a DROP somewhere.

This is just a shot in the dark, but I now suspect that a recent (a few
weeks old) update of iptables has a bug with 64bit systems like this
sparc.

--- John Reilly <JReilly@eSpatial.com> wrote:
> 
> Hi Mike,
> 
> It's not 100% clear from your mail, but I suspect that it's the first reject
> statement that is blocking the packet.  I think you need to move the rule
> that matches states ESTABLISHED or RELATED up before this first reject.
> 
> Personally I find it much easier to read the output from iptables-save.
> 
> Try "/etc/init.d/iptables save testing"
> 
> That will save the current rules to /var/lib/iptables/testing in a somewhat
> more readable format.
> 
> Regards,
> John
> 
> -----Original Message-----
> From: Mike Mestnik
> To: lists.debian.org debian-firewal
> Sent: 4/16/04 9:44 PM
> Subject: iptables BUG help me!!
> 
> Does this look way odd to anyone?
> 
> Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    37  1900 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:8436 LOG flags 0 level 4
>     0     0 REJECT     all  --  *      eth2+   0.0.0.0/0            10.0.0.0/24         reject-with icmp-net-unreachable
>     0     0 DROP       all  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           state INVALID
>     0     0 REJECT     all  --  eth2+  eth2+   0.0.0.0/0            0.0.0.0/0           reject-with icmp-net-unreachable
>  2889  173K ACCEPT     all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0           state NEW
>  4637  553K ACCEPT     all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 LOG        all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4
>  4314 1559K ACCEPT     all  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:8436 LOG flags 0 level 4
> 
> Why does the first log match and the last one not!!  These rules were made
> by a "iptables -{I,A} FORWARD -p tcp --sport 8436 -j LOG".  I am trying to
> get my "iptables -t nat -A PREROUTING -i $IFACE+ -p tcp --dport 8436\
>                 -j DNAT --to-destination 10.0.0.20:8436" rule working.
> Here is some dmesg output.
> 
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=202.180.123.192 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8436 DPT=4164 WINDOW=5840 RES=0x00 ACK SYN URGP=0 
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31805 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0 
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31806 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0 
> 
> Is this a connection tracing problem?
> train:/etc/network# iptables -v -n -t nat -L
> Chain PREROUTING (policy ACCEPT 2611 packets, 193K bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:10.0.0.130:8080 
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6344 to:10.0.0.25:6344 
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6699 to:10.0.0.25:6699 
>     0     0 DNAT       udp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           udp dpt:6257 to:10.0.0.25:6257 
>   368 19039 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8436 to:10.0.0.20:8436 
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6346 to:10.0.0.20:8436 
> 
> Chain POSTROUTING (policy ACCEPT 393 packets, 21072 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>  2406  145K SNAT       all  --  *      eth2+   0.0.0.0/0            0.0.0.0/0           to:24.245.9.227 
> 
> Chain OUTPUT (policy ACCEPT 85 packets, 6566 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
> 
> Hope someone knows the problem.
> 

# Generated by iptables-save v1.2.9 on Sat Apr 17 14:59:13 2004
*filter
:INPUT ACCEPT [1111:129874]
:FORWARD ACCEPT [4978:242745]
:OUTPUT ACCEPT [1111:129874]
[1155:110453] -A INPUT -i eth0+ -m state --state NEW -j ACCEPT
[13141:2701611] -A INPUT -i eth0+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i eth0+ -m state --state INVALID -j LOG
[0:0] -A INPUT -i eth2+ -m state --state INVALID -j DROP
[1618:498641] -A INPUT -i eth2+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[173:8720] -A INPUT -i eth2+ -p tcp -m multiport --dports 80,22,25,515,113,8181 -j ACCEPT
[0:0] -A INPUT -i eth2+ -p icmp -m icmp --icmp-type 9 -j ACCEPT
[0:0] -A INPUT -i eth2+ -p icmp -m icmp --icmp-type 10 -j ACCEPT
[0:0] -A INPUT -i eth2+ -p icmp -m icmp --icmp-type 13 -j ACCEPT
[0:0] -A INPUT -i eth2+ -p icmp -m icmp --icmp-type 17 -j ACCEPT
[2443:1133795] -A INPUT -i eth2+ -m state --state NEW -j DROP
[0:0] -A INPUT -i eth2+ -j DROP
[0:0] -A FORWARD -d 10.0.0.0/255.255.255.0 -o eth2+ -j REJECT --reject-with icmp-net-unreachable
[0:0] -A FORWARD -i eth2+ -m state --state INVALID -j DROP
[0:0] -A FORWARD -i eth2+ -o eth2+ -j REJECT --reject-with icmp-net-unreachable
[5123:269439] -A FORWARD -i eth0+ -m state --state NEW -j ACCEPT
[368470:24215217] -A FORWARD -i eth0+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0+ -m state --state INVALID -j LOG
[539265:756129396] -A FORWARD -i eth2+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth0+ -m state --state INVALID -j LOG
[217:13033] -A OUTPUT -o eth0+ -m state --state NEW -j ACCEPT
[12245:6639016] -A OUTPUT -o eth0+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth0+ -m state --state INVALID -j LOG
[0:0] -A OUTPUT -o eth2+ -m state --state INVALID -j LOG
[403:26956] -A OUTPUT -o eth2+ -m state --state NEW -j ACCEPT
[1332:124154] -A OUTPUT -o eth2+ -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o eth2+ -m state --state INVALID -j LOG
COMMIT
# Completed on Sat Apr 17 14:59:13 2004
# Generated by iptables-save v1.2.9 on Sat Apr 17 14:59:13 2004
*nat
:PREROUTING ACCEPT [8855:1520561]
:POSTROUTING ACCEPT [5455:284034]
:OUTPUT ACCEPT [877:68009]
[2:120] -A PREROUTING -i eth2+ -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.130:8080
[4974:242545] -A PREROUTING -i eth2+ -p tcp -m tcp --dport 8436 -j DNAT --to-destination 10.0.0.20:8436
[0:0] -A PREROUTING -i eth2+ -p tcp -m tcp --dport 6344 -j DNAT --to-destination 10.0.0.25:6344
[0:0] -A PREROUTING -i eth2+ -p tcp -m tcp --dport 6699 -j DNAT --to-destination 10.0.0.25:6699
[0:0] -A PREROUTING -i eth2+ -p tcp -m tcp --dport 6257 -j DNAT --to-destination 10.0.0.25:6257
[5486:293895] -A POSTROUTING -o eth2+ -j SNAT --to-source 24.245.9.227
COMMIT
# Completed on Sat Apr 17 14:59:13 2004
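To see why the first LOG rule in the quoted FORWARD listing counts packets while the last one stays at zero, here is a small Python walk of that chain; this is an added example, not code from the thread. It models only the match types the chain actually uses, and the two packets are constructed, with the conntrack state of the logged SYN/ACK reply assumed to be ESTABLISHED.

```python
import ipaddress

# FORWARD chain transcribed from the iptables -L listing in the original post
# (order preserved; only the match types that chain uses are modelled).
FORWARD = [
    dict(target="LOG", proto="tcp", sport=8436),
    dict(target="REJECT", out="eth2+", dst="10.0.0.0/24"),
    dict(target="DROP", inp="eth2+", state={"INVALID"}),
    dict(target="REJECT", inp="eth2+", out="eth2+"),
    dict(target="ACCEPT", inp="eth0+", state={"NEW"}),
    dict(target="ACCEPT", inp="eth0+", state={"RELATED", "ESTABLISHED"}),
    dict(target="LOG", inp="eth0+", state={"INVALID"}),
    dict(target="ACCEPT", inp="eth2+", state={"RELATED", "ESTABLISHED"}),
    dict(target="LOG", proto="tcp", sport=8436),
]
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG only logs; traversal continues

# Constructed packets. REPLY mirrors the first dmesg line (SYN/ACK from the
# DNAT target); its conntrack state is assumed to be ESTABLISHED.
REPLY = dict(inp="eth0", out="eth2", proto="tcp", sport=8436,
             dst="202.180.123.192", state="ESTABLISHED")
# INBOUND is the DNATed SYN arriving from the outside, conntrack state NEW.
INBOUND = dict(inp="eth2", out="eth0", proto="tcp", sport=4164,
               dst="10.0.0.20", state="NEW")

def iface_match(pattern, iface):
    """iptables -i/-o: a trailing '+' makes the name a prefix wildcard."""
    if pattern is None:
        return True
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def rule_matches(rule, pkt):
    # Every match present in the rule must hold; an absent match is a wildcard.
    return (iface_match(rule.get("inp"), pkt["inp"])
            and iface_match(rule.get("out"), pkt["out"])
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("sport", pkt["sport"]) == pkt["sport"]
            and pkt["state"] in rule.get("state", {pkt["state"]})
            and ipaddress.ip_address(pkt["dst"])
            in ipaddress.ip_network(rule.get("dst", pkt["dst"] + "/32")))

def traverse(chain, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based numbers of rules hit).  A terminating target
    ends the walk, so later rules never see the packet; no match -> policy."""
    hits = []
    for i, rule in enumerate(chain, 1):
        if rule_matches(rule, pkt):
            hits.append(i)
            if rule["target"] in TERMINATING:
                return rule["target"], hits
    return policy, hits
```

The reply is accepted at rule 6, so rule 9 is never evaluated; the inbound DNATed SYN matches none of the nine rules and is left to the chain policy.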


