Re: FW: iptables BUG help me!!
Hi Mike,
> Included at bottom is the output you wanted. I don't think you're correct
> about the REJECT.
You're right - I was absolutely wrong about suggesting you look at that REJECT.
> > Does this look way odd to anyone?
> >
> > Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
> > pkts bytes target prot opt in out source
> > destination
> > 37 1900 LOG tcp -- * * 0.0.0.0/0
> > 0.0.0.0/0 tcp spt:8436 LOG flags 0 level 4
> > 0 0 REJECT all -- * eth2+ 0.0.0.0/0
> > 10.0.0.0/24 reject-with icmp-net-unreachable
> > 0 0 DROP all -- eth2+ * 0.0.0.0/0
> > 0.0.0.0/0 state INVALID
> > 0 0 REJECT all -- eth2+ eth2+ 0.0.0.0/0
> > 0.0.0.0/0 reject-with icmp-net-unreachable
> > 2889 173K ACCEPT all -- eth0+ * 0.0.0.0/0
> > 0.0.0.0/0 state NEW
> > 4637 553K ACCEPT all -- eth0+ * 0.0.0.0/0
> > 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 LOG all -- eth0+ * 0.0.0.0/0
> > 0.0.0.0/0 state INVALID LOG flags 0 level 4
> > 4314 1559K ACCEPT all -- eth2+ * 0.0.0.0/0
> > 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 LOG tcp -- * * 0.0.0.0/0
> > 0.0.0.0/0 tcp spt:8436 LOG flags 0 level 4
> >
> > Why does the first LOG match and the last one not!! These rules were
> > made by an "iptables -{I,A} FORWARD -p tcp --sport 8436 -j LOG".
This LOG at the end of the FORWARD chain will never be matched. Note
the following rules taken from the middle of the ones shown above.
> > 0.0.0.0/0 state NEW
> > 4637 553K ACCEPT all -- eth0+ * 0.0.0.0/0
> > 0.0.0.0/0 state RELATED,ESTABLISHED
> > 0 0 LOG all -- eth0+ * 0.0.0.0/0
The LOG at the end will never match because one of these two rules will
have matched (usually the second one) - this is true at least for the
packets logged in your dmesg output below.
Once the packet has been accepted, no other rules will be processed,
including your last LOG rule.
> > get my "iptables -t nat -A PREROUTING -i $IFACE+ -p tcp --dport 8436\
> > -j DNAT --to-destination 10.0.0.20:8436" rule working.
>
> > Here is some dmesg output.
> >
> > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=202.180.123.192 LEN=48 TOS=0x00
> > PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8436 DPT=4164 WINDOW=5840
> > RES=0x00
> > ACK SYN URGP=0
> > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00
> > PREC=0x00 TTL=63 ID=31805 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0
> > RES=0x00
> > ACK RST URGP=0
> > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00
> > PREC=0x00 TTL=63 ID=31806 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0
> > RES=0x00
> > ACK RST URGP=0
I'd use
iptables -A FORWARD -d 10.0.0.20 -i eth2+ -o eth0+ -p tcp --dport 8436 -m state --state NEW -j ACCEPT
Add it to the end of your existing FORWARD chain. The return packets will be handled
by your existing rule
iptables -A FORWARD -i eth0+ -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > Is this a connection tracing problem?
Don't think so.
> [0:0] -A FORWARD -d 10.0.0.0/255.255.255.0 -o eth2+ -j REJECT --reject-with icmp-net-unreachable
> [0:0] -A FORWARD -i eth2+ -m state --state INVALID -j DROP
> [0:0] -A FORWARD -i eth2+ -o eth2+ -j REJECT --reject-with icmp-net-unreachable
> [5123:269439] -A FORWARD -i eth0+ -m state --state NEW -j ACCEPT
> [368470:24215217] -A FORWARD -i eth0+ -m state --state RELATED,ESTABLISHED -j ACCEPT
> [0:0] -A FORWARD -i eth0+ -m state --state INVALID -j LOG
> [539265:756129396] -A FORWARD -i eth2+ -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
Much easier to read :)
Hope the above helps.
Cheers,
John
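To make John's point concrete, here is an added Python model of how netfilter walks Mike's FORWARD chain (example code, not from the thread and not iptables itself): LOG fires and traversal continues, the ESTABLISHED ACCEPT ends it, so the final LOG is never reached, while John's rule (with `-p tcp`) does catch the inbound SYN. The inbound packet, its client address 203.0.113.5 and the conntrack states are constructed for the example rather than computed.

```python
import ipaddress
# Added model of netfilter chain traversal (not from the thread): LOG is
# non-terminating, ACCEPT/DROP/REJECT end the walk, no match falls to policy.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def cond(key, want, have):  # one rule condition against one packet field
    if key in ("in", "out"):      # "eth0+" is an interface-name prefix
        return have.startswith(want.rstrip("+"))
    if key in ("src", "dst"):     # CIDR match, e.g. 10.0.0.0/24
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if key == "state":            # conntrack state set
        return have in want
    return have == want

def matches(rule, pkt):
    return all(cond(k, v, pkt[k]) for k, v in rule.items() if k != "target")

def walk(chain, pkt, policy="ACCEPT"):  # -> (verdict, indices that fired)
    fired = []
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            fired.append(idx)
            if rule["target"] in TERMINAL:
                return rule["target"], fired   # later rules are never consulted
    return policy, fired

# Mike's FORWARD chain in the order listed in the thread (policy ACCEPT).
FORWARD = [
    {"proto": "tcp", "sport": 8436, "target": "LOG"},                         # 0
    {"out": "eth2+", "dst": "10.0.0.0/24", "target": "REJECT"},               # 1
    {"in": "eth2+", "state": {"INVALID"}, "target": "DROP"},                  # 2
    {"in": "eth2+", "out": "eth2+", "target": "REJECT"},                      # 3
    {"in": "eth0+", "state": {"NEW"}, "target": "ACCEPT"},                    # 4
    {"in": "eth0+", "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}, # 5
    {"in": "eth0+", "state": {"INVALID"}, "target": "LOG"},                   # 6
    {"in": "eth2+", "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}, # 7
    {"proto": "tcp", "sport": 8436, "target": "LOG"},                         # 8
]
# John's suggested rule (with -p tcp), appended at the end of the chain.
JOHN = {"in": "eth2+", "out": "eth0+", "dst": "10.0.0.20", "proto": "tcp",
        "dport": 8436, "state": {"NEW"}, "target": "ACCEPT"}
# First dmesg line from the thread: the SYN/ACK reply heading out to the Internet.
REPLY = {"in": "eth0", "out": "eth2", "src": "10.0.0.20", "dst": "202.180.123.192",
         "proto": "tcp", "sport": 8436, "dport": 4164, "state": "ESTABLISHED"}
# Constructed inbound SYN as FORWARD sees it after DNAT (client address made up).
INBOUND = {"in": "eth2", "out": "eth0", "src": "203.0.113.5", "dst": "10.0.0.20",
           "proto": "tcp", "sport": 40000, "dport": 8436, "state": "NEW"}

if __name__ == "__main__":
    print(walk(FORWARD, REPLY))             # ('ACCEPT', [0, 5]): rule 8 never reached
    print(walk(FORWARD + [JOHN], INBOUND))  # ('ACCEPT', [9]): explicit accept
```

Without John's rule the inbound SYN matches nothing and is only let through by the chain's ACCEPT policy, which is why `walk(FORWARD, INBOUND)` reports an empty list of fired rules.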