Re: SV: iptables BUG help me!!
When I remove the first LOG it still does not match the second. Also none
of the counters except the ACCEPT counters get incremented. FWIW I
thought the LOG target was special in that it returned.
tcpdump shows this...
1. SYN coming in.
2. A DNATed SYN going out.
3. SYN+ACK coming in.
4. Does not show the SNATed SYN+ACK going out. This is what I'm LOGging.
--- Martin E Schyth <martin@schyth.dk> wrote:
>
> I would suggest this:
>
> The forward chain only handles the first entry that matches the packet.
> So the first entry logs the packet, and therefore it never gets to the
> second rule, even though it also matches.
>
> /Martin
>
>
> -----Original message-----
> From: Mike Mestnik [mailto:cheako911@yahoo.com]
> Sent: 16 April 2004 22:45
> To: lists.debian.org debian-firewal
> Subject: iptables BUG help me!!
>
>
> Does this look way odd to anyone?
>
> Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
>  pkts bytes target  prot opt in    out   source     destination
>    37  1900 LOG     tcp  --  *     *     0.0.0.0/0  0.0.0.0/0    tcp spt:8436 LOG flags 0 level 4
>     0     0 REJECT  all  --  *     eth2+ 0.0.0.0/0  10.0.0.0/24  reject-with icmp-net-unreachable
>     0     0 DROP    all  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    state INVALID
>     0     0 REJECT  all  --  eth2+ eth2+ 0.0.0.0/0  0.0.0.0/0    reject-with icmp-net-unreachable
>  2889  173K ACCEPT  all  --  eth0+ *     0.0.0.0/0  0.0.0.0/0    state NEW
>  4637  553K ACCEPT  all  --  eth0+ *     0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
>     0     0 LOG     all  --  eth0+ *     0.0.0.0/0  0.0.0.0/0    state INVALID LOG flags 0 level 4
>  4314 1559K ACCEPT  all  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
>     0     0 LOG     tcp  --  *     *     0.0.0.0/0  0.0.0.0/0    tcp spt:8436 LOG flags 0 level 4
>
> Why does the first log match and the last one not!! These rules were
> made by "iptables -{I,A} FORWARD -p tcp --sport 8436 -j LOG". I am trying
> to get my "iptables -t nat -A PREROUTING -i $IFACE+ -p tcp --dport 8436 \
> -j DNAT --to-destination 10.0.0.20:8436" rule working.
> Here is some dmesg output.
>
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=202.180.123.192 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8436 DPT=4164 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31805 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31806 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> Is this a connection tracking problem?
> train:/etc/network# iptables -v -n -t nat -L
> Chain PREROUTING (policy ACCEPT 2611 packets, 193K bytes)
>  pkts bytes target prot opt in    out   source     destination
>     0     0 DNAT   tcp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    tcp dpt:8080 to:10.0.0.130:8080
>     0     0 DNAT   tcp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    tcp dpt:6344 to:10.0.0.25:6344
>     0     0 DNAT   tcp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    tcp dpt:6699 to:10.0.0.25:6699
>     0     0 DNAT   udp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    udp dpt:6257 to:10.0.0.25:6257
>   368 19039 DNAT   tcp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    tcp dpt:8436 to:10.0.0.20:8436
>     0     0 DNAT   tcp  --  eth2+ *     0.0.0.0/0  0.0.0.0/0    tcp dpt:6346 to:10.0.0.20:8436
>
> Chain POSTROUTING (policy ACCEPT 393 packets, 21072 bytes)
>  pkts bytes target prot opt in    out   source     destination
>  2406  145K SNAT   all  --  *     eth2+ 0.0.0.0/0  0.0.0.0/0    to:24.245.9.227
>
> Chain OUTPUT (policy ACCEPT 85 packets, 6566 bytes)
>  pkts bytes target prot opt in    out   source     destination
>
> Hope someone knows the problem.
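The chain walk the two LOG rules above are being argued over, as an added example that is not part of this thread or of anyone's posted configuration: a small Python model of netfilter traversal fed the poster's FORWARD chain. It assumes the standard netfilter semantics that ACCEPT, DROP and REJECT end traversal of a built-in chain while LOG falls through to the next rule, and it sends two constructed packets that mirror the tcpdump and dmesg output in the post. The conntrack states on those packets are assumptions, since the post does not show them.

```python
"""Model of netfilter chain traversal for the FORWARD chain in the post.

Added example, not code from the thread. The packets below are constructed
to mirror the poster's tcpdump/dmesg lines; their conntrack states are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Targets that end traversal of a built-in chain. LOG is not among them:
# it writes to the kernel log and traversal continues with the next rule.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    iface_in: str
    iface_out: str
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"            # conntrack state as seen by the state match


@dataclass
class Rule:
    target: str
    proto: str = "all"
    iface_in: str = "*"
    iface_out: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: frozenset = frozenset()   # empty means no state match on the rule
    pkts: int = 0                    # the "pkts" column of iptables -v -L

    def matches(self, p: Packet) -> bool:
        return (
            (self.proto == "all" or self.proto == p.proto)
            and iface_match(self.iface_in, p.iface_in)
            and iface_match(self.iface_out, p.iface_out)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
            and (not self.state or p.state in self.state)
        )


def iface_match(pattern: str, name: str) -> bool:
    """iptables -i/-o semantics: '*' is any, a trailing '+' is a prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def walk_chain(chain: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """Return the verdict for pkt, bumping the counter of every rule it matches."""
    for rule in chain:
        if rule.matches(pkt):
            rule.pkts += 1
            if rule.target in TERMINATING:
                return rule.target
            # LOG: counted and logged, then on to the next rule
    return policy                   # fell off the end: chain policy applies


def posted_forward_chain() -> list:
    """The nine FORWARD rules from the post, in the order iptables -L printed them."""
    est = frozenset({"RELATED", "ESTABLISHED"})
    return [
        Rule("LOG", proto="tcp", sport=8436),                        # inserted with -I
        Rule("REJECT", iface_out="eth2+", dst="10.0.0.0/24"),
        Rule("DROP", iface_in="eth2+", state=frozenset({"INVALID"})),
        Rule("REJECT", iface_in="eth2+", iface_out="eth2+"),
        Rule("ACCEPT", iface_in="eth0+", state=frozenset({"NEW"})),
        Rule("ACCEPT", iface_in="eth0+", state=est),
        Rule("LOG", iface_in="eth0+", state=frozenset({"INVALID"})),
        Rule("ACCEPT", iface_in="eth2+", state=est),
        Rule("LOG", proto="tcp", sport=8436),                        # appended with -A
    ]


def replay():
    """Run the two packets from the post through the chain; return verdicts and counters."""
    chain = posted_forward_chain()
    # 1. Inbound SYN to the DNATed service. By the time FORWARD sees it,
    #    PREROUTING has already rewritten the destination to 10.0.0.20.
    syn = Packet("eth2", "eth0", "202.180.123.192", "10.0.0.20",
                 sport=4164, dport=8436, state="NEW")
    # 2. The SYN+ACK reply, as in the poster's dmesg line (IN=eth0 OUT=eth2).
    synack = Packet("eth0", "eth2", "10.0.0.20", "202.180.123.192",
                    sport=8436, dport=4164, state="ESTABLISHED")
    verdicts = [walk_chain(chain, syn), walk_chain(chain, synack)]
    return verdicts, [r.pkts for r in chain]


if __name__ == "__main__":
    verdicts, counters = replay()
    print("verdicts:", verdicts)
    print("pkts per rule:", counters)
```

Running it gives the same shape as the counters in the post: the SYN+ACK bumps the first LOG rule, continues, and is then accepted by the "eth0+ state RELATED,ESTABLISHED" rule, so the LOG appended at the bottom is never reached. The inbound SYN matches none of the nine rules and is accepted only by the chain policy, which is what the non-zero "policy ACCEPT" counter on the FORWARD chain reflects. Moving the bottom LOG above that ACCEPT (that is, using -I rather than -A for it) makes it count too.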