Re: FW: iptables BUG help me!!
Thank you John for all your help. I don't understand why it's not
working. tcpdump showes that a CLOSED(RST) or an OPEN(SYN+ACK) reply gets
droped however [1]other TCP trafic is allowed throught. 1. This traffic
gets RSTs in reply as the remot host never gets the SYN+ACK to complete
the connection.
I added iptables -A FORWARD -o $IFACE+ -p tcp -d $2 --dport $3\
-m state --state NEW -j ACCEPT
to my rules and it's better but I don't see why. I also can't tell if
this fixes the problem I still get some connection drops. It is still a
big problem that no DROP or even REJECT rule showes any matches.
The other thing I'm tracking down is my qdisc rules however thay do not
have enuff drops. I used iptables from stable with no change.
Some comments within.
--- John Reilly <jr@inconspicuous.org> wrote:
>
> Hi Mike,
>
> > Included at bottom is the output you wanted. I don't think your
> correct
> > about the REJECT.
>
> You're right - I was absolutely wrong about suggesting you look at that
> REJECT.
>
>
> > > Dose this look way odd to any one?
> > >
> > > Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
> > > pkts bytes target prot opt in out source
> > > destination
> > > 37 1900 LOG tcp -- * * 0.0.0.0/0
> > > 0.0.0.0/0 tcp spt:8436 LOG flags 0 level 4
> > > 0 0 REJECT all -- * eth2+ 0.0.0.0/0
> > > 10.0.0.0/24 reject-with icmp-net-unreachable
> > > 0 0 DROP all -- eth2+ * 0.0.0.0/0
> > > 0.0.0.0/0 state INVALID
> > > 0 0 REJECT all -- eth2+ eth2+ 0.0.0.0/0
> > > 0.0.0.0/0 reject-with icmp-net-unreachable
> > > 2889 173K ACCEPT all -- eth0+ * 0.0.0.0/0
> > > 0.0.0.0/0 state NEW
> > > 4637 553K ACCEPT all -- eth0+ * 0.0.0.0/0
> > > 0.0.0.0/0 state RELATED,ESTABLISHED
> > > 0 0 LOG all -- eth0+ * 0.0.0.0/0
> > > 0.0.0.0/0 state INVALID LOG flags 0 level 4
> > > 4314 1559K ACCEPT all -- eth2+ * 0.0.0.0/0
> > > 0.0.0.0/0 state RELATED,ESTABLISHED
> > > 0 0 LOG tcp -- * * 0.0.0.0/0
> > > 0.0.0.0/0 tcp spt:8436 LOG flags 0 level 4
> > >
> > > Why dose the first log match and the last one not!! These rules
> were
> > > made
> > > by a "iptables -{I,A} FORWARD -p tcp --sport 8436 -j LOG".
>
>
> This LOG at the end of the FORWARD chain will never be matched. Note
> the following rules taken from the middle of the ones shown above.
>
Your right so then how come tcpdump dosen't show the packet [2]leaving the
host? and more so howcome the other hosts don't receve the packet.
2. The packet dose reach in internal interface and dose get loged as shown
b4.
> > > 0.0.0.0/0 state NEW
> > > 4637 553K ACCEPT all -- eth0+ * 0.0.0.0/0
> > > 0.0.0.0/0 state RELATED,ESTABLISHED
> > > 0 0 LOG all -- eth0+ * 0.0.0.0/0
>
> The LOG at the end will never match because one of these two rules will
> have matched (usually the second one) - this is true at least for the
> packets logged in your dmsg output below.
>
> Once the packet has been accepted, no other rules will not be processed,
> including your last LOG rule.
>
So how do I find ought what is happining?
> > > get my "iptables -t nat -A PREROUTING -i $IFACE+ -p tcp --dport
> 8436\
> > > -j DNAT --to-destination 10.0.0.20:8436" rule
> working.
> >
> > > Here is some dmsg output.
> > >
> > > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=202.180.123.192 LEN=48 TOS=0x00
> > > PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8436 DPT=4164 WINDOW=5840
> > > RES=0x00
> > > ACK SYN URGP=0
> > > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00
> > > PREC=0x00 TTL=63 ID=31805 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0
> > > RES=0x00
> > > ACK RST URGP=0
> > > IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00
> > > PREC=0x00 TTL=63 ID=31806 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0
> > > RES=0x00
> > > ACK RST URGP=0
>
> I'd use
>
> iptables -A FORWARD -d 10.0.0.20 -i eth2+ -o eth0+ -m tcp --dport 8436
> -m state --state NEW -j ACCEPT
>
> Add it to the end of your existing FORWARD chain. The return packets
> will be handled
> by your existing rule
>
> iptables -A FORWARD -i eth0+ -m state --state RELATED,ESTABLISHED -j
> ACCEPT
>
This workes and I'm now one step closer to using -P DROP.
>
>
> > >
> > > Is this a connection tracing problem?
>
> Don't think so.
>
I'm not ruling it out.
> > [0:0] -A FORWARD -d 10.0.0.0/255.255.255.0 -o eth2+ -j REJECT
> > --reject-with icmp-net-unreachable
> > [0:0] -A FORWARD -i eth2+ -m state --state INVALID -j DROP
> > [0:0] -A FORWARD -i eth2+ -o eth2+ -j REJECT --reject-with
> > icmp-net-unreachable
> > [5123:269439] -A FORWARD -i eth0+ -m state --state NEW -j ACCEPT
> > [368470:24215217] -A FORWARD -i eth0+ -m state --state
> > RELATED,ESTABLISHED
> > -j ACCEPT
> > [0:0] -A FORWARD -i eth0+ -m state --state INVALID -j LOG
> > [539265:756129396] -A FORWARD -i eth2+ -m state --state
> > RELATED,ESTABLISHED -j ACCEPT
> > COMMIT
>
> Much easier to read :)
>
Your welcome.
>
> Hope the above helps.
>
Thank you vary much!
> Cheers,
> John
>
>
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash
Reply to: