[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


also sprach Blair Strang <bls@nanocorp.net.nz> [2005.03.15.1245 +0100]:
> I am guessing the problem is elsewhere.  What does
> /proc/net/ip_conntrack say the kernel is expecting?

The UDP "connection" is not listed. Someone else told me in private
mail that DNS is special, but I do not see anything special about
the following:

16:27:15.369276 >  21533+ A? debian.org. (28) (DF)
16:27:15.424481 >  21533 1/0/0 A (44)

The corresponding ip_contrack entry:

udp      17 27 src= dst= sport=62406
  dport=53 packets=1 bytes=67 src= dst=
  sport=53 dport=62406 packets=1 bytes=115 mark=0 use=1

This looks all good and fine. Whenever I get log entries generated
by iptables, it seems that they are some sort of spurious responses
by the servers, or else iptables would let them through.

Of course right now there aren't any. However, I have seen this for
years and always wondered...

Maybe someone has a smart way to diagnose this? For now, I'll use

-A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix "[DNS in] "
-A OUTPUT -o ppp0 -p udp -m udp --dport 53 -j ULOG --ulog-prefix "[DNS out] "
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --sport 53 -j ULOG --ulog-prefix "[spurious DNS] "

Let's see what that brings...

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

Reply to: