iptables help?
Hello,
I thought that these iptables rules:
snoopy:~# iptables -v -L ppp0-out
Chain ppp0-out (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any 192.168.0.0/16 anywhere LOG level warning
0 0 REJECT all -- any any 192.168.0.0/16 anywhere reject-with icmp-port-unreachable
9 868 ACCEPT all -- any any anywhere anywhere
and:
Chain OUTPUT (policy DROP 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
26 1994 ppp0-out all -- any ppp0 anywhere anywhere
would prevent packets with the source address 192.168.*.* from
appearing on ppp0; however, it doesn't. In fact, even if I run ping to
an outside host from a 192.168.*.* computer (eth0), none of the
counters for INPUT, FORWARD, or OUTPUT are incremented (if I turn on
masquerading, everything works as expected though).
So, how can the packet get received by eth0, be forwarded to ppp0, and
transmitted out ppp0 without any of the chain counters recording it?
I know the packet is appearing on ppp0 by looking at tcpdump, ifconfig
and the transmit light on the modem.
I am confused...
I can only guess that some sort of optimisation is occurring, but it
seems strange that it only occurs without masquerading or SNAT.
Am I doing something obvious wrong?
--
Brian May <bam@debian.org>
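Whatever is behind the counters Brian is seeing, one thing the ruleset quoted above cannot do is filter routed traffic: a user chain that is referenced only from OUTPUT is consulted for locally generated packets, while a packet that arrives on eth0 and leaves on ppp0 traverses FORWARD and never touches OUTPUT. The script below is an added example and is not part of the original post. It builds an egress anti-spoofing chain and hooks it from both FORWARD and OUTPUT; the interface name ppp0, the iptables path in $IPT, the list of RFC 1918 prefixes and the choice of DROP rather than REJECT are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the external
# interface is ppp0 (override with EXT_IF), iptables lives at $IPT, and
# the private prefixes below are the ones that must never leave ppp0.
# Set DRY_RUN=1 to print the commands instead of executing them.
IPT=${IPT:-/sbin/iptables}
EXT_IF=${EXT_IF:-ppp0}
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# antispoof_rules IFACE: print the iptables arguments that build the
# "IFACE-out" chain and reference it from the two built-in chains a
# packet leaving IFACE can traverse: FORWARD (routed traffic from the
# LAN) and OUTPUT (traffic generated on the firewall itself).
antispoof_rules() {
    ext_if=$1
    echo "-N ${ext_if}-out"
    for net in $PRIVATE_NETS; do
        echo "-A ${ext_if}-out -s $net -j LOG --log-prefix \"spoof-out: \""
        echo "-A ${ext_if}-out -s $net -j DROP"
    done
    echo "-A ${ext_if}-out -j ACCEPT"
    echo "-A FORWARD -o $ext_if -j ${ext_if}-out"
    echo "-A OUTPUT -o $ext_if -j ${ext_if}-out"
}

# apply_rules IFACE: feed each rule to iptables (or print it under DRY_RUN).
# eval is used so the quoted --log-prefix argument survives word splitting.
apply_rules() {
    antispoof_rules "$1" | while IFS= read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            echo "$IPT $rule"
        else
            eval "$IPT $rule"
        fi
    done
}

# count_hooks IFACE: number of built-in chains that jump to IFACE-out.
# Anything less than 2 means one class of traffic bypasses the check.
count_hooks() {
    antispoof_rules "$1" | grep -c -- "-j $1-out"
}

# show_counters IFACE: after a ping from the LAN, the FORWARD hook's
# counters should move; the OUTPUT hook's only for the firewall's own traffic.
show_counters() {
    "$IPT" -v -n -L "$1-out"
    "$IPT" -v -n -L FORWARD
}
```

Run it as `DRY_RUN=1 sh antispoof.sh` first to see the exact commands, then without DRY_RUN as root; afterwards `iptables -v -n -L FORWARD` shows whether routed packets are reaching the chain, which is the counter that matters for traffic originating on eth0.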