From: Andrew Beverley <andy@andybev.com>
To: Tony Rogers <tony.rogers@erudine.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables - external IP address on internal interface?
Date: Wed, 20 Apr 2011 20:41:34 +0100
Message-ID: <1303328494.4938.289.camel@andybev-desktop>
In-Reply-To: <1303301989.14640.3.camel@HP-019.Erudine.local>
On Wed, 2011-04-20 at 13:19 +0100, Tony Rogers wrote:
> If I'm interpreting this correctly:
>
> 212.118.226.91 is trying to connect to 192.168.0.168 ?
>

Not really "trying to connect", it's just a packet of data, so it could
be the reply to a connection already initiated.

> Or is this some kind of reverse logic, and 192.168.0.168 is actually
> connecting to 212.118.226.91 on port 80? If so, why would the log
> entry be reversed?

I suspect that it is the *reply* packets. So your local client (.168)
opens a connection to port 80 on the remote server (.91) and then the
remote server sends a reply back, which are the packets that you are
seeing below.

> However, there is no rule that permits inbound connections of this nature.
>

Well, if you don't allow *any* packets in, then you will only have a one
way connection, which is pretty useless...

Are you sure you don't have a rule to allow ESTABLISHED connections back
in?

> And (more worryingly) the connection appears to be sourced from eth0 (internal interface).
>

I'd expect them to go OUT on the internal interface. Which chain are you
logging the packets in? If it's POSTROUTING, then I'd expect IN to be
blank - not sure why it is also eth0 - maybe your version of iptables.

>
> Apr 20 11:21:52 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=115 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:21:59 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=116 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:22:04 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=117 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:22:23 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=118 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
>
> Does this make sense to any of you gurus out there?
>

Well, I'm not a guru... but yes it does make sense, except for both the
IN and OUT being the same.

Try logging in the PREROUTING and FORWARD chains as well, and you should
see the interfaces change.

Andy
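As an added example (not part of the thread or anyone's posted code), a small Python script that parses iptables LOG lines like the ones quoted above and flags the three points Andy raises: a remote service port replying to a local high port is the return half of a locally initiated connection, RST is a teardown rather than a connection attempt, and IN equal to OUT means the logging chain should be checked. The 192.168.0.0/24 LAN and the "OUTPUT" log prefix are assumptions taken from the quoted lines.

```python
import ipaddress

# Constructed sample input: the four OUTPUT-chain entries quoted in the thread.
SAMPLE_LOG = """\
Apr 20 11:21:52 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=115 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:21:59 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=116 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:22:04 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=117 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:22:23 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=118 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
"""

# Assumption: the LAN behind the internal interface is 192.168.0.0/24.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")


def parse_log_line(line):
    """Split one iptables LOG line into the --log-prefix text, the key=value
    fields, and the bare flag tokens (DF, SYN, ACK, RST, ...)."""
    _, _, rest = line.partition("kernel: ")
    fields, flags, prefix = {}, set(), []
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif fields:          # bare token after the first field: a flag
            flags.add(tok)
        else:                 # bare token before any field: the log prefix
            prefix.append(tok)
    fields["PREFIX"] = " ".join(prefix)
    fields["FLAGS"] = flags
    return fields


def classify(fields, local_net=LOCAL_NET):
    """Describe what a logged packet most likely is: direction, TCP state,
    and whether the IN/OUT interfaces look odd for the chain in use."""
    if "SRC" not in fields:
        return ["not a packet log line"]
    notes = []
    src, dst = ipaddress.ip_address(fields["SRC"]), ipaddress.ip_address(fields["DST"])
    if fields.get("PROTO") == "TCP":
        sport, dport = int(fields["SPT"]), int(fields["DPT"])
        # Remote well-known port -> local ephemeral port is the *reply* half of
        # a connection the local client opened, not a new inbound connection.
        if src not in local_net and dst in local_net and sport < 1024 <= dport:
            notes.append(f"reply from remote service port {sport} to local client {dst}")
        if "SYN" in fields["FLAGS"] and "ACK" not in fields["FLAGS"]:
            notes.append("SYN without ACK: a new connection attempt")
        if "RST" in fields["FLAGS"]:
            notes.append("RST: the remote side is refusing or tearing down the connection")
    if fields.get("IN") and fields["IN"] == fields.get("OUT"):
        notes.append(f"IN and OUT are both {fields['IN']}; check which chain logged it")
    return notes


def analyse(log_text):
    """Return (log prefix, notes) for every non-empty line of a kernel log excerpt."""
    return [(f["PREFIX"], classify(f))
            for f in (parse_log_line(l) for l in log_text.splitlines() if l.strip())]


if __name__ == "__main__":
    for prefix, notes in analyse(SAMPLE_LOG):
        print(prefix, "->", "; ".join(notes))
```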