* Packets passing trough...
@ 2002-11-13 19:33 strenuus
  2002-11-14  6:22 ` Jet
  2002-11-15  1:00 ` Joel Newkirk
  0 siblings, 2 replies; 3+ messages in thread
From: strenuus @ 2002-11-13 19:33 UTC (permalink / raw)
  To: netfilter

Output from iptables -L -nvx

---
Chain FORWARD (policy ACCEPT 161696 packets, 47270419 bytes)
     pkts      bytes target     prot opt in     out     source               destination
    61547  6434012             all  --  *       eth1    192.168.0.0/24       !192.168.1.0/24
    59305 36440468             all  --  eth1    *       !192.168.1.0/24       192.168.0.0/24
    20358  1239485             all  --  *       eth1    192.168.1.0/24       !192.168.0.0/24
    20322  3148918             all  --  eth1    *      !192.168.0.0/24        192.168.1.0/24
     3241   561174             all  --  *       *       194.106.188.0/28      192.168.0.0/24
       42     5260             all  --  *       *       194.106.188.0/28      192.168.1.0/24
---

How is this possible? Wouldn't all packets match the first 4 rules and never get to 6 and 7?
Interface eth1 goes to the internet (SNAT is on) and eth0 and eth2 are LAN (192.168.0.0 and 192.168.1.0).

* Re: Packets passing trough...
  2002-11-13 19:33 Packets passing trough strenuus
@ 2002-11-14  6:22 ` Jet
  2002-11-15  1:00 ` Joel Newkirk
  1 sibling, 0 replies; 3+ messages in thread
From: Jet @ 2002-11-14  6:22 UTC (permalink / raw)
  To: strenuus, netfilter

Hi strenuus,

It is possible. What if the packets are:

Packet=1    interface=eth0    src=194.106.188.1    dst=192.168.0.1
Packet=2    interface=eth0    src=194.106.188.1    dst=192.168.1.1

Packet 1 goes into rule 6 and packet 2 goes into rule 7.

By the way, have you done this?

# enable reverse-path filtering on every interface
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > ${interface}
done

Maybe you want to try this first and reset the counters, and see if it is
still happening.

Good luck.

.//Jet

> Output from iptables -L -nvx
>
> ---
> Chain FORWARD (policy ACCEPT 161696 packets, 47270419 bytes)
>      pkts      bytes target     prot opt in     out     source               destination
>     61547  6434012             all  --  *       eth1    192.168.0.0/24       !192.168.1.0/24
>     59305 36440468             all  --  eth1    *       !192.168.1.0/24       192.168.0.0/24
>     20358  1239485             all  --  *       eth1    192.168.1.0/24       !192.168.0.0/24
>     20322  3148918             all  --  eth1    *      !192.168.0.0/24        192.168.1.0/24
>      3241   561174             all  --  *       *       194.106.188.0/28      192.168.0.0/24
>        42     5260             all  --  *       *       194.106.188.0/28      192.168.1.0/24
> ---
>
> How is this possible, wouldn't all packets match first 4 rules and never get to 6 and 7?
> Interface eth1 goes to internet (snat is on) and eth0 and eth2 are LAN (192.168.0.0 and 192.168.1.0)

* Re: Packets passing trough...
  2002-11-13 19:33 Packets passing trough strenuus
  2002-11-14  6:22 ` Jet
@ 2002-11-15  1:00 ` Joel Newkirk
  1 sibling, 0 replies; 3+ messages in thread
From: Joel Newkirk @ 2002-11-15  1:00 UTC (permalink / raw)
  To: strenuus, netfilter

On Wednesday 13 November 2002 02:33 pm, strenuus wrote:
> Output from iptables -L -nvx
>
> ---
> Chain FORWARD (policy ACCEPT 161696 packets, 47270419 bytes)
>      pkts      bytes target     prot opt in     out     source               destination
>     61547  6434012             all  --  *       eth1    192.168.0.0/24       !192.168.1.0/24
>     59305 36440468             all  --  eth1    *       !192.168.1.0/24       192.168.0.0/24
>     20358  1239485             all  --  *       eth1    192.168.1.0/24       !192.168.0.0/24
>     20322  3148918             all  --  eth1    *      !192.168.0.0/24        192.168.1.0/24
>      3241   561174             all  --  *       *       194.106.188.0/28      192.168.0.0/24
>        42     5260             all  --  *       *       194.106.188.0/28      192.168.1.0/24
> ---
>
> How is this possible, wouldn't all packets match first 4 rules and never
> get to 6 and 7? Interface eth1 goes to internet (snat is on) and eth0 and
> eth2 are LAN (192.168.0.0 and 192.168.1.0)

What's to stop them?  You don't have any targets, so the rules are just 
counters.  Your FORWARD policy is ACCEPT, so they get through anyway, and at 
a quick glance it looks like you have nearly the same number of packets that 
hit policy as your rules counted, all together.

j
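To make Jet's two-packet walk-through and Joel's point concrete, here is an added example (not code from the thread or from netfilter) that simulates how the FORWARD chain above is traversed: a target-less rule only bumps its counter and the packet keeps going until it reaches the chain policy, whereas a rule with a terminating target ends the walk. The sample packets and the assumed interface layout (eth0 = 192.168.0.0/24, eth2 = 192.168.1.0/24, eth1 = internet) are constructed for the example.

```python
import ipaddress

# The six FORWARD rules from the thread as (in, out, source, destination, target).
# "*" is any interface, a leading "!" negates a network, None means no target.
FORWARD_RULES = [
    ("*",    "eth1", "192.168.0.0/24",   "!192.168.1.0/24", None),
    ("eth1", "*",    "!192.168.1.0/24",  "192.168.0.0/24",  None),
    ("*",    "eth1", "192.168.1.0/24",   "!192.168.0.0/24", None),
    ("eth1", "*",    "!192.168.0.0/24",  "192.168.1.0/24",  None),
    ("*",    "*",    "194.106.188.0/28", "192.168.0.0/24",  None),
    ("*",    "*",    "194.106.188.0/28", "192.168.1.0/24",  None),
]

def net_matches(spec, addr):
    # Match an address against a possibly negated CIDR such as "!192.168.1.0/24".
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negated

def iface_matches(spec, iface):
    return spec == "*" or spec == iface

def walk_chain(packet, rules=FORWARD_RULES, policy="ACCEPT"):
    """packet = (in_iface, out_iface, src, dst).  Returns (1-based numbers of the
    rules whose counters increment, verdict).  Only a terminating target stops the
    walk; a target-less rule just counts, so the packet falls through to the policy."""
    in_if, out_if, src, dst = packet
    hits = []
    for n, (rin, rout, rsrc, rdst, target) in enumerate(rules, start=1):
        if (iface_matches(rin, in_if) and iface_matches(rout, out_if)
                and net_matches(rsrc, src) and net_matches(rdst, dst)):
            hits.append(n)
            if target in ("ACCEPT", "DROP", "REJECT"):
                return hits, target
    return hits, policy

def counters(packets, rules=FORWARD_RULES):
    # Per-rule packet counts after walking every packet, like the pkts column.
    pkts = [0] * len(rules)
    for pkt in packets:
        for n in walk_chain(pkt, rules)[0]:
            pkts[n - 1] += 1
    return pkts

# Constructed sample packets (not from the thread's capture): Jet's two packets with an
# internet source arriving on a LAN interface, one LAN->internet packet, and one
# LAN->LAN packet that matches no rule and reaches the ACCEPT policy alone.
SAMPLE_PACKETS = {
    "jet_packet_1": ("eth0", "eth0", "194.106.188.1", "192.168.0.1"),
    "jet_packet_2": ("eth0", "eth2", "194.106.188.1", "192.168.1.1"),
    "lan_to_inet":  ("eth0", "eth1", "192.168.0.10", "203.0.113.5"),
    "lan_to_lan":   ("eth0", "eth2", "192.168.0.10", "192.168.1.10"),
}
```

Jet's packets land only on the last two rules and every packet still gets the ACCEPT verdict from the policy; prepending a rule with a DROP target for the 194.106.188.0/28 source shows the walk ending early instead.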
