From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Packets that should have been DNATted appearing in INPUT table
Date: Tue, 11 Jan 2005 11:29:14 -0500
Message-ID: <20050111162914.GA14045@bender.817west.com>
In-Reply-To: <002801c4f7ee$ccf74210$4206a8c0@loki>
On Tue, Jan 11, 2005 at 04:03:11PM +0100, Marius Mertens wrote:
> Hi again,
>
> I just subscribed to this list in order to save the moderator some work and
> minimize the delays in our discussion ;-)
> So no need to cc anymore.
we greatly appreciate that.
> On Tuesday, January 11, 2005 1:27 AM,
> R. DuFresne wrote:
>
> >[...]
> >validate your conclusions, adding a LOG rule prior to the drop might
> >help track down 'why' you are seeing that 'counter' increment.
>
> Below are the packets logged by
> iptables -A INPUT -i ppp0 -p tcp --dport 4664 -j LOG --log-level 6 --log-prefix "SUSPICIOUS: "
> after running some minutes.
you could easily be creating this situation yourself with your "testing"
methodology. if you are:
1) starting firewall
2) allowing connections to establish
3) stopping firewall, which includes removing ip_conntrack
4) starting firewall
all the packets that were part of the established connections in step 2
will no longer have a conntrack entry that ties them to the DNAT, and
they will end up in INPUT and get dropped.
i'm not saying this is what you are doing--but it's an explanation for
what you're seeing--the DNAT functionality in netfilter works properly
in my experience.
-j
--
"To alcohol: the cause of, and solution to, all of life's problems."
--The Simpsons
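One way to check the explanation above against the LOG output, as an added example that is not part of the original thread: the quoted LOG rule records the TCP flags, so a logged packet with ACK set but no SYN belongs to a connection that already existed, which is consistent with a conntrack entry lost across a firewall restart, while a bare SYN is a fresh connection that DNAT really did not catch. The sample lines are constructed, not the poster's actual output.

```python
import re

# Constructed sample lines in the kernel's iptables LOG format (the poster's real
# output is not reproduced on the page). Prefix and port match the rule quoted above.
SAMPLE_LOG = """\
Jan 11 15:40:01 loki kernel: SUSPICIOUS: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=4664 WINDOW=501 RES=0x00 ACK URGP=0
Jan 11 15:40:02 loki kernel: SUSPICIOUS: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=4321 DF PROTO=TCP SPT=40001 DPT=4664 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 11 15:40:03 loki kernel: SUSPICIOUS: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51234 DPT=4664 WINDOW=501 RES=0x00 ACK PSH URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line, prefix="SUSPICIOUS: "):
    """Return the KEY=value fields and the TCP flag tokens of one LOG line."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields = dict(FIELD_RE.findall(body))
    # TCP flag names appear as bare tokens (no '=') between RES= and URGP=.
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}
    return {"src": fields.get("SRC"), "spt": fields.get("SPT"),
            "dpt": fields.get("DPT"), "proto": fields.get("PROTO"), "flags": flags}


def classify(log_text, prefix="SUSPICIOUS: "):
    """Split logged TCP packets into mid-stream (orphaned) and new-connection ones."""
    result = {"orphaned_midstream": [], "new_connection": [], "other": []}
    for line in log_text.splitlines():
        pkt = parse_log_line(line, prefix)
        if pkt is None or pkt["proto"] != "TCP":
            continue
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            # A fresh connection reached INPUT: DNAT really was not applied to it.
            result["new_connection"].append(pkt)
        elif "ACK" in pkt["flags"]:
            # Mid-stream packet with no conntrack entry: fits a flushed ip_conntrack.
            result["orphaned_midstream"].append(pkt)
        else:
            result["other"].append(pkt)
    return result
```

Run `classify(SAMPLE_LOG)` against your own syslog text; if everything lands in `orphaned_midstream`, the firewall-restart explanation fits, and only `new_connection` entries point at a real DNAT problem.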