* what is blocking packets before netfilter?
@ 2005-03-05 18:47 Horacio J. Peña
  2005-03-06 17:20 ` Phil Oester
  0 siblings, 1 reply; 6+ messages in thread
From: Horacio J. Peña @ 2005-03-05 18:47 UTC (permalink / raw)
  To: netfilter-devel

I have:

# iptables -L -n -t mangle -v
Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# iptables -L -n -t filter -v
Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# tcpdump -nvvvpe icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491

00:0a:e6:2d:90:77 is my MAC.

/proc/sys/net/ipv4/conf/*/rp_filter are 0.
/proc/sys/net/ipv4/conf/*/forwarding are 1.

What could be eating the packets? Shouldn't iptables see anything that comes to the interface?

Thanks,
					HoraPe
---
Horacio J. Peña
horape@compendium.com.ar
horape@uninet.edu


* what is blocking packets before netfilter?
@ 2005-03-06  3:17 Horacio J. Peña
  2005-03-06  3:56 ` R. DuFresne
  0 siblings, 1 reply; 6+ messages in thread
From: Horacio J. Peña @ 2005-03-06  3:17 UTC (permalink / raw)
  To: netfilter

I have:

# iptables -L -n -t mangle -v
Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# iptables -L -n -t filter -v
Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# tcpdump -nvvvpe icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491

00:0a:e6:2d:90:77 is my MAC.

/proc/sys/net/ipv4/conf/*/rp_filter are 0.
/proc/sys/net/ipv4/conf/*/forwarding are 1.

What could be eating the packets? Shouldn't iptables see anything that comes to the interface?

Thanks,
					HoraPe
---
Horacio J. Peña
horape@compendium.com.ar
horape@uninet.edu



* Re: what is blocking packets before netfilter?
  2005-03-06  3:17 Horacio J. Peña
@ 2005-03-06  3:56 ` R. DuFresne
  2005-03-06  4:13   ` Horacio J. Peña
  0 siblings, 1 reply; 6+ messages in thread
From: R. DuFresne @ 2005-03-06  3:56 UTC (permalink / raw)
  To: Horacio J. Peña; +Cc: netfilter


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Is tcpd enabled, does your system have a /etc/hosts.deny file, or a 
hosts.allow that is populated?  Is there a DSL router, or other 
router/intelligent hub with an integrated firewall in it in front of or 
behind the iptables firewall?  Could your ISP be blocking ICMP traffic?


Thanks,

Ron DuFresne

On Sun, 6 Mar 2005, Horacio [iso-8859-1] J. Peña wrote:

> I have:
>
> # iptables -L -n -t mangle -v
> Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4
>
> # iptables -L -n -t filter -v
> Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
> pkts bytes target     prot opt in     out     source               destination
>    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4
>
> # tcpdump -nvvvpe icmp
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491
>
> 00:0a:e6:2d:90:77 is my MAC.
>
> /proc/sys/net/ipv4/conf/*/rp_filter are 0.
> /proc/sys/net/ipv4/conf/*/forwarding are 1.
>
> What could be eating the packets? Shouldn't iptables see anything that comes to the interface?
>
> Thanks,
> 					HoraPe
> ---
> Horacio J. Peña
> horape@compendium.com.ar
> horape@uninet.edu
>
>

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                         -Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCKn99st+vzJSwZikRAohTAKC1rYIlSjBXqJwywaJIovA/+ahYpACfYtlv
JA1L3qlbYZ6WmmEMwFIAxYw=
=PK99
-----END PGP SIGNATURE-----


* Re: what is blocking packets before netfilter?
  2005-03-06  3:56 ` R. DuFresne
@ 2005-03-06  4:13   ` Horacio J. Peña
  0 siblings, 0 replies; 6+ messages in thread
From: Horacio J. Peña @ 2005-03-06  4:13 UTC (permalink / raw)
  To: R. DuFresne; +Cc: netfilter

> Is tcpd enabled, does your system have a /etc/hosts.deny file, or  a 
> hosts.allow that is populated?

No, and afaiu, they shouldn't matter at netfilter level.

> Is there a DSL router, or other 
> router/intelligent hub with an integrated firewall in it infront of or 
> behind the iptables firewall?  Could your ISP be blocking ICMP traffic?

The packets are getting to the box. tcpdump sees them, iptables doesn't.

Thanks,
HoraPe


> Ron DuFresne
> 
> On Sun, 6 Mar 2005, Horacio [iso-8859-1] J. Peña wrote:
> 
> >I have:
> >
> ># iptables -L -n -t mangle -v
> >Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
> >pkts bytes target     prot opt in     out     source               
> >destination
> >   0     0 LOG        all  --  eth0   *       192.168.2.0/24       
> >   0.0.0.0/0           LOG flags 0 level 4
> >
> ># iptables -L -n -t filter -v
> >Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
> >pkts bytes target     prot opt in     out     source               
> >destination
> >   0     0 LOG        all  --  eth0   *       192.168.2.0/24       
> >   0.0.0.0/0           LOG flags 0 level 4
> >
> ># tcpdump -nvvvpe icmp
> >tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 
> >bytes
> >15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 
> >(0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], 
> >length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491
> >
> >00:0a:e6:2d:90:77 is my MAC.
> >
> >/proc/sys/net/ipv4/conf/*/rp_filter are 0.
> >/proc/sys/net/ipv4/conf/*/forwarding are 1.
> >
> >What could be eating the packets? Shouldn't iptables see anything that 
> >comes to the interface?
> >
> >Thanks,
> >					HoraPe
> >---
> >Horacio J. Peña
> >horape@compendium.com.ar
> >horape@uninet.edu
> >
> >
> 
> - -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> 
> ...Love is the ultimate outlaw.  It just won't adhere to rules.
> The most any of us can do is sign on as it's accomplice.  Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question.  The words
> "make" and "stay" become inappropriate.  My love for you has no
> strings attached.  I love you for free...
>                         -Tom Robins <Still Life With Woodpecker>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFCKn99st+vzJSwZikRAohTAKC1rYIlSjBXqJwywaJIovA/+ahYpACfYtlv
> JA1L3qlbYZ6WmmEMwFIAxYw=
> =PK99
> -----END PGP SIGNATURE-----


-- 
					HoraPe
---
Horacio J. Peña
horape@compendium.com.ar
horape@uninet.edu



* Re: what is blocking packets before netfilter?
  2005-03-05 18:47 what is blocking packets before netfilter? Horacio J. Peña
@ 2005-03-06 17:20 ` Phil Oester
  2005-03-07 16:01   ` Horacio J. Peña
  0 siblings, 1 reply; 6+ messages in thread
From: Phil Oester @ 2005-03-06 17:20 UTC (permalink / raw)
  To: Horacio J. Peña; +Cc: netfilter-devel

On Sat, Mar 05, 2005 at 03:47:15PM -0300, Horacio J. Peña wrote:
> What could be eating the packets? Shouldn't iptables see anything that comes to the interface?

Impossible to answer without knowing if 10.5.0.1 is a local or remote IP.

Phil


* Re: what is blocking packets before netfilter?
  2005-03-06 17:20 ` Phil Oester
@ 2005-03-07 16:01   ` Horacio J. Peña
  0 siblings, 0 replies; 6+ messages in thread
From: Horacio J. Peña @ 2005-03-07 16:01 UTC (permalink / raw)
  To: Phil Oester; +Cc: netfilter-devel

> > What could be eating the packets? Shouldn't iptables see anything that comes to the interface?
> Impossible to answer without knowing if 10.5.0.1 is a local or remote IP.

Remote. Reformulating the question: what is there between the packet
hitting the eth driver and it hitting iptables that could block it? My
first thoughts were IP forwarding (if it were disabled, packets to
non-local addresses should be blocked) and rp_filter (as the box's route
for the src address isn't that way).

What else is there between the eth driver and iptables INPUT ?

Thanks,
					HoraPe
---
Horacio J. Peña
horape@compendium.com.ar
horape@uninet.edu

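The question in the last message (what sits between the Ethernet driver and the iptables INPUT chain, and what can drop a packet there) is answered by the shape of the IPv4 receive path rather than by any single sysctl. The model below is an added example, not code from the thread or from the kernel: it walks a packet through the 2.6-era stages in order (AF_PACKET tap, ip_rcv sanity checks, NF_IP_PRE_ROUTING, the routing decision with its rp_filter and forwarding checks, then either NF_IP_LOCAL_IN or ip_forward/NF_IP_FORWARD) and reports which hooks it reached and where it was dropped. The host in thread_host() is constructed: the local address 192.168.1.1, the eth1 routes, and the interface layout are assumptions chosen to match the poster's statement that the route back to the source address does not point at eth0; the packet is the echo request from the posted tcpdump line. Run on that packet with the posted settings (forwarding=1, rp_filter=0), the remote destination sends it through FORWARD, and no INPUT rule can ever count it.

```python
"""Simplified model of the Linux IPv4 receive path (2.6-era hook names),
showing which netfilter hooks a packet reaches and the points at which the
kernel can drop it before the iptables INPUT chain.  Teaching model only,
not kernel code; the host, addresses and routes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class Host:
    local_addrs: Set[ipaddress.IPv4Address]   # addresses configured on the box
    routes: List[Route]                       # FIB, longest-prefix match
    forwarding: bool = True                   # /proc/sys/net/ipv4/conf/*/forwarding
    rp_filter: bool = False                   # /proc/sys/net/ipv4/conf/*/rp_filter

    def lookup(self, addr: str) -> Optional[Route]:
        a = ipaddress.IPv4Address(addr)
        best = None
        for r in self.routes:
            if a in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    ttl: int = 64
    header_ok: bool = True   # ip_rcv() sanity checks: version, length, checksum


def receive(host: Host, pkt: Packet) -> Tuple[List[str], Optional[str]]:
    """Walk the packet through the receive path.
    Returns (stages traversed in order, drop reason or None)."""
    # The AF_PACKET tap that tcpdump reads sits right after the driver, so
    # tcpdump sees frames that netfilter is never shown.
    path = ["driver", "af_packet_tap"]
    if not pkt.header_ok:
        return path, "ip_rcv: malformed IP header, dropped before any netfilter hook"
    # raw/mangle/nat PREROUTING and connection tracking run at this hook.
    path.append("NF_IP_PRE_ROUTING")
    path.append("routing_decision")
    # Reverse-path filter: the route back to src must point at the ingress
    # interface, for locally destined and forwarded packets alike.
    if host.rp_filter:
        back = host.lookup(pkt.src)
        if back is None or back.iface != pkt.in_iface:
            return path, "rp_filter: martian source, dropped in routing"
    if ipaddress.IPv4Address(pkt.dst) in host.local_addrs:
        path.append("NF_IP_LOCAL_IN")   # iptables INPUT in mangle and filter
        path.append("local_delivery")
        return path, None
    # Non-local destination: only reachable through the forward path.
    if not host.forwarding:
        return path, "forwarding=0: no input route for a non-local destination, dropped in routing"
    out = host.lookup(pkt.dst)
    if out is None:
        return path, "no route to destination, ICMP unreachable, dropped in routing"
    path.append("ip_forward")
    if pkt.ttl <= 1:
        return path, "ttl exceeded in ip_forward, before the FORWARD hook"
    path.append("NF_IP_FORWARD")        # iptables FORWARD in mangle and filter
    path.append("NF_IP_POST_ROUTING")   # mangle/nat POSTROUTING
    path.append("xmit:" + out.iface)
    return path, None


def thread_host(forwarding: bool = True, rp_filter: bool = False) -> Host:
    """Constructed stand-in for the box in the thread (assumption): eth0 is the
    ingress interface, while the routes back to 192.168.2.0/24 and towards
    10.5.0.1 both point at eth1.  192.168.1.1 is an assumed local address."""
    return Host(
        local_addrs={ipaddress.IPv4Address("192.168.1.1")},
        routes=[
            Route(ipaddress.IPv4Network("192.168.1.0/24"), "eth0"),
            Route(ipaddress.IPv4Network("192.168.2.0/24"), "eth1"),
            Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth1"),
        ],
        forwarding=forwarding,
        rp_filter=rp_filter,
    )


# The echo request from the posted tcpdump line: 192.168.2.1 -> 10.5.0.1, in on eth0.
THREAD_PACKET = Packet(src="192.168.2.1", dst="10.5.0.1", in_iface="eth0")


if __name__ == "__main__":
    for label, host in [("as posted", thread_host()),
                        ("rp_filter=1", thread_host(rp_filter=True)),
                        ("forwarding=0", thread_host(forwarding=False))]:
        path, drop = receive(host, THREAD_PACKET)
        print(f"{label:13} {' -> '.join(path)}   drop={drop}")
```

The practical consequence for the diagnosis in the thread: a LOG rule that must see every packet entering eth0 belongs in raw or mangle PREROUTING, which runs before the routing decision, and a packet for a remote destination is then matched in filter FORWARD, not INPUT. The drops the model places inside routing_decision (martian source under rp_filter, or a non-local destination with forwarding off) happen after PREROUTING but before either INPUT or FORWARD, which is why they are invisible to rules in those chains while still visible to tcpdump.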
