OUTPUT ACCEPT, but can't see out

All of lore.kernel.org
 help / color / mirror / Atom feed

* OUTPUT ACCEPT, but can't see out
@ 2004-03-04  1:11 Kevin Mulcahy
  2004-03-04  1:23 ` Unknown, Alistair Tonner
       [not found] ` <200403032023.35644.Alistair Tonner <>
  0 siblings, 2 replies; 5+ messages in thread
From: Kevin Mulcahy @ 2004-03-04  1:11 UTC (permalink / raw)
  To: netfilter

Hi All
I have a very simple set of rules, with default policy for INPUT being 
DROP and  default OUTPUT being ACCEPT.
However, I can't hit anything on the outside.  I can't ping, ssh - nothing.
When I flush everything I can see outside no problem.
My script is:

IPTABLES="/sbin/iptables"
INTERFACE="eth0"
SERVER="x.x.x.x"
SSHA1="y.y.y.y"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp -s $SSHA1 -d $SERVER --dport 22 
-j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 80 
-j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 443 
-j ACCEPT
$IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state 
ESTABLISHED,RELATED -j ACCEPT
#Note - this appears to generate an error
# iptables: No chain/target/match by that name
# but would that affect OUTPUT ???
$IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN

$IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT


Cheers
Kev.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: OUTPUT ACCEPT, but can't see out
  2004-03-04  1:11 OUTPUT ACCEPT, but can't see out Kevin Mulcahy
@ 2004-03-04  1:23 ` Unknown, Alistair Tonner
       [not found] ` <200403032023.35644.Alistair Tonner <>
  1 sibling, 0 replies; 5+ messages in thread
From: Unknown, Alistair Tonner @ 2004-03-04  1:23 UTC (permalink / raw)
  To: netfilter

On March 3, 2004 08:11 pm, Kevin Mulcahy wrote:
> Hi All
> I have a very simple set of rules, with default policy for INPUT being
> DROP and  default OUTPUT being ACCEPT.
> However, I can't hit anything on the outside.  I can't ping, ssh - nothing.
> When I flush everything I can see outside no problem.
> My script is:
>
> IPTABLES="/sbin/iptables"
> INTERFACE="eth0"
> SERVER="x.x.x.x"
> SSHA1="y.y.y.y"
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $SSHA1 -d $SERVER --dport 22
> -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 80
> -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p tcp -s $ALLIP -d $ALLIP --dport 443
> -j ACCEPT
> $IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> #Note - this appears to generate an error
> # iptables: No chain/target/match by that name
> # but would that affect OUTPUT ???
> $IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN
>
> $IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT



	Remove the -p ALL from your established related line.
	dont put one it ...covers all.
	
	in answer to the question you commented in there, YES it will ..your policy on 
	input is DROP -- thus you are getting out, but nothing is getting BACK to you.


	Alistair.
>
>
> Cheers
> Kev.


^ permalink raw reply	[flat|nested] 5+ messages in thread

[parent not found: <200403032023.35644.Alistair Tonner <>]

* Re: OUTPUT ACCEPT, but can't see out
       [not found] ` <200403032023.35644.Alistair Tonner <>
@ 2004-03-04  2:06   ` Kevin Mulcahy
  2004-03-04 13:03     ` Unknown, Alistair Tonner
       [not found]     ` <200403040803.56158.Alistair Tonner <>
  0 siblings, 2 replies; 5+ messages in thread
From: Kevin Mulcahy @ 2004-03-04  2:06 UTC (permalink / raw)
  To: netfilter


>>$IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state
>>ESTABLISHED,RELATED -j ACCEPT
>>#Note - this appears to generate an error
>># iptables: No chain/target/match by that name
>># but would that affect OUTPUT ???
>>$IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN
>>
>>$IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT
> 
> 
> 
> 
> 	Remove the -p ALL from your established related line.
> 	dont put one it ...covers all.

Done. But I still get the error.
I've read that loading in the appropriate module will solve this, but 
unfortunately my hosting company has built their own monolithic kernels 
which don't support loadable modules.
Is there any way around this?

> 	
> 	in answer to the question you commented in there, YES it will ..your policy on 
> 	input is DROP -- thus you are getting out, but nothing is getting BACK to you.
makes perfect sense.

Kev.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: OUTPUT ACCEPT, but can't see out
  2004-03-04  2:06   ` Kevin Mulcahy
@ 2004-03-04 13:03     ` Unknown, Alistair Tonner
       [not found]     ` <200403040803.56158.Alistair Tonner <>
  1 sibling, 0 replies; 5+ messages in thread
From: Unknown, Alistair Tonner @ 2004-03-04 13:03 UTC (permalink / raw)
  To: Kevin Mulcahy, netfilter

On March 3, 2004 09:06 pm, Kevin Mulcahy wrote:
> >>$IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state
> >>ESTABLISHED,RELATED -j ACCEPT
> >>#Note - this appears to generate an error
> >># iptables: No chain/target/match by that name
> >># but would that affect OUTPUT ???
> >>$IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN
> >>
> >>$IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT
> >
> > 	Remove the -p ALL from your established related line.
> > 	dont put one it ...covers all.
>
> Done. But I still get the error.
> I've read that loading in the appropriate module will solve this, but
> unfortunately my hosting company has built their own monolithic kernels
> which don't support loadable modules.
> Is there any way around this?
>

	Uck.  
	state matching is the heart and soul of connection tracking.
	it strikes me as weird that it isn't included.  ipt_state 	
	and ip_conntrack are the symbol names that should be 
	found in the kernel (grep System.map and /proc/kysms or /proc/kallsyms)
	if not found you are going to have to explicitly allow connections by port
	which just plain .... is awful.

	One other thing that can cause this issue is if the kernel version that the
	userspace application was built against does not match the running kernel.
	the resolution is to rebuilt the userspace application against the current kernel.

	What kernel version and iptables version are you working with?	
	


> > 	in answer to the question you commented in there, YES it will ..your
> > policy on input is DROP -- thus you are getting out, but nothing is
> > getting BACK to you.
>
> makes perfect sense.
>
> Kev.


^ permalink raw reply	[flat|nested] 5+ messages in thread

[parent not found: <200403040803.56158.Alistair Tonner <>]

* Re: OUTPUT ACCEPT, but can't see out
       [not found]     ` <200403040803.56158.Alistair Tonner <>
@ 2004-03-04 23:02       ` Kevin Mulcahy
  0 siblings, 0 replies; 5+ messages in thread
From: Kevin Mulcahy @ 2004-03-04 23:02 UTC (permalink / raw)
  Cc: netfilter


On 05/03/2004, at 12:03 AM, Alistair Tonner wrote:

> On March 3, 2004 09:06 pm, Kevin Mulcahy wrote:
>>>> $IPTABLES -A INPUT -i $INTERFACE -p ALL -m state --state
>>>> ESTABLISHED,RELATED -j ACCEPT
>>>> #Note - this appears to generate an error
>>>> # iptables: No chain/target/match by that name
>>>> # but would that affect OUTPUT ???
>>>> $IPTABLES -A INPUT -i $INTERFACE -p ALL -j RETURN
>>>>
>>>> $IPTABLES -A OUTPUT -o $INTERFACE -p ALL  -j ACCEPT
>>>
>>> 	Remove the -p ALL from your established related line.
>>> 	dont put one it ...covers all.
>>
>> Done. But I still get the error.
>> I've read that loading in the appropriate module will solve this, but
>> unfortunately my hosting company has built their own monolithic 
>> kernels
>> which don't support loadable modules.
>> Is there any way around this?
>>
>
> 	Uck.
> 	state matching is the heart and soul of connection tracking.
> 	it strikes me as weird that it isn't included.  ipt_state 	
> 	and ip_conntrack are the symbol names that should be
> 	found in the kernel (grep System.map and /proc/kysms or 
> /proc/kallsyms)
> 	if not found you are going to have to explicitly allow connections by 
> port
> 	which just plain .... is awful.

grep on ipt_state and ip_conntrack turned up nothing in System.map.
neither /proc/kysms nor /proc/kallsyms exist!
>
> 	One other thing that can cause this issue is if the kernel version 
> that the
> 	userspace application was built against does not match the running 
> kernel.
> 	the resolution is to rebuilt the userspace application against the 
> current kernel.
>
> 	What kernel version and iptables version are you working with?

iptables v1.2.5
kernel 2.4.24 #1 SMP

Kev.

> 	



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2004-03-04 23:02 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-04  1:11 OUTPUT ACCEPT, but can't see out Kevin Mulcahy
2004-03-04  1:23 ` Unknown, Alistair Tonner
     [not found] ` <200403032023.35644.Alistair Tonner <>
2004-03-04  2:06   ` Kevin Mulcahy
2004-03-04 13:03     ` Unknown, Alistair Tonner
     [not found]     ` <200403040803.56158.Alistair Tonner <>
2004-03-04 23:02       ` Kevin Mulcahy

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.