From: Pete Toscano <pete-netfilter@verisignlabs.com>
To: Support Team <support@precisenetworksinc.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables not responding to packets destined for subinterface
Date: Mon, 25 Oct 2004 09:26:14 -0400 [thread overview]
Message-ID: <417CFEF6.7090101@verisignlabs.com> (raw)
In-Reply-To: <002201c4ba44$e1ff8ba0$6601a8c0@CHELA>
Support Team wrote:
> My public interface has serveral IP address aliases. Only the primary IP
> address responds to traffic (ip, imcp, et al). I inserted a log statement
> at the top of each table and found that the packets destined for the virtual
> addresses never made it to any table. However, according to tcpdump, I
> confirmed that the packets did get picked up by the kernel on the secondary
> address. I guess they are just not passed to iptables. Obviously, the
> packet was never replied to (icmp) or acknowledged (ip) by the process.
>
> How can I get iptables to respond to the packets on the secondary
> interfaces? Or, how can I get the kernel to pass the packets to iptables?
>
> I understand that when the packet hits the chain, all I have to do is create
> a rule with the primary interface and use the IP address to distinguish the
> packets of different virtual addresses.
Patrick,
I don't have time to read the volume of details of your message, but the
summary sounds a lot like a problem I was having. Maybe this will help you.
I was upgrading a bunch of boxes. I'd take a spare box, configure it,
then swap it in in place of the old box. I was seeing some real
strangeness. In tcpdump, I could see the packets, but they weren't
hitting the iptables chains (verified with LOG statements at the top of
every chain in every table).
It turns out to have been an ARP cache issue. The router I was attached
to still had the MAC address of the old machine's Ethernet interface in
its cache. I could see the packets in tcpdump because it was putting
the interface in promiscuous mode and filtering on the "problem" IP
address assigned to one of my subinterfaces. It wasn't until I finally
looked at the dest MAC address in the packets I was seeing in tcpdump
(but not in iptables) and compared it to my actual MAC address that I
figured out this problem. A simple ARP cache flush on the router
cleared up the problem. (Or, if you're patient, just waiting for the
relevant entries to timeout would work too.)
Hopefully, this helps you with your problem (or maybe it'll help others).
pete
next prev parent reply other threads:[~2004-10-25 13:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-10-25 3:44 iptables not responding to packets destined for subinterface Support Team
2004-10-25 13:26 ` Pete Toscano [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-10-31 5:23 Gary Smith
2004-10-31 5:12 Support Team
2004-11-01 13:03 ` Pete Toscano
2004-10-25 3:27 Support Team
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=417CFEF6.7090101@verisignlabs.com \
--to=pete-netfilter@verisignlabs.com \
--cc=netfilter@lists.netfilter.org \
--cc=support@precisenetworksinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.