* -m state question
@ 2005-04-12 15:35 Jason Sigurdur
From: Jason Sigurdur @ 2005-04-12 15:35 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Hi, with the below rules I keep seeing (intermittently) packets that are
dropped in the 'FORWARD_' chain, such as:

FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.x.x DST=209.204.233.88 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=53086 DF PROTO=TCP SPT=1595 DPT=80 WINDOW=0 RES=0x00 RST URGP=0

that are going in this direction:

Eth0[ext]---Eth1[internal] <---

Shouldn't the 3rd FORWARD_ rule allow any new forwarding entries in from
anywhere except eth0?
################################################################################################
# user-defined chain for forwarded traffic
iptables -N FORWARD_
# packets belonging to (or related to) a tracked connection
iptables -A FORWARD_ -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from any interface other than the external one
iptables -A FORWARD_ ! -i eth0 -m state --state NEW -j ACCEPT
# everything else is logged, then dropped
iptables -A FORWARD_ -j LOG --log-level info --log-prefix "FORWARD_DROPPED: "
iptables -A FORWARD_ -j DROP
# masquerade the internal /22 behind the external address
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.x.x/22 -j SNAT --to-source x.x.x.x [eth0 ip]
iptables -A INPUT -j IN
iptables -A FORWARD -j FORWARD_
####################################################################################################
Thank you,
Jason Sigurdur
Technical Services
Aspen View Regional Division #19
* Re: -m state question
From: Taylor, Grant @ 2005-04-13 14:54 UTC (permalink / raw)
To: Jason Sigurdur; +Cc: 'netfilter@lists.netfilter.org'
> Hi, with the below rules I keep seeing (intermittently) packets that are
> dropped in the 'FORWARD_' chain, such as:
>
> FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.x.x DST=209.204.233.88 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=53086 DF PROTO=TCP SPT=1595 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
If I am reading this output correctly, this looks like it is a reset packet. It would depend on whether this packet is in response to errant packets inbound to one of your systems or whether you have a system that is erroneously sending this. If the latter is the case, this packet is not considered ESTABLISHED or RELATED, and as it is not trying to synchronize a new connection it is not considered NEW either. I would need to see more traffic dumps from shortly before and after (5 - 10 min) this packet to see if it is associated with any other ongoing connection.

I'm not seeing any indication that the ACK flag was set in this packet, thus indicating to me that this packet is in response to another packet that came inbound to it, but I'm not sure whether the LOG target would show the ACK flag or not, though I would expect it to. Can you get a tcpdump / Ethereal output of this traffic and post it to the list? (Scrub IPs if you need to. Make a.b.c.d be your client systems and w.x.y.z be the destination system on the INet.)
> Shouldn't the 3rd FORWARD_ rule allow any new forwarding entries in from
> anywhere except eth0?
No, not if the connection is erroneous.
Grant. . . .
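The open question in the thread is whether a packet like the logged one could ever match the `--state NEW` rule. The script below is an added example, not code from either poster: it parses netfilter LOG lines of the form shown above into their KEY=VALUE fields and bare flag tokens (the LOG target does print the TCP flags, so "RST" with no "ACK" means exactly that), and then applies a summary of how the netfilter TCP tracker treats a packet for which no conntrack entry exists: a bare SYN becomes NEW, a bare ACK becomes NEW only with loose mid-stream pickup enabled, and RST, FIN or SYN+ACK can never open an entry and are INVALID. The flag-precedence order and the loose-pickup rule are my reading of the tracker's state table, stated here as an assumption; the SYN and ACK sample lines are constructed, and the first sample is the line from the thread with its scrubbed source address left as posted.

```python
"""Parse netfilter LOG lines and classify the conntrack state a packet
would receive if no entry already exists for its connection tuple."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Flag tokens the LOG target prints for TCP when the corresponding bit is set.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Bare tokens printed for the IP header: don't-fragment, more-fragments, ECN CE.
IP_TOKENS = {"DF", "MF", "CE"}


@dataclass
class LogEntry:
    prefix: str
    fields: Dict[str, str] = field(default_factory=dict)
    tcp_flags: Set[str] = field(default_factory=set)
    ip_tokens: Set[str] = field(default_factory=set)


def parse_log_line(line: str) -> LogEntry:
    """Split one LOG line into --log-prefix, KEY=VALUE fields and bare flag tokens."""
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    entry = LogEntry(prefix=line[:idx].strip())
    for tok in line[idx:].split():
        key, sep, val = tok.partition("=")
        if sep:
            entry.fields[key] = val
        elif tok in TCP_FLAGS:
            entry.tcp_flags.add(tok)
        elif tok in IP_TOKENS:
            entry.ip_tokens.add(tok)
        # any other bare token is ignored rather than guessed at
    return entry


def state_without_entry(entry: LogEntry, loose: bool = True) -> str:
    """State assigned to a packet whose tuple has no conntrack entry yet.

    Assumed model of the netfilter TCP tracker (precedence: RST, then
    SYN+ACK, then SYN, FIN, ACK): only a bare SYN opens an entry as NEW; a
    bare ACK is NEW only when loose pickup (tcp_loose) is on; RST, FIN and
    SYN+ACK are INVALID and so match neither NEW nor ESTABLISHED.
    """
    proto = entry.fields.get("PROTO")
    if proto == "UDP":
        return "NEW"            # any UDP datagram may open an entry
    if proto != "TCP":
        return "UNHANDLED"      # ICMP and others need per-type logic not modelled here
    f = entry.tcp_flags
    if "RST" in f:
        return "INVALID"
    if "SYN" in f and "ACK" in f:
        return "INVALID"
    if "SYN" in f:
        return "NEW"
    if "FIN" in f:
        return "INVALID"
    if "ACK" in f:
        return "NEW" if loose else "INVALID"
    return "INVALID"


def explain(line: str, loose: bool = True) -> Dict[str, str]:
    """Human-readable summary: who talked to whom, which flags, and why it was dropped."""
    e = parse_log_line(line)
    return {
        "prefix": e.prefix,
        "flow": "%s:%s -> %s:%s/%s" % (
            e.fields.get("SRC"), e.fields.get("SPT"),
            e.fields.get("DST"), e.fields.get("DPT"), e.fields.get("PROTO")),
        "tcp_flags": " ".join(sorted(e.tcp_flags)) or "-",
        "state_if_untracked": state_without_entry(e, loose),
    }


# Sample input: the line posted in the thread (source address scrubbed as posted),
# plus two constructed variants that are not real captures.
THREAD_LINE = ("FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.x.x DST=209.204.233.88 "
               "LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=53086 DF PROTO=TCP SPT=1595 "
               "DPT=80 WINDOW=0 RES=0x00 RST URGP=0")
SYN_LINE = ("FORWARD_DROPPED: IN=eth1 OUT=eth0 SRC=172.16.1.10 DST=192.0.2.1 "
            "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1596 "
            "DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0")
ACK_LINE = SYN_LINE.replace("SYN URGP", "ACK URGP")

if __name__ == "__main__":
    for sample in (THREAD_LINE, SYN_LINE, ACK_LINE):
        print(explain(sample))
```

Run against the thread's line, the classifier reports INVALID: a bare RST with no tracked connection behind it cannot match `--state NEW`, so falling through to the LOG and DROP rules is expected behaviour rather than a hole in the third rule. If you want these packets told apart from genuine policy drops in the log, a `-m state --state INVALID -j LOG` (and DROP) rule placed before the NEW rule gives them their own prefix.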