From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: LAN pass, but not loopback
Date: Sat, 21 May 2005 18:24:40 -0500
Message-ID: <428FC338.4090402@riverviewtech.net>
In-Reply-To: <200505210026.47727.98111@free.fr>
> The problem is it doesn't: it contains, among other things,
> #Loopback interface
> iptables -A INPUT -o lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> From the inside, wget http://my_server works as it should, from outside also,
> but not from the computer itself!
> For the same reason (I think) Samba cannot connect to CUPS... and I have many
> other problems.
> I've tried as I could to understand this problem but failed. On the other
> hand, each time I suspected a bug in a complex piece of software (iptables here), I
> was wrong.
> So, if someone would have time to tell me where... mummy would be very happy as she
> could print again -_^.
What interface / IP do you have Apache, Samba, and CUPS listening on? I am willing to bet that they are not listening on lo (127.0.0.1). The reason that I ask is that I'm betting that your services are trying to talk to each other on your internal LAN interface (eth1). You might also want to try setting a filter:FORWARD policy of ACCEPT for testing to see if things start working again.
> By the way, what do you think of the way I tried to reduce the overload due to
> TARPIT ? Would it work ?
I like the way that you are using a subchain to do your possible TARPITing and jumping to that chain from all your other chains that you want to TARPIT the traffic from. However, I think you might want to emulate this functionality in the raw table so that you can send the traffic that you would want to send to the TARPIT target to the NOTRACK state to prevent the connection tracking subsystem from consuming resources tracking said traffic. The basic idea behind this is laid out below:
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t filter -A INPUT -p tcp --dport 80 -j TARPIT
iptables -t filter -A FORWARD -p tcp --dport 80 -j TARPIT
This will cause any web traffic (Code Red, etc.) that would be destined to your firewall to be sent to the TARPIT target without consuming any connection tracking resources, as they are told not to be tracked via the NOTRACK target in the raw:PREROUTING table and chain.
Grant. . . .
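An added example, not part of the original thread: the quoted ruleset uses -o in the INPUT chain, which iptables refuses (there is no outbound interface at INPUT), so that ACCEPT rule is never loaded and loopback traffic falls through to whatever the policy is. The script below lints rules for exactly that interface-flag mistake, then emits the corrected loopback rules and the raw/NOTRACK + TARPIT pattern from the reply. It is dry-run by default (APPLY=1 as root is assumed to mean the TARPIT extension is installed on that host).

```shell
#!/bin/sh
# Added example, not from the thread. Lints iptables rules for the
# interface-flag mistake in the quoted ruleset (-o in INPUT is rejected
# by iptables, so the rule is simply absent), then prints the corrected
# loopback rules and the raw/NOTRACK + TARPIT pattern from the reply.
# Dry-run by default: rules are applied only with APPLY=1 as root.

# lint_rule "RULE": fail (return 1) when the rule matches an interface
# iptables can never know in that chain: -o in INPUT/PREROUTING (no
# outbound interface yet) or -i in OUTPUT/POSTROUTING (no inbound one).
lint_rule() {
  chain= in= out=
  set -- $1
  while [ $# -gt 0 ]; do
    case $1 in
      -A|-I) chain=$2 ;;
      -i|--in-interface) in=1 ;;
      -o|--out-interface) out=1 ;;
    esac
    shift
  done
  case $chain in
    INPUT|PREROUTING) [ -z "$out" ] ;;
    OUTPUT|POSTROUTING) [ -z "$in" ] ;;
    *) true ;;
  esac
}

# loopback_rules: INPUT matches the inbound interface (-i), OUTPUT the
# outbound one (-o); both are needed for 127.0.0.1 traffic to pass.
loopback_rules() {
  printf '%s\n' 'iptables -A INPUT -i lo -j ACCEPT' \
                'iptables -A OUTPUT -o lo -j ACCEPT'
}

# tarpit_rules PORT: mark the port NOTRACK in raw:PREROUTING so conntrack
# never builds state for it, then TARPIT it in filter:INPUT/FORWARD.
tarpit_rules() {
  printf '%s\n' "iptables -t raw -A PREROUTING -p tcp --dport $1 -j NOTRACK" \
                "iptables -t filter -A INPUT -p tcp --dport $1 -j TARPIT" \
                "iptables -t filter -A FORWARD -p tcp --dport $1 -j TARPIT"
}

# Lint every generated rule, then print (or, with APPLY=1 as root, run) it.
{ loopback_rules; tarpit_rules 80; } | while IFS= read -r r; do
  lint_rule "$r" || { echo "BAD interface flag for chain: $r" >&2; exit 1; }
  if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then $r; else echo "$r"; fi
done
```

Running the quoted ruleset through lint_rule flags the INPUT/-o line before it is ever handed to iptables, which is the check a firewall script should do when it otherwise ignores per-rule errors.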
Thread overview: 2 messages
2005-05-20 22:26 LAN pass, but not loopback - un_brice
2005-05-21 23:24 ` Taylor, Grant [this message]