From: Iulian Topliceanu <iulian.topliceanu@net-m.de>
To: netfilter@lists.netfilter.org
Subject: IPTABLES drops packages for existing rules
Date: Fri, 23 Sep 2005 12:22:35 +0200
Message-ID: <4333D76B.9030900@net-m.de>


Hi,

I have a Fedora Core 3 on a box with plenty of RAM (1 GB) dual P4 and
so on.

The structure is simple: 3 NICs

eth0 - outside
eth1 - intranet
eth2 - heartbeat

There are plenty of ACCEPT rules, and in the end a general DENY rule,
to drop everything that didn't match the ACCEPT rules (obviously)

There are plenty of NAT rules as well, port forwarding and stuff like that.

Now, *sometimes* but just *sometimes*, ICMP and TCP packets are
simply matching the general DENY rule and getting dropped, though there is a
rule that says that LAN hosts can communicate without restrictions
between them (there are 8 subnets).

So, there are moments when IPTABLES is behaving as if that ACCEPT rule
didn't exist, simply denying packets from one LAN host to another LAN host.

If it matters, most of the denied packets are ICMP TYPE 0 (around 10
000 packets / 24 h) and TCP packets on various SQL ports (around 35
packets / 24 h).

No, this wouldn't be a PITA if the monitoring system sent alarms
in these moments. Everything seems to happen randomly.

What's the problem? I guess it's an IPTABLES issue not some
ip_conntrack trick.

Thanks for the suggestions,
Iulian Topliceanu
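Added example, not part of the original post: the usual first diagnostic step for the symptom described above is to put a `-j LOG --log-prefix "DENY-LOG: "` rule immediately before the catch-all DROP and then see exactly which packets reach it. The script below parses such LOG-target lines (the sample lines, the "DENY-LOG:" prefix and the 10.0.0.0/16 LAN range are constructed assumptions) and separates LAN-to-LAN drops, which the unrestricted LAN ACCEPT rule should have caught, from drops of traffic arriving from outside.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in iptables LOG-target format (not from the original post),
# assuming a LOG rule with prefix "DENY-LOG: " sits right before the final catch-all DROP.
SAMPLE_LOG = """\
Sep 23 10:15:02 fw kernel: DENY-LOG: IN=eth1 OUT=eth1 SRC=10.0.1.10 DST=10.0.2.20 LEN=84 TTL=64 PROTO=ICMP TYPE=0 CODE=0 ID=5 SEQ=1
Sep 23 10:15:03 fw kernel: DENY-LOG: IN=eth1 OUT=eth1 SRC=10.0.3.5 DST=10.0.1.10 LEN=60 TTL=64 PROTO=TCP SPT=45231 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 23 10:15:04 fw kernel: DENY-LOG: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.1.10 LEN=40 TTL=51 PROTO=TCP SPT=6000 DPT=1433 WINDOW=512 RES=0x00 SYN URGP=0
Sep 23 10:15:05 fw kernel: DENY-LOG: IN=eth1 OUT=eth1 SRC=10.0.1.10 DST=10.0.2.20 LEN=84 TTL=64 PROTO=ICMP TYPE=0 CODE=0 ID=5 SEQ=2
"""

# The LAN address space the unrestricted LAN-to-LAN ACCEPT rule is meant to cover (constructed).
LAN_NETS = [ipaddress.ip_network("10.0.0.0/16")]

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one DENY-LOG line as a dict, or None for other lines."""
    if "DENY-LOG:" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("DENY-LOG:", 1)[1]))

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def describe(f):
    """Label a packet by protocol plus ICMP type or TCP/UDP destination port."""
    if f.get("PROTO") == "ICMP":
        return f"ICMP type {f.get('TYPE', '?')}"
    return f"{f.get('PROTO', '?')} dpt {f.get('DPT', '?')}"

def summarize(text):
    """Count catch-all drops per (ingress iface, label); LAN-to-LAN ones should have matched ACCEPT."""
    lan_to_lan, other = Counter(), Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        bucket = lan_to_lan if is_lan(f["SRC"]) and is_lan(f["DST"]) else other
        bucket[(f.get("IN", ""), describe(f))] += 1
    return lan_to_lan, other

if __name__ == "__main__":
    lan, other = summarize(SAMPLE_LOG)
    print("LAN-to-LAN drops (should not happen):", dict(lan))
    print("Other drops:", dict(other))
```

Feed it the real kernel log (`grep DENY-LOG /var/log/messages`) instead of `SAMPLE_LOG`; a non-empty LAN-to-LAN bucket pins down which interface, ICMP type or port is slipping past the ACCEPT rule, which is the data needed to tell a rule-ordering problem from a conntrack one.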