* IPTABLES drops packages for existing rules
From: Iulian Topliceanu @ 2005-09-23 10:22 UTC (permalink / raw)
  To: netfilter

Hi,

I have a Fedora Core 3 box with plenty of RAM (1 GB), dual P4 and
so on.

The structure is simple: 3 NICs

eth0 - outside
eth1 - intranet
eth2 - heartbeat

There are plenty of ACCEPT rules, and at the end a general DENY rule,
to drop everything that didn't match the ACCEPT rules (obviously).

There are plenty of NAT rules as well, port forwarding and stuff like that.

Now, *sometimes*, but just *sometimes*, ICMP and TCP packets are
simply matching the general DENY rule and being dropped, even though
there is a rule that says LAN hosts can communicate without
restrictions between themselves (there are 8 subnets).

So there are moments when IPTABLES is behaving as if that ACCEPT rule
didn't exist, simply denying packets from one LAN host to another LAN host.

If it matters, most of the denied packets are ICMP type 0 (around
10,000 packets / 24 h) and TCP packets on various SQL ports (around 35
packets / 24 h).

No, this wouldn't be a PITA if the monitoring system would send alarms
at those moments. Everything seems to happen randomly.

What's the problem? I guess it's an IPTABLES issue, not some
ip_conntrack trick.

Thanks for the suggestions,
Iulian Topliceanu


* Re: IPTABLES drops packages for existing rules
From: /dev/rob0 @ 2005-09-23 13:14 UTC (permalink / raw)
  To: netfilter

On Friday 23 September 2005 05:22, Iulian Topliceanu wrote:
> There are plenty of ACCEPT rules, and in the end a general DENY

"DENY"? Is that an ipchains target?

> to drop everything that didn't match the ACCEPT rules (obviously)
>
> There are plenty of NAT rules as well, port forwarding and stuff like that.

Not knowing what those rules are, I cannot help you. Of course if it's 
as huge and complex as I suspect it is I probably wouldn't even try. I 
have work to get done today.

> Now, *sometimes*, but just *sometimes*, ICMP and TCP packets are
> simply matching the general DENY rule and being dropped, even though
> there is a rule that says LAN hosts can communicate without
> restrictions between themselves (there are 8 subnets).

So you have seen some kind of pattern. Try LOG for packets before 
the ... well, you said "DENY" but I am not so sure. The string DENY 
(case insensitive) is not in my iptables(8) manual. LOG only what 
matches your pattern.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
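The LOG approach the reply recommends, worked through as an added example (this is not code from the thread, nor from iptables or netfilter): one function generates LOG rules that match only the pattern the poster already reported (LAN-to-LAN ICMP echo-reply and TCP to SQL ports) and inserts them immediately ahead of the terminal DROP, and a second parses the resulting kernel log lines into a count per flow, so the "random" drops turn into a list of who, what and how often. The interface name, subnets, SQL ports, log prefix, rule index and the sample log lines are all constructed assumptions; nothing here is taken from the poster's ruleset.

```python
"""Added example, not code from the thread or from iptables: generate the
narrow LOG rules the reply suggests (log only the pattern already observed,
placed just ahead of the terminal DROP) and summarise the kernel log lines
they produce. Interface names, subnets, ports, the log prefix, the DROP
rule index and the sample log lines are constructed assumptions."""
import re
from collections import Counter

LAN_IF = "eth1"                  # assumed: all eight LAN subnets sit behind eth1
SQL_PORTS = (1433, 3306, 5432)   # assumed meaning of "various SQL ports"
LOG_PREFIX = "LANDROP "          # hypothetical --log-prefix; makes grep/parsing trivial
RATE = "10/min"                  # -m limit so a burst cannot fill syslog


def log_rule_commands(drop_index, chain="FORWARD"):
    """Return the iptables commands to run. drop_index is the number of the
    final DROP rule as shown by `iptables -L <chain> -n --line-numbers`; -I at
    that index lands each LOG rule ahead of the DROP, so only LAN-to-LAN
    packets that would otherwise be dropped, and only those matching the
    reported pattern, get logged. Nothing else in the ruleset changes."""
    common = (f'iptables -I {chain} {drop_index} -i {LAN_IF} -o {LAN_IF} {{match}} '
              f'-m limit --limit {RATE} -j LOG --log-prefix "{LOG_PREFIX}"')
    return [
        # ICMP type 0 (echo-reply): the bulk of the reported drops
        common.format(match="-p icmp --icmp-type echo-reply"),
        # TCP to the SQL ports: the rest of the reported drops
        common.format(match="-p tcp -m multiport --dports "
                      + ",".join(str(p) for p in SQL_PORTS)),
    ]


FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line carrying our prefix, or None.
    Bare flags such as SYN or DF have no '=' and are skipped; ICMP lines carry
    two ID= fields (IP header and ICMP), and the last one wins, which is fine
    for counting."""
    at = line.find(LOG_PREFIX)
    if at < 0:
        return None
    return dict(FIELD.findall(line[at + len(LOG_PREFIX):]))


def summarize(lines):
    """Count logged drops by (proto, detail, src, dst), where detail is the
    ICMP type or the TCP destination port."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if not fields:
            continue
        proto = fields.get("PROTO", "?")
        if proto == "ICMP":
            detail = "type " + fields.get("TYPE", "?")
        else:
            detail = "dport " + fields.get("DPT", "?")
        counts[(proto, detail, fields.get("SRC", "?"), fields.get("DST", "?"))] += 1
    return counts


# Constructed sample of what the LOG rules above would write to the kernel log
# (syslog framing included); the last line has no prefix and must be ignored.
SAMPLE_LOG = """\
Sep 23 10:22:01 fw kernel: LANDROP IN=eth1 OUT=eth1 SRC=10.0.2.7 DST=10.0.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=43210 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=17
Sep 23 10:22:02 fw kernel: LANDROP IN=eth1 OUT=eth1 SRC=10.0.2.7 DST=10.0.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=43211 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=18
Sep 23 10:23:40 fw kernel: LANDROP IN=eth1 OUT=eth1 SRC=10.0.3.9 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=41532 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 23 10:24:02 fw kernel: OTHER IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.1 PROTO=TCP DPT=22
"""

if __name__ == "__main__":
    for cmd in log_rule_commands(drop_index=42):   # 42: assumed index of the DROP
        print(cmd)
    for (proto, detail, src, dst), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:6d}  {proto:4s} {detail:12s} {src} -> {dst}")
```

In use you would replace SAMPLE_LOG with the output of `grep LANDROP /var/log/messages` (or wherever klogd writes kern.* on the box) and compare the timestamps of the bursts against whatever else the box was doing at those moments. Since the poster already mentions ip_conntrack, the one thing worth checking alongside this on a 2.6 kernel of that era is whether the table is filling up: the kernel logs "ip_conntrack: table full, dropping packet" when it does, and `wc -l /proc/net/ip_conntrack` against `/proc/sys/net/ipv4/ip_conntrack_max` shows how close it is. That is a general check, not a diagnosis of this box; the LOG counts are what tell you whether the drops line up with it.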


