[LARTC] Possible bug with multiport?

[LARTC] Possible bug with multiport?

[Kirk Reiser]

Hi Folks:  I am either using the multiport of the -m or --match option
of iptables in correctly or there is a bug with it.  Is anyone else
using it with no problem?  This is the way I am trying to use it:

my_ports!,25,80 
iptables -t nat -A PREROUTING -i $wan_addr -p tcp -m multiport
--dports $my_ports -j DNAT --to $my_internal_address

I have used this in the past successfully but that was a few years
ago.  I get no errors or warnings it just ignors the ports.  The
multiport invokation shows up in an iptables -t nat -L -v however.
The packet and byte counts never get incremented either from zero.

Any pointers would sure be helpful, having to include a line for every
port check seems wasteful.

  Kirk

-- 

Kirk Reiser				The Computer Braille Facility
e-mail: kirk@braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Possible bug with multiport?

[Patrick McHardy]

CCed netfilter-devel.

Kirk Reiser wrote:
> Hi Folks:  I am either using the multiport of the -m or --match option
> of iptables in correctly or there is a bug with it.  Is anyone else
> using it with no problem?  This is the way I am trying to use it:
> 
> my_ports!,25,80 
> iptables -t nat -A PREROUTING -i $wan_addr -p tcp -m multiport
> --dports $my_ports -j DNAT --to $my_internal_address
> 
> I have used this in the past successfully but that was a few years
> ago.  I get no errors or warnings it just ignors the ports.  The
> multiport invokation shows up in an iptables -t nat -L -v however.
> The packet and byte counts never get incremented either from zero.
> 
> Any pointers would sure be helpful, having to include a line for every
> port check seems wasteful.

Please post your kernel version, your iptables version and the
output of iptables -vxnL.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: Possible bug with multiport?

[Patrick McHardy]

CCed netfilter-devel.

Kirk Reiser wrote:
> Hi Folks:  I am either using the multiport of the -m or --match option
> of iptables in correctly or there is a bug with it.  Is anyone else
> using it with no problem?  This is the way I am trying to use it:
> 
> my_ports=21,25,80 
> iptables -t nat -A PREROUTING -i $wan_addr -p tcp -m multiport
> --dports $my_ports -j DNAT --to $my_internal_address
> 
> I have used this in the past successfully but that was a few years
> ago.  I get no errors or warnings it just ignors the ports.  The
> multiport invokation shows up in an iptables -t nat -L -v however.
> The packet and byte counts never get incremented either from zero.
> 
> Any pointers would sure be helpful, having to include a line for every
> port check seems wasteful.

Please post your kernel version, your iptables version and the
output of iptables -vxnL.

Re: [LARTC] Possible bug with multiport?

[William L. Thomson Jr.]

On Wed, 2006-03-15 at 06:47 -0500, Kirk Reiser wrote:
> Hi Folks:  I am either using the multiport of the -m or --match option
> of iptables in correctly or there is a bug with it.  Is anyone else
> using it with no problem? 

I am using it and no functional problems. :)

> I have used this in the past successfully but that was a few years
> ago.  I get no errors or warnings it just ignors the ports.  The
> multiport invokation shows up in an iptables -t nat -L -v however.
> The packet and byte counts never get incremented either from zero.

Well that's another story. In my case most of my byte counters never get
incremented either. However the rules are working, since packets are
comping and going. No way for them to otherwise.

I believe there is a bug on the counters portion. But it's not across
the board because some of my multi port counters get incremented. And
some do not.

Linux version 2.6.14-hardened-r5 (root@lrt) (gcc version 3.4.5 (Gentoo
Hardened 3.4.5, ssp-3.4.5-1.0, pie-8.7.9))

iptables v1.3.4

-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
http://www.obsidian-studios.com

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Possible bug with multiport?

[Kirk Reiser]

Patrick McHardy <kaber@trash.net> writes:

> Please post your kernel version, your iptables version and the
> output of iptables -vxnL.

Woops!  The kernel is linux 2.6.15.6 and the iptables is 1.3.3.  I
will have to reconstruct the script using multiport so that will take
some time to get the iptables -vxnL.

  Kirk

-- 
Kirk Reiser				The Computer Braille Facility
e-mail: kirk@braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: Possible bug with multiport?

[Kirk Reiser]

Patrick McHardy <kaber@trash.net> writes:

> Please post your kernel version, your iptables version and the
> output of iptables -vxnL.

Woops!  The kernel is linux 2.6.15.6 and the iptables is 1.3.3.  I
will have to reconstruct the script using multiport so that will take
some time to get the iptables -vxnL.

  Kirk

-- 
Kirk Reiser				The Computer Braille Facility
e-mail: kirk@braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061

Re: [LARTC] Possible bug with multiport?

[Patrick McHardy]

Kirk Reiser wrote:
> Patrick McHardy <kaber@trash.net> writes:
> 
> 
>>Please post your kernel version, your iptables version and the
>>output of iptables -vxnL.
> 
> 
> Woops!  The kernel is linux 2.6.15.6 and the iptables is 1.3.3.  I
> will have to reconstruct the script using multiport so that will take
> some time to get the iptables -vxnL.

IIRC we had a bug in iptables with revision matching (which affects
multiport), could you try the latest version?
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: Possible bug with multiport?

[Patrick McHardy]

Kirk Reiser wrote:
> Patrick McHardy <kaber@trash.net> writes:
> 
> 
>>Please post your kernel version, your iptables version and the
>>output of iptables -vxnL.
> 
> 
> Woops!  The kernel is linux 2.6.15.6 and the iptables is 1.3.3.  I
> will have to reconstruct the script using multiport so that will take
> some time to get the iptables -vxnL.

IIRC we had a bug in iptables with revision matching (which affects
multiport), could you try the latest version?

Re: [LARTC] Possible bug with multiport?

[Kirk Reiser]

Patrick McHardy <kaber@trash.net> writes:

> IIRC we had a bug in iptables with revision matching (which affects
> multiport), could you try the latest version?

If you want to give me a pointer to it or to cvs I'd be happy to.

To my previous problem it appears that I was mistaken.  I was trying
to use nc with port 25 when testing and forgot that our ITS department
had port 25 blocked up stream so it wasn't iptables fault at all.
Took me some tcpdump monitoring to realize the packets were never even
getting to the box running the iptables script.  Subsequent test with
multiport statements appear to be running okay so far.

  Kirk

-- 

Kirk Reiser				The Computer Braille Facility
e-mail: kirk@braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: Possible bug with multiport?

[Kirk Reiser]

Patrick McHardy <kaber@trash.net> writes:

> IIRC we had a bug in iptables with revision matching (which affects
> multiport), could you try the latest version?

If you want to give me a pointer to it or to cvs I'd be happy to.

To my previous problem it appears that I was mistaken.  I was trying
to use nc with port 25 when testing and forgot that our ITS department
had port 25 blocked up stream so it wasn't iptables fault at all.
Took me some tcpdump monitoring to realize the packets were never even
getting to the box running the iptables script.  Subsequent test with
multiport statements appear to be running okay so far.

  Kirk

-- 

Kirk Reiser				The Computer Braille Facility
e-mail: kirk@braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061