* Shouldn't this rule catch all packets
@ 2006-12-14 19:16 jwlargent
From: jwlargent @ 2006-12-14 19:16 UTC (permalink / raw)
  To: NetFilter

I was trying to debug some errors in my iptables setup so I added the 
following rules to my OUTPUT, just to see what packets were going out.

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

When I do iptables -L OUTPUT -v it shows some packets are falling 
through to the last rule.
Shouldn't the first rule catch all the packets?

Jeff



* Re: Shouldn't this rule catch all packets
From: Petr Pisar @ 2006-12-14 19:56 UTC (permalink / raw)
  To: netfilter

On 2006-12-14, jwlargent <jwlargent@vlsmaps.com> wrote:
> I was trying to debug some errors in my iptables setup so I added the 
> following rules to my OUTPUT, just to see what packets were going out.
>
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> When I do iptables -L OUTPUT -v it shows some packets are falling 
> through to the last rule.
> Shouldn't the first rule catch all the packets?
>
No. There exists a fourth state called INVALID. E.g. a TCP packet with ACK
which is not part of any tracked TCP connection is INVALID. Naturally,
INVALID packets are ill packets and they shouldn't appear, but the reality
is different.

-- Petr




* Re: Shouldn't this rule catch all packets
From: jwlargent @ 2006-12-14 21:46 UTC (permalink / raw)
  To: NetFilter

Petr Pisar wrote:
> On 2006-12-14, jwlargent <jwlargent@vlsmaps.com> wrote:
>   
>> I was trying to debug some errors in my iptables setup so I added the 
>> following rules to my OUTPUT, just to see what packets were going out.
>>
>> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -j ACCEPT
>>
>> When I do iptables -L OUTPUT -v it shows some packets are falling 
>> through to the last rule.
>> Shouldn't the first rule catch all the packets?
>>
>>     
> No. There exists a fourth state called INVALID. E.g. a TCP packet with ACK
> which is not part of any tracked TCP connection is INVALID. Naturally,
> INVALID packets are ill packets and they shouldn't appear, but the reality
> is different.
>
> -- Petr
>
>   
So I put in a log rule for --state INVALID and sure enough, that's what it
was.
The packets are part of my ssh connection, TCP with ACK.

IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=276 TOS=0x10 PREC=0x00 TTL=64 ID=1146 DF PROTO=TCP SPT=22 DPT=38858 WINDOW=3228 RES=0x00 ACK PSH URGP=0
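Added example (not from the thread, and not code either poster ran): an
OUTPUT chain that logs and drops INVALID ahead of the state ACCEPT rule
instead of letting it fall through to a blanket ACCEPT, plus a POSIX sh
parser for the kernel LOG line format shown above that pulls out the
addresses, ports and TCP flags so the kind of INVALID packet is obvious at
a glance. It assumes the legacy -m state match and the LOG target used in
the original post; the rule-loading function needs root and is only
defined, not called. The sample log line is constructed (documentation
addresses in place of the masked ones) and the function and log-prefix
names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the legacy iptables
# "state" match and the LOG target, as in the original post.

# Make INVALID visible instead of letting it fall through to a blanket
# ACCEPT. Order matters: an INVALID packet is neither NEW nor ESTABLISHED,
# so the INVALID rules must sit before the state ACCEPT rule.
# Needs root; defined here but not called.
load_output_rules() {
    iptables -F OUTPUT
    iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "OUT-INVALID: "
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    # Nothing should reach this rule; log it so a hole in the rules above
    # is noticed rather than silently accepted.
    iptables -A OUTPUT -j LOG --log-prefix "OUT-FALLTHROUGH: "
}

# Parse one kernel LOG line into "PROTO src:sport -> dst:dport flags=F,F".
# Tokens follow the kernel's own LOG format: KEY=VALUE pairs plus bare TCP
# flag words (SYN ACK PSH FIN RST URG). Pure POSIX sh, no external tools;
# the scratch variables are global because POSIX sh has no "local".
summarize_log_line() {
    proto= src= dst= spt= dpt= flags=
    set -f   # no glob expansion while word-splitting the line
    for tok in $1; do
        case $tok in
            PROTO=*) proto=${tok#PROTO=} ;;
            SRC=*)   src=${tok#SRC=} ;;
            DST=*)   dst=${tok#DST=} ;;
            SPT=*)   spt=${tok#SPT=} ;;
            DPT=*)   dpt=${tok#DPT=} ;;
            SYN|ACK|PSH|FIN|RST|URG) flags="${flags:+$flags,}$tok" ;;
        esac
    done
    set +f
    printf '%s %s:%s -> %s:%s flags=%s\n' \
        "$proto" "$src" "$spt" "$dst" "$dpt" "${flags:-none}"
}

# Given the comma-separated flag list, say what kind of INVALID packet
# this most likely is. A bare ACK with no conntrack entry is the case
# Petr describes: a mid-stream segment conntrack has no connection for.
invalid_hint() {
    case ",$1," in
        *,SYN,*) echo "SYN set: handshake segment conntrack did not accept" ;;
        *,ACK,*) echo "ACK without SYN: mid-stream segment of a connection conntrack has no entry for" ;;
        *)       echo "no TCP flags parsed: not TCP, or not a LOG line" ;;
    esac
}

# Constructed sample in the same shape as the line in the thread, with
# RFC 5737 documentation addresses in place of the masked ones.
SAMPLE='OUT-INVALID: IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.7 LEN=276 TOS=0x10 PREC=0x00 TTL=64 ID=1146 DF PROTO=TCP SPT=22 DPT=38858 WINDOW=3228 RES=0x00 ACK PSH URGP=0'

summary=$(summarize_log_line "$SAMPLE")
echo "$summary"
invalid_hint "${summary##*flags=}"
```

Run load_output_rules as root on a test box, then feed the OUT-INVALID
lines from the kernel log to summarize_log_line. On current kernels
-m conntrack --ctstate is the equivalent of -m state --state; the rules
are otherwise the same.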



