netfilter missing interface name

netfilter missing interface name

[Nemeth Denes]

Hi

The INPUT chain looks like the following:

pkts bytes target     prot opt in     out     source               
destination
  35  3235 LOG_DROP   all  --  pub    *       0.0.0.0/0           
!1.2.3.4      [goto]
   0  0    LOG_ACC    tcp  --  *      *       127.0.0.1            
127.0.0.1           state NEW tcp dpt:3000

The following packet is dropped:

IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 
ID=31349 DF PROTO=TCP SPT=35130 DPT=3000 WINDOW=32792 RES=0x00 SYN URGP=

which was the cause of executing the "telnet localhost 3000" command
The "pub" interface is a physical ethernet card.

Why is the "IN=" blanc?
Why does the packet match to the first rule?
How is it possible to match only to the second rule?

Thanks Denes

Re: netfilter missing interface name

[Mart Frauenlob]

On 15.02.2010 10:27, netfilter-owner@vger.kernel.org wrote:
> Hi
> 
> The INPUT chain looks like the following:
> 
> pkts bytes target     prot opt in     out     source              
> destination
>  35  3235 LOG_DROP   all  --  pub    *       0.0.0.0/0          
> !1.2.3.4      [goto]
>   0  0    LOG_ACC    tcp  --  *      *       127.0.0.1           
> 127.0.0.1           state NEW tcp dpt:3000
> 
> The following packet is dropped:
> 
> IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64
> ID=31349 DF PROTO=TCP SPT=35130 DPT=3000 WINDOW=32792 RES=0x00 SYN URGP=
> 
> which was the cause of executing the "telnet localhost 3000" command
> The "pub" interface is a physical ethernet card.
> 
> Why is the "IN=" blanc?
> Why does the packet match to the first rule?
> How is it possible to match only to the second rule?
> 
> Thanks Denes


Looks like this is dropped in the OUTPUT chain. It never reaches the
INPUT chain.

Best regards

Mart