From: "Gáspár Lajos" <swifty@freemail.hu>
To: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Dropped packets logged which should be accepted by Conntrack
Date: Tue, 15 Nov 2011 10:47:01 +0100
Message-ID: <4EC23515.8020808@freemail.hu>
In-Reply-To: <1321326448.2936.43.camel@denise.theartistscloset.com>
Hi John,
On 2011-11-15 04:07, John A. Sullivan III wrote:
> Hello, all. I find myself perplexed by what I often see in our logs.
> At the end of our FORWARD chain, we log drops for no matches:
>
> [root@fw01 log]# iptables -v -n -L FORWARD
> Chain FORWARD (policy DROP 528K packets, 85M bytes)
> pkts  bytes target      prot opt in  out source    destination
> 16M   925M  TCPMSS      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 2284M 1690G ACCEPT      all  --  *   *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 7890K 594M  VPN_ALLOW   all  --  *   *   0.0.0.0/0 0.0.0.0/0 MARK match 0xcccc/0xcccc
> 27M   2609M UPEPIN_DENY all  --  *   *   0.0.0.0/0 0.0.0.0/0
> 27M   2609M UPEPIN      all  --  *   *   0.0.0.0/0 0.0.0.0/0
> 528K  85M   LOG         all  --  *   *   0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `No Match: '
>
> The above shows SMTP, LDAP, and memcached replies which should have been
> accepted. Why would I see this?
I do not know what kind of rules you have between the
"RELATED,ESTABLISHED" and the "LOG/DROP" rules, but I do not see any
"conntrack NEW" rule there...
And as far as I can tell, your UPEPIN_DENY chain does not get any hit...
(If that chain is meant to deny any unwanted traffic.)
To answer your question:
You see those logs because the packets are:
- not "RELATED" or "ESTABLISHED",
- not filtered in the VPN_ALLOW chain (not marked with 0xcccc),
- not dropped in the UPEPIN_DENY chain,
- not accepted in the UPEPIN chain...
These packets can be:
a, "NEW",
b, "INVALID",
c, "UNTRACKED",
and none of them are "ACCEPT"-ed... :D
Swifty
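The walk Swifty describes (skip the rules whose state match excludes the packet, fall through the user chains, end at the first unconditional terminating target) can be done mechanically against the listing John posted. The script below is an added example and is not code from the thread or from the netfilter project: it parses the text that `iptables -v -n -L <chain>` prints, reflowed to one line per rule, and reports for each conntrack state which targets it passes and whether anything handles it before the chain policy. The first listing is reconstructed from the quoted output; the second is a hypothetical variant I constructed with explicit `ctstate INVALID` and `ctstate NEW` rules, to show how a separate log prefix for INVALID packets lets you tell the three cases apart in the log. User chains (VPN_ALLOW, UPEPIN_DENY, UPEPIN) are not visible in the listing, so the script assumes a packet can return from them, which is the assumption the reply makes too.

```python
"""Which conntrack states can fall through to the end of an iptables chain?

Added example, not code from the original thread. It parses an
`iptables -v -n -L` listing and walks each conntrack state through the chain:
a rule whose state match excludes the state is skipped, a jump into a user
chain (contents not visible here) is assumed to fall through, and an
unconditional ACCEPT/DROP/REJECT for the state ends the walk.
"""
import re

CT_STATES = ("NEW", "RELATED", "ESTABLISHED", "INVALID", "UNTRACKED")
TERMINATING = ("ACCEPT", "DROP", "REJECT")
STATE_RE = re.compile(r"\b(?:ct)?state\s+([A-Z,]+)")
POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

# Constructed: the FORWARD chain quoted in the thread, one line per rule.
FORWARD_FROM_THREAD = """\
Chain FORWARD (policy DROP 528K packets, 85M bytes)
 pkts bytes target      prot opt in  out source    destination
  16M  925M TCPMSS      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2284M 1690G ACCEPT      all  --  *   *   0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7890K  594M VPN_ALLOW   all  --  *   *   0.0.0.0/0 0.0.0.0/0 MARK match 0xcccc/0xcccc
  27M 2609M UPEPIN_DENY all  --  *   *   0.0.0.0/0 0.0.0.0/0
  27M 2609M UPEPIN      all  --  *   *   0.0.0.0/0 0.0.0.0/0
 528K   85M LOG         all  --  *   *   0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `No Match: '
"""

# Constructed (hypothetical, not from the thread): INVALID is logged with its
# own prefix and dropped, NEW is handed to UPEPIN, so only unmatched NEW and
# UNTRACKED packets reach the final "No Match" LOG rule.
FORWARD_WITH_STATE_RULES = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in  out source    destination
    0     0 ACCEPT      all  --  *   *   0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
    0     0 LOG         all  --  *   *   0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix `Invalid: '
    0     0 DROP        all  --  *   *   0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    0     0 UPEPIN      all  --  *   *   0.0.0.0/0 0.0.0.0/0 ctstate NEW
    0     0 LOG         all  --  *   *   0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `No Match: '
"""


def parse_listing(text):
    """Split an `iptables -v -n -L` listing into (policy, rules).

    Each rule keeps the fixed columns plus 'match', the free-form text iptables
    prints after the destination column (state matches, marks, target options).
    """
    policy, rules = None, []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        fields = line.split(None, 9)          # 9 fixed columns, remainder is match text
        if len(fields) < 9 or fields[0] == "pkts":
            continue                          # blank line or column header
        rules.append({
            "target": fields[2], "proto": fields[3], "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "match": fields[9].strip() if len(fields) > 9 else "",
        })
    return policy, rules


def state_match(rule):
    """States named in the rule's state/ctstate match, or None if it has none."""
    m = STATE_RE.search(rule["match"])
    return set(m.group(1).split(",")) if m else None


def is_unconditional(rule):
    """True if nothing besides a state match restricts the rule."""
    leftovers = STATE_RE.sub("", rule["match"])
    leftovers = re.sub(r"reject-with \S+", "", leftovers).strip()  # REJECT's option is not a match
    return (rule["proto"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0" and leftovers == "")


def walk_states(text):
    """Per conntrack state: the targets a packet passes and the terminating target
    that finally handles it (None means it reaches the chain policy)."""
    policy, rules = parse_listing(text)
    report = {}
    for state in CT_STATES:
        path, handled_by = [], None
        for rule in rules:
            wanted = state_match(rule)
            if wanted is not None and state not in wanted:
                continue                      # rule cannot match a packet in this state
            path.append(rule["target"])
            if rule["target"] in TERMINATING and is_unconditional(rule):
                handled_by = rule["target"]   # every packet in this state ends here
                break
            # TCPMSS and LOG are non-terminating; a user chain may return the packet.
        report[state] = {"path": path, "handled_by": handled_by, "policy": policy}
    return report


def unhandled_states(text):
    """States that can reach the end of the chain, and thus its policy, unhandled."""
    return [s for s, r in walk_states(text).items() if r["handled_by"] is None]


if __name__ == "__main__":
    for name, listing in (("thread", FORWARD_FROM_THREAD), ("with state rules", FORWARD_WITH_STATE_RULES)):
        print(f"== {name}: fall through to policy: {unhandled_states(listing)}")
        for state, r in walk_states(listing).items():
            print(f"  {state:<11} via {' -> '.join(r['path']) or '(no rule)'}; "
                  f"handled by {r['handled_by'] or 'policy ' + r['policy']}")
```

For the listing from the thread the script reports NEW, INVALID and UNTRACKED as the states that reach the `No Match:` LOG rule and then the DROP policy, which is exactly Swifty's a/b/c list; RELATED and ESTABLISHED stop at the ACCEPT rule. In the hypothetical variant only NEW and UNTRACKED get that far, because INVALID is already logged under its own prefix and dropped, so the `No Match:` entries for SMTP, LDAP and memcached replies would become distinguishable from conntrack rejecting them as INVALID.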