From: "Marco Balle" <mb@monster-server.de>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] ipchains iproute2 and port based routing
Date: Wed, 09 Oct 2002 21:31:00 +0000
Message-ID: <marc-lartc-103419915227237@msgid-missing>
In-Reply-To: <marc-lartc-103416308716008@msgid-missing>
Next :)
>You could always try that very same diagnosing ipchains rule in your
>forward chain, i.e. "ipchains -A forward -j DENY -l". Then you'll see
>that the de-masqueraded packet is denied passing through the forward
>chain. (At least that's my guess....)
I did. I understand the deny chain now - it was my mistake.
In the forward chain I added the deny rule:
ipchains -A input -i eth2 -j DENY -l
But no packets arrive there.
I'll write it down, the short version:
Chain input (policy ACCEPT):
target  prot  opt     source          destination  ports
-       icmp  ------  192.168.0.0/24  anywhere     any -> any
Chain forward (policy ACCEPT):
target  prot  opt     source          destination  ports
MASQ    all   ------  192.168.0.0/24  anywhere     n/a
DENY    all   ----l-  anywhere        anywhere     n/a
Chain output (policy ACCEPT):
So the default policy is accept. With a ping of 4 tries, the forward -
MASQ rule added 4 packets and the icmp mark rule also added 4 packets.
But none in the DENY rule.
The same with the deny rule in the input chain:
ipchains -A forward -j DENY -l
Chain input (policy ACCEPT):
target  prot  opt     source          destination  ports
-       icmp  ------  192.168.0.0/24  anywhere     any -> any
DENY    all   ----l-  anywhere        anywhere     n/a
Chain forward (policy ACCEPT):
target  prot  opt     source          destination  ports
MASQ    all   ------  192.168.0.0/24  anywhere     n/a
Chain output (policy ACCEPT):
There, with the same ping, 4 packets were added in the MASQ, in the icmp _and_
in the input deny rule.
Hmm, if I'm not doing anything wrong, the packets get lost after the
input and before the forward chain.
What do you think?
Now it is time to go to bed, it's 11:30pm here.
I'll be at home tomorrow at 5pm CET (I hope) and will try again until
it works; the next day is free for me, so I have the whole night
tomorrow.
Marco
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
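The counter comparison Marco does by hand above (ping four times, then see which chain's rules moved by 4) as a small script. This is an added example, not code from the thread; it assumes two snapshots in the `ipchains -L -v -n -x` layout sketched in the comments, and the sample snapshots are constructed, not taken from his box.

```shell
# Diff two `ipchains -L -v -n -x` snapshots taken before and after a known burst
# of test traffic (e.g. 4 pings) and print how many packets each rule matched.
# A rule that stays at +0 while its predecessor in the packet path counts the
# burst shows where the packets vanish. Assumed layout: "Chain NAME (...)" header,
# a column header starting with "pkts", then one rule per line (count in col 1, target in col 3).
counter_delta() {
    # $1 = snapshot before the test traffic, $2 = snapshot after
    awk '
        /^Chain /  { chain = $2; rule = 0; next }   # new chain, restart rule index
        /^ *pkts / { next }                         # column header line
        NF == 0    { next }
        {
            rule++; key = chain "/" rule
            if (FNR == NR) { before[key] = $1; next } # first file: remember counts
            printf "%s rule %d (%s): +%d\n", chain, rule, $3, $1 - before[key]
        }
    ' "$1" "$2"
}

# Constructed snapshots mirroring the thread: logging DENY appended to forward
# after MASQ, then four ICMP echo requests from the 192.168.0.0/24 side.
write_samples() {
    cat > "$1" <<'EOF'
Chain input (policy ACCEPT: 10 packets, 800 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    0     0 -      icmp ------ 0xFF 0x00 *                   192.168.0.0/24 0.0.0.0/0   any -> any
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    0     0 MASQ   all  ------ 0xFF 0x00 *                   192.168.0.0/24 0.0.0.0/0   n/a
    0     0 DENY   all  ----l- 0xFF 0x00 *                   0.0.0.0/0      0.0.0.0/0   n/a
EOF
    cat > "$2" <<'EOF'
Chain input (policy ACCEPT: 14 packets, 1136 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    4   336 -      icmp ------ 0xFF 0x00 *                   192.168.0.0/24 0.0.0.0/0   any -> any
Chain forward (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
    4   336 MASQ   all  ------ 0xFF 0x00 *                   192.168.0.0/24 0.0.0.0/0   n/a
    0     0 DENY   all  ----l- 0xFF 0x00 *                   0.0.0.0/0      0.0.0.0/0   n/a
EOF
}

demo() {                       # run the comparison on the constructed snapshots
    b=$(mktemp) && a=$(mktemp) || return 1
    write_samples "$b" "$a"
    counter_delta "$b" "$a"
    rm -f "$b" "$a"
}
demo
```

On a real box, replace `write_samples` with two `ipchains -L -v -n -x > file` captures around the test pings.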
Thread overview: 8+ messages
2002-10-09 11:30 [LARTC] ipchains iproute2 and port based routing Balle Marco
2002-10-09 13:32 ` Martin A. Brown
2002-10-09 17:43 ` Marco Balle
2002-10-09 18:21 ` Martin A. Brown
2002-10-09 18:22 ` Martin A. Brown
2002-10-09 20:10 ` Marco Balle
2002-10-09 20:28 ` Martin A. Brown
2002-10-09 21:31 ` Marco Balle [this message]