From: "Stoycho Sleptsov" <stoycho@cds-bg.com>
To: netfilter@lists.netfilter.org
Subject: eth1 answers SYN/ACK to SYNs dedicated for eth0. Why?
Date: Thu, 16 Dec 2004 01:07:09 +0200
Message-ID: <006401c4e2fa$cdd164d0$3001a8c0@cpcss>
Hi.
I am new to iptables, so excuse me in advance for any strange terminology.
I have the following configuration:
an external IP assigned to eth0.
192.168.0.1 assigned to eth1.
ip_forward set to 1.
sshd waiting on 22.
iptables:
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to ext.ern.ip
COMMIT
... and suddenly external people are receiving the ssh login (sometimes, not always).
After some logging I saw that a SYN on port 22 to ext.ern.ip is accepted and answered by eth1, and afterwards it is translated and accepted as ESTABLISHED by eth0 in the filter part of iptables.
Is this normal?
For now I found a workaround in the nat table:
-A PREROUTING -d ext.ern.ip -s ! 192.168.0.0/24 -i eth1 -m state --state NEW -j DROP
But maybe I have to do something completely different so that this strange effect does not occur at all?
Thanks a lot,
Stoycho
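The rule `-A INPUT -i eth1 -j ACCEPT` matches on the arrival interface only, so a packet that arrives on eth1 addressed to the external IP (which the box also owns) is accepted before the `-i eth0 ... ESTABLISHED,RELATED` rule ever sees it. The following is an added example, not code from the original post or from the netfilter project: a small model of filter-chain matching that runs the INPUT chain as posted against a few constructed packets, alongside a tightened variant whose LAN-side ACCEPT is limited to LAN sources, and the poster's nat PREROUTING workaround. `203.0.113.10` stands in for `ext.ern.ip` and `198.51.100.7` is a made-up off-LAN source; both are assumptions for the example.

```python
"""Tiny model of iptables chain matching (illustration only, not netfilter).

It understands just the matches used in the post: -i, -s (with ! negation),
-d and -m state --state, applied in order with a chain policy fallback.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IP = "203.0.113.10"   # stand-in for "ext.ern.ip" (TEST-NET-3), an assumption
LAN = "192.168.0.0/24"    # the internal network from the post


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None
    src: Optional[str] = None
    src_negate: bool = False            # models "-s ! net"
    dst: Optional[str] = None
    states: Optional[frozenset] = None  # models "-m state --state ..."


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match option present on the rule fits the packet."""
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.src is not None:
        in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        if in_net == rule.src_negate:   # negated rule wants the source outside the net
            return False
    if rule.dst is not None:
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
            return False
    if rule.states is not None and pkt.state not in rule.states:
        return False
    return True


def run_chain(rules, policy: str, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# INPUT chain exactly as posted (policy DROP): eth1 is trusted by interface alone.
ORIGINAL_INPUT = [
    Rule("ACCEPT", in_iface="eth1"),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", in_iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"})),
]

# Tightened INPUT chain (one possible fix, an assumption of this example):
# the eth1 ACCEPT also requires a LAN source, so a SYN for the external IP
# that shows up on eth1 from elsewhere falls through to the DROP policy.
TIGHTENED_INPUT = [
    Rule("ACCEPT", in_iface="eth1", src=LAN),
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", in_iface="eth0", states=frozenset({"ESTABLISHED", "RELATED"})),
]

# The poster's nat PREROUTING workaround, modelled with the same matcher.
WORKAROUND_PREROUTING = [
    Rule("DROP", in_iface="eth1", src=LAN, src_negate=True,
         dst=EXT_IP + "/32", states=frozenset({"NEW"})),
]


def verdicts(pkt: Packet):
    """(original INPUT verdict, tightened INPUT verdict) for one packet."""
    return (run_chain(ORIGINAL_INPUT, "DROP", pkt),
            run_chain(TIGHTENED_INPUT, "DROP", pkt))


def workaround_verdict(pkt: Packet) -> str:
    """nat PREROUTING has policy ACCEPT; DROP only when the workaround rule hits."""
    return run_chain(WORKAROUND_PREROUTING, "ACCEPT", pkt)


if __name__ == "__main__":
    # Constructed packets: the problematic SYN, normal LAN traffic, and eth0 cases.
    stray_syn = Packet("eth1", "198.51.100.7", EXT_IP, 22, "NEW")
    lan_ssh = Packet("eth1", "192.168.0.5", "192.168.0.1", 22, "NEW")
    ext_syn = Packet("eth0", "198.51.100.7", EXT_IP, 22, "NEW")
    for name, p in [("stray SYN on eth1", stray_syn), ("LAN ssh", lan_ssh),
                    ("external SYN on eth0", ext_syn)]:
        print(f"{name:22} original/tightened={verdicts(p)} workaround={workaround_verdict(p)}")
```

The model makes the mechanism visible: under the posted chain the stray SYN is ACCEPTed purely because it arrived on eth1, while under the tightened chain the same packet is DROPped and ordinary LAN traffic is unaffected. On a real box the interface-only ACCEPT is the thing to fix in the filter table; a source-validation sysctl such as `net.ipv4.conf.all.rp_filter=1` is a common complementary control when the source address has no route back out the arrival interface, but the example does not depend on it.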
Thread overview: 2 messages
2004-12-15 23:07 Stoycho Sleptsov [this message]
2004-12-15 23:38 ` eth1 answers SYN/ACK to SYNs dedicated for eth0. Why? Jason Opperisano