From: Duncan Roe <duncan_roe@optusnet.com.au>
To: netfilter@vger.kernel.org
Subject: Re: linux martian packets
Date: Thu, 8 Feb 2018 10:02:11 +1100
Message-ID: <20180207230211.GA2303@dimstar.local.net>
In-Reply-To: <62fbf8b2-9536-6bf4-9fb1-825307d29262@bluemarble.net>
On Wed, Feb 07, 2018 at 02:29:52PM -0500, John Ratliff wrote:
> We have a couple of internal networks that we route between, 10.9/16 and
> 10.246/16. But when I try to reply to ICMP requests coming into a 10.246 IP
> on the host from a machine with a 10.9 IP, I can't seem to do that. I see
> the ICMP echo request packets in tcpdump, but I can't find anything in
> iptables. It seems like they're dropped before they come into the filter
> table.
>
> Is there a way I can prevent this so that I can respond to traffic from
> another non-publicly routable IP?
>
> Thanks.
Yes indeed - tcpdump gets in before any of the iptables rules so you will see
incoming packets that are subsequently dropped.
You must have an iptables rule that is dropping them, so I suggest using watch
on iptables -L to see which rule increments its counter when you ping from 10.9.
If your chains have policy drop it's possible you won't see anything - if so
then put an explicit DROP at the end of the chain so you see the counter.
It might also be worth checking the OUTPUT chain. Or, watch the entire iptables
ruleset:
> watch 'set -x;for i in filter nat mangle raw;do iptables -t $i -L -v -n --line-numbers;done;set +x;'
(set -x enables you to see which table a chain belongs to: search up for the last
iptables command).
HTH,
Cheers ... Duncan.
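As an added illustration of the counter-watching approach described above (this is not part of Duncan's reply or the thread), here is a POSIX shell script that snapshots the iptables counters before and after a test ping and reports which rules absorbed packets. It goes one step beyond the reply: with -v the Chain line also carries the policy counter, so a chain whose policy is DROP shows up as well. The snapshot function assumes root and a live netfilter; the demo runs on constructed snapshot text only.

```shell
# Added example, not from the thread: diff two iptables counter snapshots to see
# which rule (or chain policy) counters moved while a test ping was running.
# Snapshot every table; the TABLE line lets the diff name the table later.
# Needs root and live netfilter; the demo below uses constructed text instead.
snapshot_counters() {
    for t in filter nat mangle raw; do
        echo "TABLE $t"
        iptables -t "$t" -L -v -n -x --line-numbers   # -x: exact counters, no K/M
    done
}

# counter_delta BEFORE AFTER: prints "table chain num target delta" for each
# rule whose pkts counter grew, and "table chain policy TARGET delta" for a
# chain policy that absorbed packets (the Chain line carries it under -v).
counter_delta() {
    awk '
        /^TABLE / { table = $2; next }
        /^Chain / {                   # Chain INPUT (policy DROP 12 packets, 960 bytes)
            chain = $2
            if ($3 == "(policy") record(table " " chain " policy " $4, $5)
            next
        }
        /^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+[A-Za-z]/ { record(table " " chain " " $1 " " $4, $2) }
        function record(key, pkts) {
            if (FILENAME == ARGV[1]) before[key] = pkts + 0
            else if (pkts + 0 > before[key] + 0) print key, pkts - before[key]
        }
    ' "$1" "$2"
}

# Demo on constructed snapshots: four pings hit INPUT rule 3 (an explicit DROP)
# and two more were eaten by the chain's DROP policy.
demo() {
    dir=$(mktemp -d)
    cat >"$dir/before" <<'EOF'
TABLE filter
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts   bytes target     prot opt in     out     source               destination
1     1200   96000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      340   27200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       10     840 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    sed -e 's/policy DROP 0 packets, 0 bytes/policy DROP 2 packets, 168 bytes/' \
        -e 's/^3 *10 *840 DROP/3 14 1176 DROP/' "$dir/before" >"$dir/after"
    counter_delta "$dir/before" "$dir/after"
    rm -rf "$dir"
}
demo
```

On a real host, run snapshot_counters into two files around the ping instead of the demo, then feed them to counter_delta.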