From: Jean-Christian Imbeault <jc@mega-bucks.co.jp>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: Newbie: why is this packet being dropped/logged?
Date: Mon, 04 Aug 2003 17:08:33 +0900
Message-ID: <3F2E1481.7060907@mega-bucks.co.jp>
In-Reply-To: <1059984295.921.22.camel@elendil.intranet.cartel-securite.net>
Cedric Blancher wrote:
>
> This file is not a log. [snip]
Ah ... thanks for the explanation.
> Could you post an iptables-save output for your INPUT chain so we can
> have a complete ruleset description ?
Sure, here it is:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [29809:39495741]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 219.118.175.0/255.255.255.0 -d 203.179.86.66 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j LOG --log-prefix "DROP:" --log-level debug
-A OUTPUT -o lo -j ACCEPT
COMMIT
> It is a bit redundant with previous rule that allows ESTABLISHED and
> RELATED packets, whatever source, destination and protocol they may
> have. So, ESTABLISHED HTTP packets to 203.179.86.66 would not reach your
> rule, being accepted by previous one. Moreover, RELATED is useless, as
> HTTP does not have related connections such as FTP or IRC.
Ok. So I guess NEW is all I need and RELATED and ESTABLISHED are
unnecessary.
Jean-Christian Imbeault
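The redundancy Cedric points out (a RELATED or ESTABLISHED packet is accepted by the second rule before the HTTP or SSH rule is ever consulted, so those two rules only ever see NEW packets) can be checked mechanically. The block below is an added example, not code from the thread or from the netfilter project: a small first-match-wins model of the posted INPUT chain that supports only the matches that ruleset uses (-i, -s, -d, -p, --dport, -m state) and treats LOG as non-terminating, as iptables does. The rule list is a transcription of the iptables-save output above (the 255.255.255.0 mask written as /24), and the sample packets are constructed for the demonstration. walk() reports the verdict and the index of the rule that decided it; simplified_rules() is the chain with RELATED,ESTABLISHED removed from the HTTP and SSH rules, and same_verdicts() confirms both chains agree on every sample packet.

```python
"""Model of the INPUT chain posted in this thread (added example, not the
thread's or netfilter's code). Only the matches the posted ruleset uses are
modelled; semantics are first-match-wins with a chain policy, LOG continues."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


# Transcription of the posted chain, one dict per -A INPUT line (index 0..10).
# A key that is absent means the rule does not test that field.
INPUT_RULES = [
    dict(iface="lo", target="ACCEPT"),
    dict(states={"RELATED", "ESTABLISHED"}, target="ACCEPT"),
    dict(dst="203.179.86.66", iface="eth0", proto="tcp", dport=80,
         states={"NEW", "RELATED", "ESTABLISHED"}, target="ACCEPT"),
    dict(src="219.118.175.0/24", dst="203.179.86.66", iface="eth0",
         proto="tcp", dport=22,
         states={"NEW", "RELATED", "ESTABLISHED"}, target="ACCEPT"),
    dict(proto="udp", dport=67, target="DROP"),
    dict(proto="tcp", dport=113, target="REJECT"),
    dict(proto="udp", dport=137, target="REJECT"),
    dict(proto="udp", dport=138, target="REJECT"),
    dict(proto="tcp", dport=138, target="REJECT"),
    dict(proto="udp", dport=139, target="REJECT"),
    dict(target="LOG"),   # non-terminating: traversal continues after logging
]
INPUT_POLICY = "DROP"     # from ":INPUT DROP [0:0]"


def matches(rule, pkt):
    """True if every field the rule tests agrees with the packet."""
    if "iface" in rule and rule["iface"] != pkt.iface:
        return False
    if "src" in rule and (ipaddress.ip_address(pkt.src)
                          not in ipaddress.ip_network(rule["src"])):
        return False
    if "dst" in rule and rule["dst"] != pkt.dst:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "states" in rule and pkt.state not in rule["states"]:
        return False
    return True


def walk(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    """Return (verdict, index of the deciding rule or None for policy, logged)."""
    logged = False
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True        # LOG does not end traversal
            continue
        return rule["target"], i, logged
    return policy, None, logged


def simplified_rules():
    """The chain with RELATED,ESTABLISHED dropped from the HTTP and SSH rules.
    Rule 1 already accepts those states for any source, destination or
    protocol, so only NEW packets can ever reach rules 2 and 3."""
    out = []
    for r in INPUT_RULES:
        r = dict(r)
        if r.get("states") == {"NEW", "RELATED", "ESTABLISHED"}:
            r["states"] = {"NEW"}
        out.append(r)
    return out


# Constructed sample traffic (addresses other than the host's are invented).
SAMPLE_PACKETS = [
    Packet("lo", "127.0.0.1", "127.0.0.1", "tcp", 80, "NEW"),
    Packet("eth0", "1.2.3.4", "203.179.86.66", "tcp", 80, "ESTABLISHED"),
    Packet("eth0", "1.2.3.4", "203.179.86.66", "tcp", 80, "NEW"),
    Packet("eth0", "219.118.175.7", "203.179.86.66", "tcp", 22, "NEW"),
    Packet("eth0", "1.2.3.4", "203.179.86.66", "tcp", 22, "NEW"),
    Packet("eth0", "1.2.3.4", "203.179.86.66", "udp", 137, "NEW"),
    Packet("eth0", "1.2.3.4", "203.179.86.66", "tcp", 25, "NEW"),
]


def same_verdicts(pkts=SAMPLE_PACKETS):
    """True if the posted chain and the simplified chain decide every packet alike."""
    return all(walk(p) == walk(p, simplified_rules()) for p in pkts)


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.iface:4} {p.src:>15} {p.proto}/{p.dport} {p.state:11} ->", walk(p))
    print("simplified chain equivalent on samples:", same_verdicts())
```

The run shows the ESTABLISHED HTTP packet decided by rule 1, never reaching rule 2, and the unsolicited SSH packet from outside 219.118.175.0/24 matching nothing terminating: it is logged by the final rule and then dropped by the chain policy, which is the "DROP:" entry the original question was about.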