From: Ashley Maher <ashley.maher@didymodesigns.com.au>
To: netfilter@lists.netfilter.org
Subject: inconsistent behaviour
Date: Thu, 25 Sep 2003 15:05:17 +1000
Message-ID: <3F72778D.2080207@didymodesigns.com.au>
G'day,
I've built a firewall-gateway for a Uni.
The initial script sets up:
IPTABLES=/sbin/iptables
EXTIF="eth1"    # external (upstream) interface
INTIF="eth0"    # internal (student) interface
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
# ACCT: per-student accounting rules (no target, they only count packets)
$IPTABLES -N ACCT
$IPTABLES -F ACCT
# ALLOW: per-student ACCEPT rules. A user-defined chain cannot take a -P policy
# (the original "-P ALLOW DROP" line is rejected by iptables); a packet that
# matches nothing in ALLOW returns to FORWARD and falls to its DROP policy.
$IPTABLES -N ALLOW
$IPTABLES -F ALLOW
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j ACCT
$IPTABLES -I FORWARD -d 202.129.z.y -j ACCEPT
$IPTABLES -A FORWARD -s 203.220.a.0/22 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.b.0/24 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.221.c.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.d.0/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
$IPTABLES -A FORWARD -s 203.220.e.128/25 -d 0.0.0.0/0 -o $EXTIF -j ALLOW
When a student logs on this instruction is given:
/sbin/iptables -A ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -A ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF   # no -j: counts only
This works well.
When a student logs off these instructions are given:
/sbin/iptables -D ALLOW -s $IP/32 -d 0.0.0.0/0 -o $EXTIF -j ACCEPT
/sbin/iptables -D ACCT -s 0.0.0.0/0 -d $IP/32 -i $EXTIF
Now this works fairly well. Less than 1% of the time it fails to remove
the entry from the ALLOW chain, and very rarely it fails to remove from
the ACCT chain.
Where can I look to find this error? Though rare, the 1% ends up being a
significant number given the load is high.
Also MSN Messenger packets do not seem to be counted by the iptables
chain? This is an observation from the help desk, as students are
complaining they are being logged off for inactivity while they are using
Messenger. When I hand check packets using iptables there appears to be
no packet count. When they do a download there is.
I'm not an iptables guru, so hints and/or suggestions appreciated.
thanks
Ashley
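As an added example (not from the post or from the netfilter project), here is a small POSIX shell helper that does the logoff removal defensively and an audit that finds ALLOW entries a failed logoff left behind, since a surviving entry means a logged-off address can still forward out through the external interface. It assumes iptables 1.4.11 or later (for -S and -C), the ALLOW/ACCT chain and EXTIF names from the script above, and a constructed active-session file (one IP per line) that the logon system is assumed to maintain.

```sh
#!/bin/sh
# Added example: defensive logoff removal plus an audit for stale ALLOW rules.
# Assumptions (not from the post): iptables >= 1.4.11 for -S/-C, the ALLOW and
# ACCT chains and EXTIF from the script, and a session file kept by the logon
# system with one active IP per line (path below is a placeholder).
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth1}
SESSIONS=${SESSIONS:-/var/run/student-sessions}

# Print source IPs that still hold an ACCEPT rule in ALLOW but are absent from
# the active-session list. $1 = output of "$IPTABLES -S ALLOW", $2 = active IPs.
stale_allow_entries() {
    listing=$1; active=$2
    printf '%s\n' "$listing" \
      | sed -n 's/^-A ALLOW -s \([0-9.]*\)\/32 .*-j ACCEPT$/\1/p' \
      | sort -u \
      | while read -r ip; do
            printf '%s\n' "$active" | grep -qxF "$ip" || echo "$ip"
        done
}

# Delete every copy of a student's rules (a repeated logon can add duplicates
# and -D removes only one per call), then verify with -C. Returns 1 and reports
# when the ALLOW rule survived, so the caller can retry or raise an alert.
remove_student() {
    ip=$1; n=0
    while [ "$n" -lt 5 ] && "$IPTABLES" -D ALLOW -s "$ip/32" -d 0.0.0.0/0 \
            -o "$EXTIF" -j ACCEPT 2>/dev/null; do n=$((n + 1)); done
    n=0
    while [ "$n" -lt 5 ] && "$IPTABLES" -D ACCT -s 0.0.0.0/0 -d "$ip/32" \
            -i "$EXTIF" 2>/dev/null; do n=$((n + 1)); done
    if "$IPTABLES" -C ALLOW -s "$ip/32" -d 0.0.0.0/0 -o "$EXTIF" -j ACCEPT 2>/dev/null; then
        echo "student-fw: ALLOW rule for $ip survived logoff" >&2
        return 1
    fi
    return 0
}

# Periodic audit (e.g. from cron): list addresses still allowed after logoff.
audit_allow() {
    stale_allow_entries "$("$IPTABLES" -S ALLOW)" "$(cat "$SESSIONS")"
}
```

Before iptables gained the -w lock, two invocations running at the same moment (a logon and a logoff on a busy gateway) each replaced the whole table and could overwrite each other's change, which is one way a -D can be lost without an error; running the audit periodically catches whatever slips through.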
Thread overview (4+ messages):
2003-09-25  5:05 Ashley Maher [this message]
2003-09-25  7:07 ` inconsistent behaviour  Joel Newkirk
2003-09-26  3:48 ` Mark E. Donaldson
2003-09-25  4:51 ashley (loose match on Subject)