* accept rule not working.
From: eial @ 2008-05-07 15:14 UTC
To: netfilter
I've created this rule:
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport 80 -s 192.168.113.94 -j ACCEPT
but the firewall still blocks it. I guess there is a typo somewhere, but I can't seem to find it.
Any hints?
thanks
* Re: accept rule not working.
From: Gáspár Lajos @ 2008-05-07 15:29 UTC
To: eial@cs.bgu.ac.il; +Cc: netfilter
eial@cs.bgu.ac.il wrote:
> I've created this rule:
> /sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport 80 -s 192.168.113.94 -j ACCEPT
>
> but the firewall still blocks it. I guess there is a typo somewhere, but I can't seem to find it.
> Any hints?
No typo... maybe... :D
Please include the output of these commands:
iptables -vnL
iptables -t nat -vnL
iptables -t mangle -vnL
iptables -t raw -vnL
Thanx...
Swifty
* RE: accept rule not working.
From: Rob Sterenborg @ 2008-05-07 15:29 UTC
To: eial, netfilter
> I've created this rule:
> /sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport 80 -s 192.168.113.94 -j ACCEPT
>
> but the firewall still blocks it. I guess there is a typo somewhere, but I can't seem to find it. Any hints?
Since the packets are still dropped, either the rule doesn't match the packets you expect it to match, or another blocking rule matches before it can be accepted by this one.
Also, you're using "--sport 80". Are you sure the packets are COMING FROM source port 80 instead of GOING TO port 80 (--dport 80)?
Grts,
Rob
* Re: accept rule not working.
From: Karim Asif @ 2008-05-07 15:39 UTC
To: netfilter
Try to use:
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 80 -s 192.168.113.94 -j ACCEPT
Assuming that by default you are dropping the rest of incoming traffic.
Also, try to check where the communication is blocked. Use the following sniffer command:
# tcpdump -i eth0 ip host 192.168.113.94
* Re: accept rule not working.
From: Jan Engelhardt @ 2008-05-07 15:58 UTC
To: Gáspár Lajos; +Cc: eial@cs.bgu.ac.il, netfilter
On Wednesday 2008-05-07 17:29, Gáspár Lajos wrote:
>>
> No typo... maybe... :D
>
> Please include the output of these commands:
>
> iptables -vnL
> iptables -t nat -vnL
> iptables -t mangle -vnL
> iptables -t raw -vnL
>
> Thanx...
or for simplicity just `iptables-save` ...
* RE: accept rule not working.
From: eial @ 2008-05-07 21:25 UTC
To: Rob Sterenborg; +Cc: netfilter
On Wed 07 May 18:29 2008 Rob Sterenborg wrote:
> > I've created this rule:
> > /sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport
> > 80 -s 192.168.113.94 -j ACCEPT
> >
> > but the firewall still blocks it. I guess there is a typo somewhere,
> > but I can't seem to find it. Any hints?
>
> Since the packets are still dropped, either the rule doesn't match the packets you expect it to match, or another blocking rule matches before it can be accepted by this one.
>
> Also, you're using "--sport 80". Are you sure the packets are COMING FROM source port 80 instead of GOING TO port 80 (--dport 80)?
> Grts,
> Rob
Both mangle and raw return this:
FATAL: Module ip_tables not found.
iptables v1.3.8: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 32M packets, 3282M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2990K packets, 215M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2991K packets, 215M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy DROP 240 packets, 23748 bytes)
pkts bytes target prot opt in out source destination
1468 1977K ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
607K 804M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 192.168.113.94 0.0.0.0/0 state NEW tcp spt:80
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 state NEW udp dpt:67
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 state NEW udp dpt:68
2141 321K ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 state NEW udp dpt:2222
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 255.255.255.255 state NEW udp dpt:2223
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:6111
9 666 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:161
1047 37692 ACCEPT icmp -- eth0 * 192.168.111.249 0.0.0.0/0 icmp type 8 state NEW
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:21
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:873
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:873
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:6881:6886
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.114.0/20 state NEW tcp dpt:135
186K 21M ACCEPT udp -- eth0 * 0.0.0.0/0 192.168.114.0/20 state NEW udp dpts:137:139
3249 160K ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.114.0/20 state NEW tcp dpts:137:139
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.114.0/20 state NEW tcp dpt:426
9 436 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.114.0/20 state NEW tcp dpt:445
8 2225 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 LOG all -f eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `IPTABLES FRAGMENTS: '
0 0 DROP all -f eth0 * 0.0.0.0/0 0.0.0.0/0
930 574K LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `Rejected: '
930 574K REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
rejection log example:
Rejected: IN=eth0 OUT= MAC=mymacaddress SRC=192.168.113.94 DST=192.168.114.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=59173 WINDOW=0 RES=0x00 RST URGP=0
* Re: accept rule not working.
From: eial @ 2008-05-08 5:25 UTC
To: eial@cs.bgu.ac.il; +Cc: netfilter
On Wed 07 May 18:14 2008 eial@cs.bgu.ac.il wrote:
>
> I've created this rule:
> /sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport 80 -s 192.168.113.94 -j ACCEPT
>
> but the firewall still blocks it. I guess there is a typo somewhere, but I can't seem to find it.
> Any hints?
>
> thanks
# tcpdump -i eth0 ip host 192.168.113.94
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
08:11:24.236476 IP 192.168.114.2.40573 > 192.168.113.94 F 2798920178:2798920178(0) ack 630443077 win 182 <nop,nop,timestamp 296121 1080942535>
08:11:24.413843 IP 192.168.113.94 > 192.168.114.2.40573: R 630443077:630443077(0) win 0
08:11:24.413907 IP 192.168.114.2 > 192.168.113.94: ICMP 192.168.114.2 tcp port 40573 unreachable, length 48
08:12:24.768797 IP 192.168.114.2.40573 > 192.168.113.94 F 0:0(0) ack 1 win 182 <nop,nop,timestamp 356665 1080942535>
08:12:24.946400 IP 192.168.113.94 > 192.168.114.2.40573: R 630443077:630443077(0) win 0
08:12:24.946464 IP 192.168.114.2 > 192.168.113.94: ICMP 192.168.114.2 tcp port 40573 unreachable, length 48
08:12:57.186350 IP 192.168.114.2.53948 > 192.168.113.94 S 3151686805:3151686805(0) win 5840 <mss 1460,sackOK,timestamp 389088[|tcp]>
08:12:57.364491 IP 192.168.113.94 > 192.168.114.2.53948: S 937462665:937462665(0) ack 3151686806 win 5792 <mss 1460,sackOK,timestamp 1081223595[|tcp]>
08:12:57.364547 IP 192.168.114.2.53948 > 192.168.113.94 . ack 1 win 92 <nop,nop,timestamp 389267 1081223595>
08:12:57.364710 IP 192.168.114.2.53948 > 192.168.113.94 P 1:267(266) ack 1 win 92 <nop,nop,timestamp 389267 1081223595>
08:12:57.543067 IP 192.168.113.94 > 192.168.114.2.53948: . ack 267 win 1716 <nop,nop,timestamp 1081223773 389267>
08:12:57.545658 IP 192.168.113.94 > 192.168.114.2.53948: P 1:26(25) ack 267 win 1716 <nop,nop,timestamp 1081223776 389267>
08:12:57.545700 IP 192.168.114.2.53948 > 192.168.113.94 . ack 26 win 92 <nop,nop,timestamp 389448 1081223776>
08:12:57.545816 IP 192.168.114.2.53948 > 192.168.113.94 . 267:1715(1448) ack 26 win 92 <nop,nop,timestamp 389448 1081223776>
08:12:57.545824 IP 192.168.114.2.53948 > 192.168.113.94 . 1715:3163(1448) ack 26 win 92 <nop,nop,timestamp 389448 1081223776>
08:12:57.724241 IP 192.168.113.94 > 192.168.114.2.53948: . ack 3163 win 3164 <nop,nop,timestamp 1081223955 389448>
08:12:57.724297 IP 192.168.114.2.53948 > 192.168.113.94 P 3163:4611(1448) ack 26 win 92 <nop,nop,timestamp 389626 1081223955>
08:12:57.724307 IP 192.168.114.2.53948 > 192.168.113.94 . 4611:6059(1448) ack 26 win 92 <nop,nop,timestamp 389626 1081223955>
08:12:57.724313 IP 192.168.114.2.53948 > 192.168.113.94 . 6059:7507(1448) ack 26 win 92 <nop,nop,timestamp 389626 1081223955>
08:12:57.903134 IP 192.168.113.94 > 192.168.114.2.53948: . ack 6059 win 4612 <nop,nop,timestamp 1081224134 389626>
08:12:57.903177 IP 192.168.114.2.53948 > 192.168.113.94 P 7507:7889(382) ack 26 win 92 <nop,nop,timestamp 389805 1081224134>
08:12:57.943444 IP 192.168.113.94 > 192.168.114.2.53948: . ack 7507 win 5336 <nop,nop,timestamp 1081224174 389626>
08:12:58.080235 IP 192.168.113.94 > 192.168.114.2.53948: . ack 7889 win 5336 <nop,nop,timestamp 1081224311 389805>
08:12:58.093196 IP 192.168.113.94 > 192.168.114.2.53948: . 26:1474(1448) ack 7889 win 5336 <nop,nop,timestamp 1081224322 389805>
08:12:58.093310 IP 192.168.113.94 > 192.168.114.2.53948: P 1474:2834(1360) ack 7889 win 5336 <nop,nop,timestamp 1081224322 389805>
08:12:58.093327 IP 192.168.114.2.53948 > 192.168.113.94 . ack 2834 win 182 <nop,nop,timestamp 389995 1081224322>
08:12:58.093332 IP 192.168.113.94 > 192.168.114.2.53948: P 2834:2839(5) ack 7889 win 5336 <nop,nop,timestamp 1081224322 389805>
08:12:58.132377 IP 192.168.114.2.53948 > 192.168.113.94: . ack 2839 win 182 <nop,nop,timestamp 390035 1081224322>
08:13:13.090854 IP 192.168.113.94 > 192.168.114.2.53948: F 2839:2839(0) ack 7889 win 5336 <nop,nop,timestamp 1081239324 390035>
08:13:13.130494 IP 192.168.114.2.53948 > 192.168.113.94: . ack 2840 win 182 <nop,nop,timestamp 405036 1081239324>
* Re: accept rule not working.
From: Gáspár Lajos @ 2008-05-08 9:28 UTC
To: eial@cs.bgu.ac.il; +Cc: netfilter
eial@cs.bgu.ac.il wrote:
> 607K 804M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 0 0 ACCEPT tcp -- eth0 * 192.168.113.94 0.0.0.0/0 state NEW tcp spt:80
> 930 574K LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `Rejected: '
> 930 574K REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
>
> rejection log example:
> Rejected: IN=eth0 OUT= MAC=mymacaddress SRC=192.168.113.94 DST=192.168.114.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=59173 WINDOW=0 RES=0x00 RST URGP=0
>
>
Yes... Correct...
These packets are not in the state of NEW,RELATED,ESTABLISHED...
Maybe just INVALID...
Swifty
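As an added example, not code from the thread: this Python script parses the LOG line eial posted into its fields, runs a deliberately simplified model of how conntrack classifies a TCP segment (an assumption in the code, not the kernel's actual logic), and checks whether the `--state NEW --sport 80` rule could ever match it, which ties together Rob's --sport versus --dport question and the INVALID diagnosis above. The sample line is reconstructed from the post with a placeholder MAC address.

```python
# Constructed sample in the iptables LOG format eial posted (MAC is a placeholder).
SAMPLE_LOG = ("Rejected: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.168.113.94 "
              "DST=192.168.114.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
              "SPT=80 DPT=59173 WINDOW=0 RES=0x00 RST URGP=0")

# TCP flags appear in LOG output as bare tokens, not KEY=VALUE pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# The ACCEPT rule from the thread, expressed as the fields a LOG line exposes.
RULE = {"PROTO": "TCP", "SRC": "192.168.113.94", "SPT": "80", "STATE": "NEW"}

def parse_log(line):
    """Split an iptables LOG line into KEY=VALUE fields and the set of TCP flags."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return fields, flags

def conntrack_state(flags, tracked=False):
    """Simplified model (an assumption, not kernel code) of conntrack's TCP classification:
    a segment of a tracked connection is ESTABLISHED, a bare SYN is NEW, and anything else
    arriving without a tracked connection (a lone RST, ACK or FIN) is INVALID."""
    if tracked:
        return "ESTABLISHED"
    if "SYN" in flags and "ACK" not in flags:
        return "NEW"
    return "INVALID"

def rule_matches(fields, state, rule=RULE):
    """Apply the rule's -p / -s / --sport / --state matches to one parsed packet."""
    return (fields.get("PROTO") == rule["PROTO"]
            and fields.get("SRC") == rule["SRC"]
            and fields.get("SPT") == rule["SPT"]
            and state == rule["STATE"])

def explain(line, tracked=False):
    """Return (conntrack state, whether the ACCEPT rule would match) for one LOG line."""
    fields, flags = parse_log(line)
    state = conntrack_state(flags, tracked)
    return state, rule_matches(fields, state)

if __name__ == "__main__":
    state, matched = explain(SAMPLE_LOG)
    print(f"state={state} rule_matches={matched}")  # the logged RST: INVALID, False
```

Swapping the RST token for SYN in the sample shows the rule matching a bare SYN from port 80, while a SYN towards port 80 (SPT ephemeral, DPT=80) never matches a --sport 80 rule.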
* Re: accept rule not working.
From: Gáspár Lajos @ 2008-05-09 6:37 UTC
To: eial@cs.bgu.ac.il; +Cc: swifty, netfilter
eial@cs.bgu.ac.il wrote:
> ok, so what can I do?
>
>
What do you want to do? RST packets are meant for closing connections...
http://www.knowplace.org/pages/howtos/firewalling_with_netfilter_iptables/ip_overview.php
Swifty