From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: where are my udp packets going?
Date: Mon, 17 Nov 2008 11:28:48 +0100 [thread overview]
Message-ID: <49214760.1010006@plouf.fr.eu.org> (raw)
In-Reply-To: <gfq3f0$9ot$1@ger.gmane.org>
sean darcy wrote:
>
> I was able to shut down the 76. machine, reboot the server, and it worked.
Hmm, shut down or reboot was a bit overkill.
> My server does NOT generate 4569 packets, and iptables INPUT drops all
> from eth0, except for ssh and ESTABLISHED. So how could there be a
> conntrack entry?
The DROP target prevents a packet from creating a new conntrack entry.
However I suppose there was a sort of race condition with incoming
packets, conntrack activation, default policy definition and rule creation.
If the conntrack module is loaded before a DROP rule is created in the
filter/INPUT chain or its policy is set to DROP, then an incoming packet
could create the bogus conntrack entry. The conntrack module can be
autoloaded in many ways, including:
- loading a conntrack or NAT helper module,
- creating a rule using a match or target that requires conntrack
(state, conntrack, connmark, CONNMARK...)
- loading the nat table, which may be caused by creating a rule in one
of its chains, defining the default policy of one of its chains or just
flushing one of its chains.
So conntrack may be enabled sooner than you think.
Check the order in which the following operations happen at startup:
- load conntrack/NAT modules {ip,nf}_{conntrack,nat}*
- define iptables default policies in the nat and filter tables
- create or flush iptables rules in the nat and filter tables
- enable network interfaces
> Is there a way to DNAT traffic before it reaches the conntrack entry?
No, because NAT requires conntrack.
> Can I change the destination in raw/PREROUTING?
No. All you can do in raw/PREROUTING is DROP or mark packets in the
UNTRACKED state with the NOTRACK target so the conntrack won't see them.
By the way I guess that adding a temporary rule matching the IAX traffic
from 76.x.x.x in this chain until the related conntrack entry expires
would have done the trick too, without having to put machines offline.
> Is there a way to flush the conntrack entry?
Yes, with the conntrack utility from the conntrack-tools package. If your
distro does not ship it, you can get it from the netfilter site.
<http://www.netfilter.org/projects/conntrack-tools/index.html>
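A startup ordering that follows the advice above, as an added example that is not part of Pascal's message (dry-run by default, so it can be read without root): `eth0`, port 4569 and the raw/PREROUTING NOTRACK idea come from the thread, while the source address is a placeholder standing in for the 76.x.x.x host.

```shell
#!/bin/sh
# Added example, not from the thread: order firewall startup so that the
# conntrack module is never loaded while the INPUT chain still ACCEPTs.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"            # external interface, as in the thread
SRC_HOST="${SRC_HOST:-192.0.2.10}"  # placeholder for the 76.x.x.x sender
IAX_PORT="${IAX_PORT:-4569}"        # IAX port from the thread

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

firewall_up() {
    # 1. Default policies first: nothing here touches conntrack, so a packet
    #    arriving now is dropped and cannot create an entry.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F INPUT
    # 2. Only now add rules whose matches autoload conntrack (state, conntrack,
    #    connmark...). The policy is already DROP, so the race is closed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
    # 3. Interfaces come up last, after the rules exist.
    run ip link set "$WAN_IF" up
}

evict_bogus_entry() {
    # Stale UDP entry for the IAX flow: mark the flow UNTRACKED in
    # raw/PREROUTING so conntrack ignores new packets, delete the entry with
    # the conntrack-tools utility, then remove the temporary rule.
    run iptables -t raw -I PREROUTING -s "$SRC_HOST" -p udp --dport "$IAX_PORT" -j NOTRACK
    run conntrack -D -p udp --orig-src "$SRC_HOST" --dport "$IAX_PORT"
    run iptables -t raw -D PREROUTING -s "$SRC_HOST" -p udp --dport "$IAX_PORT" -j NOTRACK
}

firewall_up
evict_bogus_entry
```

With DRY_RUN=0 the same functions run the commands; the policy lines must still come before any `-m state` rule or nat-table operation in whatever init script your distro uses.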