Linux Netfilter discussions
From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: How to debug RST filter ?
Date: Mon, 01 Feb 2010 19:54:51 +0100	[thread overview]
Message-ID: <4B67237B.4070900@chello.at> (raw)
In-Reply-To: <L749C3EBF46964d4a9E404BAF2BFD837F.1265011977.scalix01.aarboard.ch@MHS>

On 01.02.2010 09:13, netfilter-owner@vger.kernel.org wrote:
> Hello,
> 
>> Can you see "RULE 17"?
> 
> 
> Rule 17 is the final deny everything else rule.
> Rule 15 is the one which should allow everything "local" on the firewall
> 
> #
> # Rule 15 (global)
> #
> echo "Rule 15 (global)"
> #
> #
> #
> $IPTABLES -N Cid4A4A84F123430.0
> $IPTABLES -A INPUT  -s myip   -m state --state NEW  -j Cid4A4A84F123430.0
> $IPTABLES -A INPUT  -s 127.0.0.1   -m state --state NEW  -j Cid4A4A84F123430.0
> $IPTABLES -A Cid4A4A84F123430.0  -d myip   -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.0  -d 127.0.0.1   -j ACCEPT
> $IPTABLES -N Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT  -s myip    -m state --state NEW  -j Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT  -s 127.0.0.1   -m state --state NEW  -j Cid4A4A84F123430.1
> $IPTABLES -A Cid4A4A84F123430.1  -d myip   -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.1  -d 127.0.0.1   -j ACCEPT
> 
> 
> 
> #
> # Rule 17 (global)
> #
> echo "Rule 17 (global)"
> #
> #
> #
> $IPTABLES -N RULE_17
> $IPTABLES -A OUTPUT  -j RULE_17
> $IPTABLES -A INPUT  -j RULE_17
> $IPTABLES -A RULE_17  -j LOG  --log-level info --log-prefix "RULE 17 -- DENY " --log-tcp-sequence  --log-tcp-options  --log-ip-options
> $IPTABLES -A RULE_17  -j DROP
> 
> 
> As we normally can connect, but just a few random connections don't work,
> I assume that there is some timeout or some entries flushed somewhere in
> the filter stuff.
> 
> 
> André

Shot in the dark: try to insert into rule 17:
$IPTABLES -I RULE_17 -o lo -m state --state INVALID -j LOG \
--log-level info --log-prefix "RULE 17 -- INVALID" --log-tcp-sequence \
--log-tcp-options --log-ip-options

and see if it matches the other logged packets.
If so, these packets are classified as invalid by the connection tracker.

best regards


Mart
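An added illustration, not part of the thread: once both LOG rules above are in place, the check "does the INVALID log match the other logged packets" can be automated. The script below assumes the two prefixes from this thread and the standard netfilter LOG line format (IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT=/SEQ=/flags); the syslog lines are constructed samples. It keys each logged packet by interface, 5-tuple, TCP flags and sequence number, then reports how many DENY packets were also flagged INVALID by conntrack.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the netfilter LOG target format (not taken
# from the thread). Note the first line: with no trailing space in
# --log-prefix "RULE 17 -- INVALID", the prefix runs straight into "IN=".
SAMPLE_LOG = """\
Feb  1 19:10:01 fw kernel: RULE 17 -- INVALIDIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=51234 SEQ=0 ACK=1234567 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  1 19:10:01 fw kernel: RULE 17 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=51234 SEQ=0 ACK=1234567 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb  1 19:10:05 fw kernel: RULE 17 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51240 DPT=8080 SEQ=99 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
"""

DENY, INVALID = "RULE 17 -- DENY", "RULE 17 -- INVALID"

# \s* after the prefix tolerates both "DENY IN=" and "INVALIDIN=".
# SPT/DPT and SEQ/ACK/flags are optional so non-TCP lines still parse.
LINE_RE = re.compile(
    r"(?P<prefix>RULE 17 -- (?:DENY|INVALID))\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
    r"(?: SEQ=(?P<seq>\d+) ACK=\d+ WINDOW=\d+ RES=\S+ (?P<flags>.*?) URGP=)?"
)


def parse(text):
    """Yield (prefix, packet_key) for every line that looks like a RULE 17 log entry."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # The same packet logged twice (INVALID then DENY) yields the same key.
        key = (m["out"] or m["in"], m["src"], m["dst"], m["proto"],
               m["spt"], m["dpt"], m["seq"], m["flags"])
        packets.append((m["prefix"], key))
    return packets


def summarize(text):
    """Count denied packets and how many of them conntrack also classed INVALID."""
    seen = defaultdict(set)
    for prefix, key in parse(text):
        seen[key].add(prefix)
    denied = {k for k, prefixes in seen.items() if DENY in prefixes}
    invalid = {k for k in denied if INVALID in seen[k]}
    return {"denied": len(denied), "denied_as_invalid": len(invalid),
            "denied_other": len(denied - invalid)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If every denied RST shows up under both prefixes, the drops come from conntrack marking the packets INVALID rather than from a missing ACCEPT rule.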
