From: Vimal <j.vimal@gmail.com>
To: "Xu, Qiang (FXSGSC)" <Qiang.Xu@fujixerox.com>
Cc: Rob Sterenborg <rob@sterenborg.info>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: iptables not prevent access
Date: Mon, 15 Sep 2008 16:12:17 +0530 [thread overview]
Message-ID: <ff71fbf20809150342u52afb246vbb672cbdf36a43ad@mail.gmail.com> (raw)
In-Reply-To: <D8C9BC7FFCF8154FB7141EB8DB609C1721725A40CE@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
> What's strange is that, when I run the same command to other machines, say 13.121.8.120, the http access is successfully rejected. Does that mean something wrong with the network configuration of the machine 13.121.8.119? What is the possible cause of that behavior?
>
This could only happen if the rule doesn't match it.
Let's look at the rule:
* -i eth0 ... If this doesn't match, it means that there is some other
routing going on that uses another interface to route the packet to
this particular IP address. Try pasting the routing table here, so
that we can see.
* -p tcp ... This has to be matched :)
* --dport=80 ... Unless you're running the webserver on some other
port, this is likely to match as well.
So, it looks like the packet isn't arriving via interface eth0.
> Another thing is quite strange, when capturing network trace from and to 13.121.8.119, I can't find any packet associated with the server which runs "iptables" command. However, when I was capturing network trace from and to 13.121.8.120 (which was successfully blocked), I can see some network packets associated with the server.
You might have done the network trace on one interface. How many
interfaces are there:
* On the server
* On the client (13.121.8.119)
What is the server IP address?
From what you say, it looks like 13.121.8.119 and the server have
established contact via an interface that is other than eth0.
--
Vimal
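The diagnosis above (an "-i eth0" rule can only hit packets that actually arrive on eth0, so the first thing to check is which interface the route to the client uses) as a small added shell example; it is not code from this thread or from the netfilter project. The rule it assumes is a plain `iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT`, since the original rule is not quoted in this message, and the `ip route get` output it parses is a constructed sample, not a capture from the poster's machine.

```sh
#!/bin/sh
# Added example (not from the thread): does the interface named in an
# "-i eth0" INPUT rule match the interface traffic for a given client uses?
# Assumed rule under test (the original is not shown in this message):
#   iptables -A INPUT -i eth0 -p tcp --dport 80 -j REJECT

# Constructed sample of `ip route get 13.121.8.119` output on the server,
# showing the route going out via eth1 rather than eth0.
SAMPLE_ROUTE='13.121.8.119 via 13.121.8.1 dev eth1 src 13.121.8.10 uid 0'

# route_dev: extract the interface from `ip route get` output on stdin.
# With symmetric routing this is also the interface the client's packets
# arrive on, which is what "-i" in an INPUT rule is compared against.
route_dev() {
  sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# check_iface ROUTE_OUTPUT RULE_IFACE: exit 0 if the routed interface is the
# one named in the rule, 1 if it differs or no interface could be parsed.
check_iface() {
  routed=$(printf '%s\n' "$1" | route_dev)
  if [ -n "$routed" ] && [ "$routed" = "$2" ]; then
    return 0
  else
    return 1
  fi
}

# diagnose_live CLIENT RULE_IFACE: run the real check on this host.
# Needs iproute2; iptables -vnL needs root, so it is only suggested.
diagnose_live() {
  client=$1
  rule_if=$2
  command -v ip >/dev/null 2>&1 || { echo "ip(8) not available"; return 2; }
  route=$(ip route get "$client" 2>/dev/null)
  routed=$(printf '%s\n' "$route" | route_dev)
  echo "route to $client leaves via: ${routed:-unknown}"
  if check_iface "$route" "$rule_if"; then
    echo "rule interface $rule_if matches; confirm hits with: iptables -vnL INPUT"
  else
    echo "rule interface $rule_if does not match; drop '-i $rule_if' or use '-i ${routed:-<iface>}'"
  fi
}

# Usage: sh diag.sh --live 13.121.8.119 eth0
if [ "${1:-}" = "--live" ]; then
  diagnose_live "${2:-13.121.8.119}" "${3:-eth0}"
fi
```

Two caveats a practitioner would add: `ip route get` shows the egress path, so if routing is asymmetric the reply interface and the ingress interface can differ, and only the packet counters from `iptables -vnL INPUT` (or a `tcpdump -i any`) settle which interface the client's SYNs really arrive on. If the interface is not known in advance, leaving `-i` off the rule and matching on `-s` is the safer way to make sure the REJECT applies.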
Thread overview: 16+ messages
2008-09-15 7:02 iptables not prevent access Xu, Qiang (FXSGSC)
2008-09-15 7:33 ` Rob Sterenborg
2008-09-15 7:53 ` Xu, Qiang (FXSGSC)
2008-09-15 10:42 ` Vimal [this message]
2008-09-15 11:14 ` Xu, Qiang (FXSGSC)
2008-09-15 11:26 ` Simon Gray
2008-09-16 1:36 ` Xu, Qiang (FXSGSC)
2008-09-16 1:49 ` Vimal
2008-09-15 12:06 ` Vimal
2008-09-16 1:56 ` Xu, Qiang (FXSGSC)
[not found] ` <D8C9BC7FFCF8154FB7141EB8DB609C1721726062EC@SGPAPHQ-EXSCC01.dc01.fujixerox.net>
2008-09-15 12:11 ` Vimal
2008-09-16 3:45 ` Xu, Qiang (FXSGSC)
2008-09-16 3:52 ` Vimal
2008-09-16 4:14 ` Xu, Qiang (FXSGSC)
2008-09-16 7:28 ` Xu, Qiang (FXSGSC)
2008-09-15 10:44 ` Rob Sterenborg