From: sean darcy <seandarcy2@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: does -p udp --dport 5060 not work with -j LOG?
Date: Thu, 01 May 2008 21:10:37 -0400
Message-ID: <fvdpme$vrl$1@ger.gmane.org>
In-Reply-To: <1209689109.6381.20.camel@localhost.localdomain>
Diego Lacerda wrote:
> On Thu, 2008-05-01 at 16:53 -0700, Steven Kath wrote:
>>> There only one line in my script that uses SIP:
>>>
>>> grep SIP firewall-masq
>>> $IPT -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix "SIP-BEFORE: "
>>>
>>> And it's run first:
>>>
>>> sh -x firewall-masq
>>> + IPT=/sbin/iptables
>>> + /sbin/iptables -F
>>> + /sbin/iptables -X
>>> + /sbin/iptables -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix 'SIP-BEFORE: '
>>> ...........
>>>
>>>
>>> I don't really understand this output:
>>>
>>> iptables -L -n -v -t nat | grep SIP
>>>     2   262 LOG  udp  --  *         *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
>>>  144K   24M LOG  udp  --  *         *  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix `SIP-BEFORE: '
>>> 41816 5117K LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix `SIP-BEFORE: '
>>>     0     0 LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
>>>     0     0 LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
>> ...
>>
>> It looks like your nat table isn't getting flushed.
>>
>> Have you tried running 'iptables -t nat -F' before firewall-masq or adding
>> that to the start of the script?
>
> Yeah,
>
> I think that you really need to flush the NAT table before.
> In this case you can see that the second and third rules in your NAT table are logging every UDP packet (you can see that by the first and second columns: packets/bytes).
>
> Regards,
>
Wow. That worked.
I always thought iptables -F flushed all the tables. Is there a command
that does flush all the tables? Cleans the slate completely?
sean
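As an added example, not code from the thread or from any of its participants, the following POSIX sh script does what the thread arrives at by hand: it clears every iptables table rather than only the filter table that a bare `iptables -F` touches. It assumes `IPT` names the iptables binary as in the original firewall-masq script, that `/proc/net/ip_tables_names` is the kernel's list of currently loaded tables, and introduces two knobs of its own, `DRY_RUN=1` (print commands instead of running them) and `TABLES="..."` (override the table list), for previewing and testing.

```shell
#!/bin/sh
# Added example (not part of the thread): clear every iptables table, not only
# filter. A bare `iptables -F` flushes the filter table alone, so a script that
# appends to nat on every run accumulates duplicate rules there, which is what
# the packet/byte counters in the thread's `iptables -L -n -v -t nat` show.
#
# Assumptions: IPT points at the iptables binary (as in the original script),
# /proc/net/ip_tables_names is the kernel's list of loaded tables, and
# DRY_RUN / TABLES are knobs introduced here for previewing and testing.

IPT="${IPT:-/sbin/iptables}"

# Run iptables, or print the command instead when DRY_RUN=1.
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Tables to clear: an explicit TABLES override, else the kernel's loaded
# tables, else the standard set. A table that was never loaded has no rules.
list_tables() {
    if [ -n "${TABLES:-}" ]; then
        printf '%s\n' $TABLES
    elif [ -r /proc/net/ip_tables_names ]; then
        cat /proc/net/ip_tables_names
    else
        printf '%s\n' filter nat mangle raw
    fi
}

# -F drops the rules, -X removes user-defined chains, -Z zeroes the counters.
clear_table() {
    run_ipt -t "$1" -F
    run_ipt -t "$1" -X
    run_ipt -t "$1" -Z
}

# Clean slate: every table emptied and the filter policies reset to ACCEPT so
# the host stays reachable while the firewall script rebuilds its rules.
flush_all() {
    for table in $(list_tables); do
        clear_table "$table"
    done
    for chain in INPUT FORWARD OUTPUT; do
        run_ipt -P "$chain" ACCEPT
    done
}

# Preview:        DRY_RUN=1 sh flush-all.sh --run
# Apply as root:  sh flush-all.sh --run
if [ "${1:-}" = "--run" ]; then
    flush_all
fi
```

Running the preview first is the useful habit here: the printed `-t nat -F` line is the one the original script was missing, and the per-table loop makes the omission impossible to repeat when a new table (mangle, raw) enters the script later.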
Thread overview: 8+ messages
2008-04-30 22:27 does -p udp --dport 5060 not work with -j LOG? sean darcy
2008-05-01 3:23 ` Diego Lacerda
2008-05-01 23:36 ` sean darcy
2008-05-01 23:53 ` Steven Kath
2008-05-02 0:45 ` Diego Lacerda
2008-05-02 1:10 ` sean darcy [this message]
2008-05-02 1:40 ` Steven Kath
2008-05-02 13:34 ` Jan Engelhardt