From: Sertys <sertys@supportivo.org>
To: Netfilter list <netfilter@lists.netfilter.org>
Subject: Re: mysterious dropped echo replies
Date: Tue, 31 May 2005 11:40:39 +0000 (UTC)
Date: Wed, 01 Jun 2005 18:21:44 +0300
Message-ID: <opsro6aifo76nf2y@xonix>
In-Reply-To: <1117539228.25434.82.camel@athene.bestsolution.at>
Well, this line:
iptables -t nat -A Cid3D99741E.0 -d 192.168.100.0/24 -j RETURN
change it to -j DROP and it won't generate any replies. -j RETURN returns
the packet and sends an ICMP message to the src!
On Tue, 31 May 2005 13:33:48 +0200, Udo Rader <udo.rader@bestsolution.at> wrote:
> Hi Sertys,
>
> thanks for your response. I doubt that my entire script will help much,
> but anyway, I attached it (obfuscated a bit, of course :-)
>
> Yes, we are using traffic shaping (qdisc), but not RP_filter.
>
> The netmask for .240 is fine, actually .240 _is_ the router, the router
> sends echo replies to some other hosts in the DMZ for reasons
> unknown ...
>
> And no, this is no PPP network but a leased line instead.
>
> Udo Rader
>
> BestSolution.at GmbH
> http://www.bestsolution.at
>
> On Wed, 2005-06-01 at 15:57 +0300, Sertys wrote:
>> I was totally wrong and realised it a min after sending. In fact why
>> don't you post your whole script. Do you use connection limiting? RP_filter?
>> First - check that the netmask is set correctly on 240. As long as they
>> are on the same segment, they aren't supposed to talk via the router. They
>> just have to ARP discover each other and talk directly. A machine gets to
>> default gw, when the ip is not in the routing table. IS THIS A PPP
>> network?
>>
>> On Wed, 01 Jun 2005 15:50:35 +0300, Sertys <sertys@supportivo.org> wrote:
>>
>> > On Tue, 31 May 2005 10:42:36 +0200, Udo Rader
>> > <udo.rader@bestsolution.at> wrote:
>> >
>> > Those are illegal packets:
>> >> DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00
>> >> PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0
>> > There's no type0&code0 combination.
>> >
>> >> Hi,
>> >>
>> >> I am stuck with a strange phenomenon where iptables drops packages it
>> >> (probably) shouldn't.
>> >>
>> >> The dropped packages are logged like this:
>> >>
>> >> DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00
>> >> PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0
>> >>
>> >> So that means that this is about an icmp echo reply, originating from
>> >> 192.168.100.240, pending to be sent through its internal interface
>> >> (eth1) and destined to 192.168.100.10.
>> >>
>> >> It is completely mysterious to me where this reply comes from, but
>> >> that's not all.
>> >>
>> >> Each of the two hosts involved can ping each other and in the case of a
>> >> ping, iptables does not drop any packages.
>> >>
>> >> If I shut down 192.168.100.10 (a box within the DMZ), it doesn't take
>> >> long until iptables starts to drop packages destined to other boxes in
>> >> the DMZ.
>> >>
>> >> One of the first rules in my iptables setup is this:
>> >>
>> >> iptables -A INPUT -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >> iptables -A OUTPUT -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >> iptables -A FORWARD -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >>
>> >> For the internal interface this is the first rule:
>> >>
>> >> iptables -A INPUT -i eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >> iptables -A FORWARD -i eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >> iptables -A OUTPUT -o eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >> iptables -A FORWARD -o eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m state --state NEW -j ACCEPT
>> >>
>> >> The rule that drops the package is the very last one (the 'catch all')
>> >> rule.
>> >>
>> >> This is something new, because I haven't changed the iptables setup for
>> >> quite some time, so if anybody has any guess on what's going on here.
>> >>
>> >> Udo Rader
>> >>
>> >> BestSolution.at GmbH
>> >> http://www.bestsolution.at
--
www.supportivo.org
I can't stop myself checking for pigs in the outlets. Everybody thinks i'm
a punk, cause of the hairstyle(220V).
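The LOG line quoted in this thread is the usual netfilter KEY=VALUE format, and it has a trap for anyone scripting over it: for ICMP the kernel prints `ID=` twice (the IP header identification, then the ICMP identifier), so a naive dict parse keeps only the second. The following parser is an added example, not code from anyone on this list; it reads such lines, keeps both IDs apart, reads an empty `IN=` as a locally generated packet (the OUTPUT chain case seen here), maps ICMP type 0 to "echo-reply" per RFC 792, and tallies dropped locally generated echo replies per destination so you can see which DMZ hosts are affected. The first sample line is the one from the thread (with the wrapped `TOS=0x00` rejoined); the other two sample lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input. Line 1 is the LOG line quoted in the thread; lines 2 and 3 are
# constructed here to exercise a second destination and a non-ICMP packet.
SAMPLE_LINES: List[str] = [
    "DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0",
    "DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.11 LEN=28 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=32154 PROTO=ICMP TYPE=0 CODE=0 ID=45640 SEQ=1",
    "DROP IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.100.10 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# ICMP type names from RFC 792 (enough to read ping-related log lines).
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

_TOKEN = re.compile(r"(\S+?)=(\S*)")
_START = re.compile(r"(?:^|\s)(IN=.*)$")
_NUMERIC = ("LEN", "TTL", "IP_ID", "ICMP_ID", "TYPE", "CODE", "SEQ", "SPT", "DPT")


def parse_nf_log(line: str) -> Dict[str, object]:
    """Parse one netfilter LOG line into a dict of its KEY=VALUE tokens.

    Everything before the first "IN=" token is the --log-prefix (plus any
    syslog header). Bare flags such as DF or SYN carry no "=" and are skipped.
    The IP header ID (before PROTO=) is stored as IP_ID and, for ICMP, the
    second ID= token (after PROTO=) as ICMP_ID, so neither overwrites the other.
    """
    m = _START.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line: no IN= token")
    fields: Dict[str, object] = {"prefix": line[: m.start(1)].strip()}
    seen_proto = False
    for key, value in _TOKEN.findall(m.group(1)):
        if key == "PROTO":
            seen_proto = True
        if key == "ID":
            key = "ICMP_ID" if seen_proto else "IP_ID"
        fields[key] = value
    for key in _NUMERIC:
        if key in fields:
            fields[key] = int(fields[key])  # type: ignore[arg-type]
    return fields


def describe(fields: Dict[str, object]) -> Tuple[str, Optional[str]]:
    """Classify a parsed line: where the packet came from, and the ICMP type name.

    An empty IN= with an OUT= interface means the packet was built on this host
    (OUTPUT chain), IN= and OUT= both set means it was being forwarded, and an
    empty OUT= means it was addressed to this host (INPUT chain).
    """
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if not in_if and out_if:
        direction = "locally-generated"
    elif in_if and out_if:
        direction = "forwarded"
    elif in_if and not out_if:
        direction = "locally-delivered"
    else:
        direction = "unknown"
    icmp = None
    if fields.get("PROTO") == "ICMP":
        icmp_type = fields.get("TYPE")
        icmp = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")  # type: ignore[arg-type]
    return direction, icmp


def dropped_echo_replies_by_dst(lines: List[str]) -> Dict[str, int]:
    """Count locally generated echo replies per destination across many log lines.

    Non-LOG lines are ignored so the function can be fed a raw syslog extract.
    """
    counts: Dict[str, int] = {}
    for line in lines:
        try:
            fields = parse_nf_log(line)
        except ValueError:
            continue
        direction, icmp = describe(fields)
        if direction == "locally-generated" and icmp == "echo-reply":
            dst = str(fields.get("DST", "?"))
            counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_nf_log(sample)
        print(parsed["prefix"], parsed.get("SRC"), "->", parsed.get("DST"), describe(parsed))
    print(dropped_echo_replies_by_dst(SAMPLE_LINES))
```

Feeding it the three sample lines reports the two locally generated echo replies (one per DMZ destination) and leaves the forwarded TCP line out of the tally; on a real box the same functions can be run over `journalctl -k` or `/var/log/kern.log` output, since the prefix handling tolerates the syslog header in front of `IN=`.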
2005-05-31 8:42 mysterious dropped echo replies Udo Rader
2005-05-31 9:09 ` Sertys
2005-05-31 9:16 ` Sertys
2005-05-31 11:33 ` Udo Rader
2005-05-31 11:40 ` Sertys [this message]
2005-05-31 16:58 ` Udo Rader
2005-05-31 18:38 ` Clemente Aguiar
2005-06-01 2:22 ` Jason Opperisano
2005-06-01 7:50 ` Udo Rader
2005-06-01 8:43 ` Sertys