On Wed, Dec 12, 2001 at 11:18:51PM -0500, Larry Sanders wrote:
<snip>
> 
> Then here is the listing from: iptables -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth1   any     192.168.127.0/24     anywhere
>     0     0 DROP       all  --  any    any     anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth0   ppp0    192.168.27.0/24      anywhere
>     0     0 ACCEPT     all  --  eth1   ppp0    192.168.127.0/24     anywhere
>     0     0 LOG        all  --  any    any     anywhere             anywhere             LOG level warning prefix `FORWARD DROP:'
>     0     0 DROP       all  --  any    any     anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT 24 packets, 2016 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> ======================================================
> 
> And here is the entry in the /var/log/messages from when a user on the
> trusted network (192.168.127.2) pinged the name server for the ISP.
> 
> Dec 12 20:37:57 gate kernel: FORWARD DROP:IN=ppp0 OUT=eth1 SRC=207.115.59.241 DST=192.168.127.2 LEN=140 TOS=0x00 PREC=0x00 TTL=11 ID=34185 PROTO=UDP SPT=53 DPT=1521 LEN=120
> 
> Why is this packet, coming in on ppp0, dropped??  Why is this answer to a
> ping not being recognized as an answer to this ping?
> 
> Derek, thanks in advance.
> Larry S.
> :-)
(Standing in for Derek until he gets around to it.) I'm more familiar
with ipchains than iptables. I think iptables changed the definitions of
"input", "output" and "forward" slightly, which confuses me. But...

Here's what I see as a non-expert looking at the obvious. A packet from
207.115.59.241 to your ppp0 interface was dropped (according to your
log). I assume that was the _answer_ from your ISP. If you look at the
"in" column in ipchains -L -v above, you don't see ppp0 in that column
anywhere. What you do see is eth0 and eth1. The log appears to say that
iptables was using the FORWARD chain to route this packet. This is
reinforced by the fact that the packet was logged; no other chain has a
logging target. Your FORWARD chain (according to ipchains -L -v) says
that it will accept packets from eth0 or eth1 going to ppp0, but it will
drop and log anything else, which is what it did here.

So I'd say that you can ping all you like, but if the answer is coming
back on ppp0, it's just going to drop and log. You need to add a rule
about accepting inbound traffic on ppp0.

However, from what I understand, iptables introduced the concept of
"stateful" inspection and routing. I believe this means that iptables
can keep track of "conversations", rather than just packets. That is, it
can monitor outbound traffic and keep track of whether an inbound packet
is in answer to a previous outbound one. I believe it can do this with a
greater economy of rules than on ipchains, which couldn't track
"conversations" at all. So it may be that a simple tweak of the rules
can resolve the problem, rather than adding a lot of new rules to
compensate, the way you have to with ipchains.

(If any of this is wrong or inaccurate, please correct me.)

Paul
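The chain walk Paul describes, as an added example that is not part of the thread and not anyone's firewall script: a small Python model of the FORWARD chain from Larry's listing, evaluated once as posted and once with a connection-tracking rule in front of it. The logged packet is taken from the post (note that it is a UDP datagram from port 53, i.e. a DNS reply, which is what the ping had to look up first). The outbound query that provoked it is a constructed sample, with its source port taken from the reply's DPT=1521. The conntrack model is deliberately simplified (a flow is remembered only once a packet of it is accepted), and the extra rule stands in for something like `iptables -I FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT`, which is an assumed fix, not one given in the thread. The last function shows why that rule is preferable to a blanket accept on ppp0: with an empty conntrack table the very same inbound datagram is still logged and dropped.

```python
"""Toy model of iptables FORWARD-chain evaluation, with and without conntrack.

Added example; not from the original mailing-list thread. Interface names,
addresses and the logged reply packet come from the post above; the outbound
DNS query and the stateful rule are constructed/assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def tuple5(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_tuple(self):
        # The 5-tuple a reply to this packet would carry (src/dst swapped).
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT, DROP or LOG
    in_if: Optional[str] = None         # -i
    out_if: Optional[str] = None        # -o
    src_net: Optional[str] = None       # -s
    states: Optional[frozenset] = None  # -m state --state ... (assumed rule)
    log_prefix: str = ""                # --log-prefix


class Conntrack:
    """Simplified connection table: remembers flows whose packets were accepted."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt: Packet) -> str:
        # A packet of a known flow, in either direction, is ESTABLISHED.
        if pkt.tuple5() in self.flows or pkt.reply_tuple() in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def note(self, pkt: Packet) -> None:
        if self.state(pkt) == "NEW":
            self.flows.add(pkt.tuple5())


def matches(rule: Rule, pkt: Packet, ct: Conntrack) -> bool:
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.out_if and rule.out_if != pkt.out_if:
        return False
    if rule.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.states is not None and ct.state(pkt) not in rule.states:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, ct: Conntrack, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom; LOG is non-terminating, ACCEPT/DROP end the walk."""
    logs = []
    verdict = policy
    for rule in chain:
        if not matches(rule, pkt, ct):
            continue
        if rule.target == "LOG":
            logs.append(f"{rule.log_prefix}IN={pkt.in_if} OUT={pkt.out_if} SRC={pkt.src} "
                        f"DST={pkt.dst} PROTO={pkt.proto} SPT={pkt.sport} DPT={pkt.dport}")
            continue
        verdict = rule.target
        break
    if verdict == "ACCEPT":
        ct.note(pkt)
    return verdict, logs


# The FORWARD chain exactly as listed in the post (policy ACCEPT).
ORIGINAL_FORWARD = [
    Rule("ACCEPT", in_if="eth0", out_if="ppp0", src_net="192.168.27.0/24"),
    Rule("ACCEPT", in_if="eth1", out_if="ppp0", src_net="192.168.127.0/24"),
    Rule("LOG", log_prefix="FORWARD DROP:"),
    Rule("DROP"),
]

# Assumed fix: one stateful rule inserted at the top of the same chain.
STATEFUL_FORWARD = [Rule("ACCEPT", in_if="ppp0", states=frozenset({"ESTABLISHED", "RELATED"}))] + ORIGINAL_FORWARD

# Constructed outbound DNS query (source port taken from the logged DPT).
DNS_QUERY = Packet("eth1", "ppp0", "192.168.127.2", "207.115.59.241", "UDP", 1521, 53)
# The inbound packet from the /var/log/messages line in the post.
DNS_REPLY = Packet("ppp0", "eth1", "207.115.59.241", "192.168.127.2", "UDP", 53, 1521)


def run_scenario(chain: List[Rule]) -> Tuple[str, str, List[str]]:
    """Send the query out, then feed the reply in; return both verdicts and any log lines."""
    ct = Conntrack()
    query_verdict, _ = evaluate(chain, DNS_QUERY, ct)
    reply_verdict, logs = evaluate(chain, DNS_REPLY, ct)
    return query_verdict, reply_verdict, logs


def unsolicited(chain: List[Rule]) -> str:
    """Same inbound datagram, but nothing went out first (empty conntrack table)."""
    return evaluate(chain, DNS_REPLY, Conntrack())[0]


if __name__ == "__main__":
    for name, chain in (("as posted", ORIGINAL_FORWARD), ("with state rule", STATEFUL_FORWARD)):
        q, r, logs = run_scenario(chain)
        print(f"{name}: query={q} reply={r} logs={logs} unsolicited={unsolicited(chain)}")
```

Running it shows the posted chain accepting the query and then logging and dropping the reply with exactly the `FORWARD DROP:IN=ppp0 OUT=eth1` prefix seen in the syslog line, while the chain with the state rule accepts the reply without logging and still drops the same datagram when no matching outbound flow exists.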
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:12:01 EDT