* ipt_hook: happy cracking with 2.6.0-test9-bk7
From: Udo A. Steinberg @ 2003-11-05 7:30 UTC (permalink / raw)
To: netfilter

[ please CC: me on replies because I'm not subscribed to the netfilter list ]

Hi,

I'm currently running Linux-2.6.0-test9-bk7 compiled with gcc-3.3.2.
After upgrading from -test9 to -test9-bk7 I'm getting a lot of

    ipt_hook: happy cracking.

messages. Google search revealed that this indicates broken packets being
sent out from the machine - and this is indeed so.

The problem goes away, if I remove all my firewall rules, which looks to me
as if netfilter's --reject-with is the culprit.

Below is my netfilter configuration (not wrapped for readability reasons).
Can anyone comment on what might be going wrong here?

-Udo.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
TCP        tcp  --  0.0.0.0/0            0.0.0.0/0
UDP        udp  --  0.0.0.0/0            0.0.0.0/0
ICMP       icmp --  0.0.0.0/0            0.0.0.0/0
IGMP       2    --  0.0.0.0/0            0.0.0.0/0
IPV6       41   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 6 prefix `IP Drop: '

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ICMP (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
LOG        icmp --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 6 prefix `ICMP Drop: '
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain IGMP (1 references)
target     prot opt source               destination
ACCEPT     2    --  0.0.0.0/0            0.0.0.0/0

Chain IPV6 (1 references)
target     prot opt source               destination
ACCEPT     41   --  0.0.0.0/0            0.0.0.0/0

Chain TCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  141.30.0.0/16        0.0.0.0/0            state NEW multiport dports 22,111,137,138,139 tcp flags:0x16/0x02
ACCEPT     tcp  --  141.76.0.0/16        0.0.0.0/0            state NEW multiport dports 22,111,137,138,139 tcp flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW multiport dports 113,522 tcp flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:1024:65535 flags:0x16/0x02
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 6 prefix `TCP Drop: '
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset

Chain UDP (1 references)
target     prot opt source               destination
ACCEPT     udp  --  141.30.0.0/16        0.0.0.0/0            state NEW multiport dports 111,137,138,139
ACCEPT     udp  --  141.76.0.0/16        0.0.0.0/0            state NEW multiport dports 111,137,138,139
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW multiport dports 123,517,518
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:1024:65535
LOG        udp  --  0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 3 LOG flags 0 level 6 prefix `UDP Drop: '
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

* Re: ipt_hook: happy cracking with 2.6.0-test9-bk7
From: Harald Welte @ 2003-11-07 16:44 UTC (permalink / raw)
To: Udo A. Steinberg; +Cc: netfilter
On Wed, Nov 05, 2003 at 08:30:15AM +0100, Udo A. Steinberg wrote:
>
> [ please CC: me on replies because I'm not subscribed to the netfilter list ]
>
> Hi,
>
> I'm currently running Linux-2.6.0-test9-bk7 compiled with gcc-3.3.2.
> After upgrading from -test9 to -test9-bk7 I'm getting a lot of
>
> ipt_hook: happy cracking.
>
> messages. Google search revealed that this indicates broken packets being
> sent out from the machine - and this is indeed so.
>
> The problem goes away, if I remove all my firewall rules, which looks to me
> as if netfilter's --reject-with is the culprit.

if your firewalls are removed, the respective 'happy cracking' code will
never be run - and thus you'd never get that message.

you could try to tcpdump-capture all outgoing traffic in order to find
out which packets are broken.

--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
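
One way to carry out the capture check suggested in the reply above, as an added example that is not part of either message: save outgoing traffic to a file with tcpdump's -w option and scan it for IPv4 packets whose header cannot be valid. It assumes a classic microsecond pcap file with Ethernet link type, and it assumes that "broken" means a packet shorter than 20 bytes or one with an IHL below 5; the function names and the sample capture are constructed for illustration.

```python
import struct

def ipv4_defects(ip: bytes) -> list:
    """Reasons an outgoing IPv4 packet (bytes from the IP header on) is malformed."""
    if len(ip) < 20:
        return ["only %d bytes, shorter than a minimal IPv4 header" % len(ip)]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    reasons = []
    if ihl < 20:
        reasons.append("IHL says %d bytes, minimum is 20" % ihl)
    if total < max(ihl, 20):
        reasons.append("total length %d is smaller than the header" % total)
    return reasons

def scan_pcap(data: bytes) -> list:
    """Return (packet number, IP protocol, reasons) for each malformed IPv4 packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off, number = [], 24, 0
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off, number = off + 16 + caplen, number + 1
        if frame[12:14] != b"\x08\x00":      # not IPv4 (VLAN tags not handled)
            continue
        ip = frame[14:]
        reasons = ipv4_defects(ip)
        if reasons:
            hits.append((number, ip[9] if len(ip) > 9 else None, reasons))
    return hits

def sample_pcap() -> bytes:
    """Constructed capture: one sane packet, one with IHL=4, one cut to 12 bytes."""
    def ip(ihl, proto, payload=b""):
        return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(payload), 0, 0, 64,
                           proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload
    packets = [ip(5, 6, b"\0" * 20), ip(4, 6, b"\0" * 20), ip(5, 1)[:12]]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        frame = b"\x02" * 12 + b"\x08\x00" + p
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for number, proto, reasons in scan_pcap(sample_pcap()):
        print("packet %d (IP protocol %s): %s" % (number, proto, "; ".join(reasons)))
```

The reported IP protocol number (6 for TCP, 1 for ICMP) shows which kind of generated packet is malformed, which can then be compared against the REJECT rules in the posted ruleset.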