From: "C. L. Martinez" <carlopmart@gmail.com>
To: netfilter@vger.kernel.org
Subject: Problems with a forward rule
Date: Fri, 11 May 2012 17:04:51 +0200
Message-ID: <CAEjQA5JVsMUizFWODGe+OT88owqbPU0=ZjtRugq6Eg8z1U3A=w@mail.gmail.com>

Hi all,

 I have set up the following rules in a centos6 gateway:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   300 TCPFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   300 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  *      *       240.0.0.0/5          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.196.129.255
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8 limit: avg 1/sec burst 1
    0     0 SSH        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT INPUT packet died: '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       172.24.50.3          0.0.0.0/0           state NEW
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT FORWARD packet died: '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   300 TCPFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   300 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT OUTPUT packet died: '

Chain BADFLAGS (8 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT TCPFLAGS: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 1
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `IPT SSH connection too fast: '
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain TCPFLAGS (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4 prefix `IPT INVALID: '
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x11/0x01
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x18/0x08
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x30/0x20
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x05/0x05
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06
    0     0 BADFLAGS   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00

All works ok, except when I try to restrict one host to go out via the
external interface. My problem is with the following rule:

    0     0 ACCEPT     all  --  *      *       172.24.50.3          0.0.0.0/0           state NEW

If I try to restrict the destination, it doesn't work. For example, using this rule:

iptables -A FORWARD -s 172.24.50.3 -d 1.1.1.0/24 -m state --state NEW -j ACCEPT

it only works if I do:

 iptables -A FORWARD -s 172.24.50.3 -m state --state NEW -j ACCEPT

Then, what am I doing wrong?
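An added example, not part of the original post: a small Python decoder for the `tcp flags:[!]MASK/COMP` notation that `iptables -L -v -n` prints in the TCPFLAGS chain above, so each BADFLAGS/REJECT rule can be read as "which flags are examined, which must be set, which must be clear" and checked against a packet's flag byte. The flag bit values are the standard TCP header bits; the sample chain text is copied from the post and unwrapped.

```python
import re

# TCP flag bits as iptables --tcp-flags encodes them (FIN is bit 0).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
             0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Matches the 'tcp flags:[!]0xMASK/0xCOMP' fragment printed by iptables -L -n.
FLAG_RE = re.compile(r"tcp flags:(!?)0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)")

# Sample input: rule lines copied from the TCPFLAGS chain in the post, unwrapped.
SAMPLE_CHAIN = """\
BADFLAGS tcp flags:!0x17/0x02 state NEW
REJECT   tcp flags:0x12/0x12 state NEW reject-with tcp-reset
BADFLAGS tcp flags:0x11/0x01
BADFLAGS tcp flags:0x03/0x03
BADFLAGS tcp flags:0x3F/0x00
"""

def flag_names(bits):
    """Names of the flags set in a bitmask, e.g. 0x03 -> 'FIN,SYN'."""
    return ",".join(n for b, n in sorted(TCP_FLAGS.items()) if bits & b) or "none"

def parse_flags(rule_text):
    """Return (negated, mask, comp) for a rule line, or None if it has no flag match."""
    m = FLAG_RE.search(rule_text)
    if not m:
        return None
    return m.group(1) == "!", int(m.group(2), 16), int(m.group(3), 16)

def decode_tcp_flags(rule_text):
    """Explain a mask/comp pair: the flags in MASK are examined and the rule
    matches when exactly those in COMP are set (the rest of MASK clear)."""
    parsed = parse_flags(rule_text)
    if parsed is None:
        return None
    negated, mask, comp = parsed
    desc = "examine %s: require %s set and %s clear" % (
        flag_names(mask), flag_names(comp), flag_names(mask & ~comp))
    return "NOT (" + desc + ")" if negated else desc

def rule_matches(rule_text, packet_flags):
    """Apply the rule's flag test to a packet's raw flag byte, as the kernel does."""
    parsed = parse_flags(rule_text)
    if parsed is None:
        return True          # no flag condition in the rule, so flags don't restrict it
    negated, mask, comp = parsed
    hit = (packet_flags & mask) == comp
    return not hit if negated else hit

def decode_chain(text):
    """Map each rule line of a chain listing to (target, explanation)."""
    return [(l.split()[0], decode_tcp_flags(l)) for l in text.splitlines() if l.strip()]
```

For instance, the first rule reads as "NOT (examine FIN,SYN,RST,ACK: require SYN set and FIN,RST,ACK clear)", so a clean SYN passes it and a NEW-state packet with any other combination of those flags goes to BADFLAGS.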
