From: ratheesh k <ratheesh.ksz@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: multicast packets
Date: Fri, 26 Feb 2010 10:47:24 +0530 [thread overview]
Message-ID: <cfeab66d1002252117p3ecaba32l265f102d0e61a43b@mail.gmail.com> (raw)
In-Reply-To: <201002260016.03945.christoph.paasch@gmail.com>
> >>What are the policies of your chains?
INPUT policy is DROP
FORWARD policy is DROP
OUTPUT policy is accept
>> What is your ruleset?
INPUT chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -o eth1 -j ACCEPT
>>>>>>>> What is your topology?
machine Gateway machine B
A -------------------->eth0 eth1 -------------> internet
I have a machine A . which is connected to a linux gateway machine .
Ruleset and policy mentioned are for machine B . There is no iptables
rules in machine A .
>>>>>>>>>What do you want to achieve ?
As per the current rule , no igmp packet should come to GATEWAY
machine , since there is no firewall hole in input chain .
>>>>>>>>>>what are you observing?
But i can see , igmp packets flowing into machine B from internet .
Thanks,
Ratheesh
On Fri, Feb 26, 2010 at 4:46 AM, Christoph Paasch
<christoph.paasch@gmail.com> wrote:
> Please, provide more information about your setup.
>
> What are the policies of your chains? What is your ruleset?
> What is your topology?
> What do you want to achieve, and what are you observing?
>
> Christoph
>
>
> On Thu 25 February 2010 wrote ratheesh k:
>> iptables -A INPUT -m state --state ESTABLISHED,RELATES -j ACCEPT .
>>
>> This is the only rule . No firewall hole for igmp packets .
>>
>> On Thu, Feb 25, 2010 at 12:08 PM, ratheesh k <ratheesh.ksz@gmail.com> wrote:
>> >>>>>>>>>>udp doesn't go into the established state.
>> >
>> > I am running "igmpproxy" on my gateway box . I didnot add any rule in
>> > INPUT chain to accept igmp packets . But i hve a rule to accept all
>> > ESTABLISHED state packets . It am able to stream igmp from my desktop
>> > .
>> >
>> > I really believe that " We dont need any rule in FORWARD chain " .
>> > Because packets are flowing from node to node and routed . So only
>> > INPUT and OUTPUT chains are involved .
>> >
>> > Thanks,
>> > Ratheesh
>> >
>> >
>> >
>> > On Thu, Feb 25, 2010 at 12:03 AM, Christoph Paasch
>> >
>> > <christoph.paasch@gmail.com> wrote:
>> >> As long as there isn't any return-traffic (as it is the case for
>> >> multicast- udp), udp doesn't go into the established state.
>> >>
>> >> Regards,
>> >> Christoph
>> >>
>> >> On Wed 24 February 2010 wrote ratheesh k:
>> >>> multicast packets are udp packets . But its flowing only from
>> >>> upstream to downstream . So packet state will be always "NEW" . ??
>> >>>
>> >>> my question is : whether we can see multicast data packets in
>> >>> ESTABLISHED state ??
>> >>>
>> >>> Thanks,
>> >>> Ratheesh
>> >>> --
>> >>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> >>> the body of a message to majordomo@vger.kernel.org
>> >>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> >>
>> >> --
>> >> Christoph Paasch
>> >>
>> >> Alcatel-Lucent
>> >> IP Development
>> >>
>> >> www.rollerbulls.be
>> >> --
>> >> --
>> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> >> the body of a message to majordomo@vger.kernel.org
>> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Christoph Paasch
>
> Alcatel-Lucent
> IP Development
>
> www.rollerbulls.be
> --
>
next prev parent reply other threads:[~2010-02-26 5:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-24 14:43 multicast packets ratheesh k
2010-02-24 18:33 ` Christoph Paasch
2010-02-25 6:38 ` ratheesh k
2010-02-25 6:39 ` ratheesh k
2010-02-25 17:52 ` ratheesh k
2010-02-25 23:16 ` Christoph Paasch
2010-02-26 5:17 ` ratheesh k [this message]
2010-02-26 6:41 ` Christoph Paasch
2010-02-26 6:50 ` ratheesh k
2010-02-26 7:20 ` Christoph Paasch
2010-02-26 9:22 ` ratheesh k
2010-03-23 11:27 ` ratheesh k
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cfeab66d1002252117p3ecaba32l265f102d0e61a43b@mail.gmail.com \
--to=ratheesh.ksz@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.