From: ratheesh k <ratheesh.ksz@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: multicast packets
Date: Fri, 26 Feb 2010 14:52:23 +0530 [thread overview]
Message-ID: <cfeab66d1002260122o2b0cca06u6bd759c440e00cdb@mail.gmail.com> (raw)
In-Reply-To: <201002260820.06236.christoph.paasch@gmail.com>
>>>>>>>>>>>>Looking a little bit in the source-code it seems that it installs a route
True . it installs multicast route { /prox/net/ip_mr_cache }.
But route comes into play only at POSTROUTING hook . { after reaching
box } .Since i dont have any rule in INPUT to accept those ,it should
be rejected .
You confirmed that IGMP wont go to ESTABLISHED state . I think , i
have to debug more .
On Fri, Feb 26, 2010 at 12:50 PM, Christoph Paasch
<christoph.paasch@gmail.com> wrote:
> I don't know the details about igmpproxy.
> Looking a little bit in the source-code it seems that it installs a route
> inside in the kernel for a certain multicast-stream.
> Thus, multicast-udp will pass your gateway as they don't hit the INPUT chain.
>
> However for the igmp-control traffic I have no idea, why igmpproxy receives
> these.
>
> Christoph
>
> On Fri 26 February 2010, ratheesh k wrote:
>> I am running igmp stream client to stream igmp packets on machine A
>> from internet .I can play files .
>>
>> note : Is igmpproxy running machine B has anything to do with this ?
>>
>>
>>
>> On Fri, Feb 26, 2010 at 12:11 PM, Christoph Paasch
>>
>> <christoph.paasch@gmail.com> wrote:
>> > On Fri 26 February 2010, ratheesh k wrote:
>> >> INPUT policy is DROP
>> >> FORWARD policy is DROP
>> >> OUTPUT policy is accept
>> >>
>> >>
>> >> INPUT chain
>> >> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >> iptables -A INPUT -i eth0 -j ACCEPT
>> >>
>> >>
>> >> FORWARD
>> >> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >> iptables -A INPUT -i eth0 -o eth1 -j ACCEPT
>> >
>> > I imagine that this is a typo and that you meant the FORWARD chain.
>> >
>> >> machine Gateway machine B
>> >> A -------------------->eth0 eth1 -------------> internet
>> >>
>> >> I have a machine A . which is connected to a linux gateway machine .
>> >> Ruleset and policy mentioned are for machine B . There is no iptables
>> >> rules in machine A .
>> >>
>> >> >>>>>>>>>What do you want to achieve ?
>> >>
>> >> As per the current rule , no igmp packet should come to GATEWAY
>> >> machine , since there is no firewall hole in input chain .
>> >>
>> >> >>>>>>>>>>what are you observing?
>> >>
>> >> But i can see , igmp packets flowing into machine B from internet .
>> >
>> > Where can you see these igmp packets? With wireshark/tcpdump? If it is
>> > one of those, than it is normal, because these capture the packets
>> > before the iptables filter.
>> >
>> > Seen your ruleset, the packets should not enter, if they are coming from
>> > the internet.
>> >
>> > Regards,
>> > Christoph
>> >
>> >> On Fri, Feb 26, 2010 at 4:46 AM, Christoph Paasch
>> >>
>> >> <christoph.paasch@gmail.com> wrote:
>> >> > Please, provide more information about your setup.
>> >> >
>> >> > What are the policies of your chains? What is your ruleset?
>> >> > What is your topology?
>> >> > What do you want to achieve, and what are you observing?
>> >> >
>> >> > Christoph
>> >> >
>> >> > On Thu 25 February 2010 wrote ratheesh k:
>> >> >> iptables -A INPUT -m state --state ESTABLISHED,RELATES -j ACCEPT .
>> >> >>
>> >> >> This is the only rule . No firewall hole for igmp packets .
>> >> >>
>> >> >> On Thu, Feb 25, 2010 at 12:08 PM, ratheesh k <ratheesh.ksz@gmail.com>
>> >
>> > wrote:
>> >> >> >>>>>>>>>>udp doesn't go into the established state.
>> >> >> >
>> >> >> > I am running "igmpproxy" on my gateway box . I didnot add any rule
>> >> >> > in INPUT chain to accept igmp packets . But i hve a rule to
>> >> >> > accept all ESTABLISHED state packets . It am able to stream igmp
>> >> >> > from my desktop .
>> >> >> >
>> >> >> > I really believe that " We dont need any rule in FORWARD chain " .
>> >> >> > Because packets are flowing from node to node and routed . So only
>> >> >> > INPUT and OUTPUT chains are involved .
>> >> >> >
>> >> >> > Thanks,
>> >> >> > Ratheesh
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Thu, Feb 25, 2010 at 12:03 AM, Christoph Paasch
>> >> >> >
>> >> >> > <christoph.paasch@gmail.com> wrote:
>> >> >> >> As long as there isn't any return-traffic (as it is the case for
>> >> >> >> multicast- udp), udp doesn't go into the established state.
>> >> >> >>
>> >> >> >> Regards,
>> >> >> >> Christoph
>> >> >> >>
>> >> >> >> On Wed 24 February 2010 wrote ratheesh k:
>> >> >> >>> multicast packets are udp packets . But its flowing only from
>> >> >> >>> upstream to downstream . So packet state will be always "NEW" .
>> >> >> >>> ??
>> >> >> >>>
>> >> >> >>> my question is : whether we can see multicast data packets in
>> >> >> >>> ESTABLISHED state ??
>> >> >> >>>
>> >> >> >>> Thanks,
>> >> >> >>> Ratheesh
>> >> >> >>> --
>> >> >> >>> To unsubscribe from this list: send the line "unsubscribe
>> >> >> >>> netfilter" in the body of a message to majordomo@vger.kernel.org
>> >> >> >>> More majordomo info at
>> >> >> >>> http://vger.kernel.org/majordomo-info.html
>> >> >> >>
>> >> >> >> --
>> >> >> >> Christoph Paasch
>> >> >> >>
>> >> >> >> Alcatel-Lucent
>> >> >> >> IP Development
>> >> >> >>
>> >> >> >> www.rollerbulls.be
>> >> >> >> --
>> >> >> >> --
>> >> >> >> To unsubscribe from this list: send the line "unsubscribe
>> >> >> >> netfilter" in the body of a message to majordomo@vger.kernel.org
>> >> >> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> >> >>
>> >> >> --
>> >> >> To unsubscribe from this list: send the line "unsubscribe netfilter"
>> >> >> in the body of a message to majordomo@vger.kernel.org
>> >> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> >> >
>> >> > --
>> >> > Christoph Paasch
>> >> >
>> >> > Alcatel-Lucent
>> >> > IP Development
>> >> >
>> >> > www.rollerbulls.be
>> >> > --
>> >>
>> >> --
>> >> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> >> the body of a message to majordomo@vger.kernel.org
>> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> >
>> > --
>> > Christoph Paasch
>> >
>> > Alcatel-Lucent
>> > IP Development
>> >
>> > www.rollerbulls.be
>> > --
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
> --
> Christoph Paasch
>
> Alcatel-Lucent
> IP Development
>
> www.rollerbulls.be
> --
>
next prev parent reply other threads:[~2010-02-26 9:22 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-24 14:43 multicast packets ratheesh k
2010-02-24 18:33 ` Christoph Paasch
2010-02-25 6:38 ` ratheesh k
2010-02-25 6:39 ` ratheesh k
2010-02-25 17:52 ` ratheesh k
2010-02-25 23:16 ` Christoph Paasch
2010-02-26 5:17 ` ratheesh k
2010-02-26 6:41 ` Christoph Paasch
2010-02-26 6:50 ` ratheesh k
2010-02-26 7:20 ` Christoph Paasch
2010-02-26 9:22 ` ratheesh k [this message]
2010-03-23 11:27 ` ratheesh k
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cfeab66d1002260122o2b0cca06u6bd759c440e00cdb@mail.gmail.com \
--to=ratheesh.ksz@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.