On Tuesday 2011-11-15 04:07, John A. Sullivan III wrote:
>Hello, all. I find myself perplexed by what I often see in our logs.
>At the end of our FORWARD chain, we log drops for no matches:
>
>[root@fw01 log]# iptables -v -n -L FORWARD
>Chain FORWARD (policy DROP 528K packets, 85M bytes)
> pkts bytes target prot opt in out source destination
> 16M 925M TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>2284M 1690G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>7890K 594M VPN_ALLOW all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0xcccc/0xcccc
> 27M 2609M UPEPIN_DENY all -- * * 0.0.0.0/0 0.0.0.0/0
> 27M 2609M UPEPIN all -- * * 0.0.0.0/0 0.0.0.0/0
> 528K 85M LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `No Match: '
>
>However, my logs are always showing these drops for packets I know
>should be matched in conntrack:
>
>Nov 14 18:45:51 fw01 kernel: No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=194.187.105.194 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48910 DF PROTO=TCP SPT=25 DPT=60261 WINDOW=4
As always, post the *full* ruleset, and do so by using iptables-save. Do
*NOT* use -L.
The use of TCPMSS is generally not needed either - if you do, you are
likely to be wrongly blocking ICMP.
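Added example, not code from either poster: a small Python parser for the kernel LOG-target lines quoted above that labels each logged drop by why it may have fallen past the RELATED,ESTABLISHED rule (a genuine new SYN, a mid-stream packet conntrack had no entry for, or an ICMP error that conntrack would normally treat as RELATED). The sample log is constructed: the first line is the poster's, truncated as it appears in the thread; the other two are made up with RFC 5737 addresses.

```python
from collections import Counter

# Constructed sample log: line 1 is the poster's (truncated as in the thread), 2 and 3 are made up.
SAMPLE_LOG = """\
Nov 14 18:45:51 fw01 kernel: No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34 DST=194.187.105.194 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48910 DF PROTO=TCP SPT=25 DPT=60261 WINDOW=4
Nov 14 18:45:52 fw01 kernel: No Match: IN=bond3 OUT=bond4 SRC=203.0.113.7 DST=172.x.y.34 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 14 18:45:53 fw01 kernel: No Match: IN=bond3 OUT=bond4 SRC=203.0.113.7 DST=172.x.y.34 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=ICMP TYPE=3 CODE=4
"""

LOG_PREFIX = "No Match: "                     # the prefix set on the LOG rule
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}          # ICMP errors conntrack marks RELATED

def parse_nflog_line(line):
    # Split a LOG-target line into key=value fields plus a set of bare flags.
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields, flags = {}, set()
    for tok in line[idx + len(LOG_PREFIX):].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            flags.add(tok)                    # DF, SYN, ACK, ... carry no '='
    fields["flags"] = flags
    return fields

def classify(f):
    # Label why the packet may have missed the RELATED,ESTABLISHED rule.
    proto = f.get("PROTO")
    if proto == "TCP":
        tcp = f["flags"] & TCP_FLAGS
        if tcp == {"SYN"}:
            return "tcp-new-connection"       # a genuine NEW flow: policy decides
        spt, dpt = int(f.get("SPT", 0)), int(f.get("DPT", 0))
        direction = "reply" if spt < 1024 <= dpt else "request"   # service-port heuristic
        if not tcp:
            return "tcp-%s-flags-truncated" % direction   # log line was cut short
        return "tcp-%s-midstream-no-state" % direction    # conntrack had no entry
    if proto == "ICMP" and int(f.get("TYPE", -1)) in ICMP_ERROR_TYPES:
        return "icmp-error-should-be-related"   # e.g. PMTU: type 3 code 4
    return "other"

def summarize(log_text):
    # Count the labels over a whole log; returns a Counter.
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_nflog_line(line)
        if f:
            counts[classify(f)] += 1
    return counts
```

Run `summarize(open("/var/log/messages").read())` to see which label dominates; a pile of `tcp-reply-midstream-no-state` points at conntrack, a pile of `icmp-error-should-be-related` at ICMP being dropped upstream of the state rule.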
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html