
Re: Iptables....

On Tuesday 28 January 2003 07:29, Victor Batista wrote:
> Hello!
>             My firewall has a rule that protects against new connections
> without the syn flag. I am logging these rejected packets.
>             I am observing lots of these packets being dropped, with
> origin in one of my servers. The Origin port is 80. I am also listening on
> port 80 on this machine (Apache). Are these connection attempts being
> made by apache, or can they be originated by a different program? If it
> is Apache, what is the reason?
>             Jan 27 20:07:00 firewall kernel: Firewall LOG-IN=eth1
> PREC=0x00 TTL=63 ID=15690 DF PROTO=TCP SPT=80 DPT=11723 WINDOW=31740

This packet is being sent by apache as a response to some client connection, from 
the looks. What are your rules for matching against new connections without 
the syn flag? I suspect you may have a problem with your rules.

>             I am using DNAT. The packets which are addressed to DNATed
> machines pass through the INPUT->OUTPUT chains, right? Or do they pass
> by the FORWARD chain?

Anything not addressed to the local machine passes through the forward chain. 
When using DNAT, the destination address is re-written as it comes in. This 
is part of the pre-routing table.

This means that if the address is rewritten to a different machine than the 
local host (which I'm assuming it is otherwise you wouldn't be needing 
DNAT!), it will traverse the filter table through the forward chain. It does 
not traverse either the input or output chains of the filter table. These are 
only for packets destined for the local host (input) or packets originating 
from the local host (output).

There seems to be a lot of confusion about iptables and how things work. This 
is really surprising, because the howtos at www.iptables.org are really very 
clear and describe all of this in detail. I recommend anyone who runs 
iptables read the filter howto and the NAT howto.
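
The traversal described above, modelled as an added example (not part of the original message): a small Python sketch of which filter-table chain a packet reaches once nat PREROUTING has applied DNAT. The addresses, the DNAT rule and all names are constructed assumptions; port 11723 is the one from the logged packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed topology (assumption): the firewall's own addresses and one DNAT rule.
LOCAL_ADDRS = {ip_address("203.0.113.1"), ip_address("192.168.1.1")}
# nat PREROUTING: (original destination, destination port) -> rewritten destination
DNAT_RULES = {(ip_address("203.0.113.1"), 80): ip_address("192.168.1.10")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    local_origin: bool = False  # generated by a process on the firewall itself


def filter_chain(pkt):
    """Return (filter chain traversed, destination address that chain sees)."""
    dst = ip_address(pkt.dst)
    if pkt.local_origin:
        return "OUTPUT", dst  # packets originating from the local host
    # DNAT rewrites the destination before the routing decision is made.
    dst = DNAT_RULES.get((dst, pkt.dport), dst)
    if dst in LOCAL_ADDRS:
        return "INPUT", dst  # destined for the local host
    return "FORWARD", dst  # everything else is routed through


# Constructed sample packets.
SAMPLES = {
    "client -> DNATed web server": Packet("198.51.100.7", "203.0.113.1", 11723, 80),
    "web server reply (SPT=80)": Packet("192.168.1.10", "198.51.100.7", 80, 11723),
    "client -> firewall ssh": Packet("198.51.100.7", "203.0.113.1", 40000, 22),
    "firewall ssh reply": Packet("203.0.113.1", "198.51.100.7", 22, 40000, True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        chain, dst = filter_chain(pkt)
        print(f"{name:30} {chain:8} dst={dst}")
```

Both directions of the DNATed connection land in FORWARD, so a "new without SYN" rule has to be written for and evaluated in that chain; the model leaves out connection tracking and the reverse address translation of replies.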
