Packets dropped by iptables

Ow Mun Heng Ow.Mun.Heng at wdc.com
Wed Oct 13 06:41:54 UTC 2004


On Wed, 2004-10-13 at 14:24, Juan L. Pastor wrote:
> On Tue, 2004-10-12 at 21:42, Alexander Dalloz wrote:
> 
> > > -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> > 
> > You drop all other ICMP types other than echo (=8). That is bad. ICMP is
> > an important protocol and blocking specific types will break things! If
> > you don't know for sure why you block a specific ICMP type then just
> > don't. You gain no security.
> 
> So I guess I should change this line with:
> 
> -A INPUT -p icmp -j ACCEPT
> 
> Is this OK?

Actually I would prefer that ICMP Type 8 is disallowed only.

> 
> > > Oct 12 21:18:52 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT=
> > > MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=62.48.113.158
> > > DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=21077 PROTO=TCP
> > > SPT=4662 DPT=36569 WINDOW=0 RES=0x00 ACK RST URGP=0
> > > 
> > > I think these are acknowledge packets, and they should be accepted (BTW,
> > > 4662 is my TCP port for amule). Why are they not accepted by the above
> > > rules (state ESTABLISHED) and how can I accept these dropped packets?
> > 
> > What tells you that these are ESTABLISHED (or RELATED) connections? If
> > they would be, then they would not go to the LOGDROP chain. If running a
> > P2P client such connection attempts are pretty normal. This is how P2P
> > works.
> 
> If these are ACK packets, I assume that they are response to a previously
> established communication. How can I let these packets come into my

Based on the logs, yes they would seem to be ACK packets, but look at
the DST, these are supposed to be non-routable addresses 192.168.x.x,
which I think _should_ be rejected.

Unless you are running NAT and you're doing DNAT. (?) are you?

-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 14:38:00 up 5:26, 4 users, load average: 0.87, 0.76, 0.52 
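The log line quoted above can be read mechanically, and doing so makes the two points of the thread (why a lone ACK+RST does not match ESTABLISHED, and why a private DST only matters if a gateway is doing NAT/DNAT) easy to check. The following is an added example and not code from the thread or from any of its participants: a small Python parser for iptables LOG-target lines, with a classifier that states which conntrack state an untracked TCP packet ends up in. The first sample line is the one from the thread re-joined onto one line; the second line (source 198.51.100.7, a plain SYN) is constructed here for contrast. The `untracked_state` and `explain` helpers, and the syslog framing the regex assumes, are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the LOG line quoted in the thread, re-joined onto one
# line, plus a second line (constructed, not from the thread) carrying a plain SYN
# so the two cases can be compared.
SAMPLE_LOG = [
    "Oct 12 21:18:52 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT= "
    "MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=62.48.113.158 "
    "DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=21077 PROTO=TCP "
    "SPT=4662 DPT=36569 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Oct 12 21:19:03 kalimotxo kernel: Bad packet from eth0:IN=eth0 OUT= "
    "MAC=00:50:8d:e3:19:cb:00:90:d0:bc:56:db:08:00 SRC=198.51.100.7 "
    "DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP "
    "SPT=51234 DPT=4662 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Assumed syslog framing: "<Mon dd hh:mm:ss> <host> kernel: <log-prefix><fields>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str                                   # the --log-prefix text
    fields: dict = field(default_factory=dict)    # KEY=VALUE pairs (OUT= gives "")
    flags: set = field(default_factory=set)       # bare tokens: DF/MF and TCP flags


def parse_iptables_log(line: str) -> LogEntry:
    """Split one LOG-target line into prefix, key=value fields and bare flag tokens.
    Assumes the field list starts at the first 'IN=' token, which is how the LOG
    target lays the line out; the prefix is whatever precedes it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a kernel syslog line: {line!r}")
    body = m.group("body")
    start = body.find("IN=")
    if start < 0:
        raise ValueError("no IN= field; not an iptables LOG line")
    entry = LogEntry(m.group("ts"), m.group("host"), body[:start])
    for tok in body[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry.fields[key] = value
        else:
            entry.flags.add(tok)
    return entry


def untracked_state(entry: LogEntry) -> str:
    """State the conntrack TCP tracker assigns to a packet that matched neither
    ESTABLISHED nor RELATED (it reached the LOGDROP chain, so no tracked
    connection claimed it)."""
    if entry.fields.get("PROTO") != "TCP":
        return "n/a"
    tcp = entry.flags & TCP_FLAGS
    if tcp == {"SYN"}:
        return "NEW"            # a fresh handshake: the only way to open a flow
    if "RST" in tcp:
        return "INVALID"        # a reset cannot start a connection; nothing matches
    return "INVALID-or-NEW"     # mid-stream ACK/FIN with no entry: depends on the
                                # tracker's loose-pickup configuration


def explain(entry: LogEntry) -> list:
    """Defender's reading of why the packet was dropped and what to check."""
    notes = [f"conntrack view: {untracked_state(entry)}"]
    f = entry.fields
    tcp = entry.flags & TCP_FLAGS
    if "RST" in tcp and "ACK" in tcp:
        notes.append(
            f"ACK+RST from {f['SRC']}:{f['SPT']} to local port {f['DPT']}: a peer "
            "resetting a flow the local tracker no longer (or never) knew about; "
            "normal for P2P peers and not a reason to loosen the rules")
    dst = ipaddress.ip_address(f["DST"])
    if dst.is_private:
        notes.append(
            f"DST {dst} is private address space; an Internet source reaches it "
            "only through a gateway doing NAT/DNAT, so check the gateway's rules")
    return notes


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_iptables_log(line)
        print(e.prefix.strip(), e.fields["SRC"], "->", e.fields["DST"],
              sorted(e.flags & TCP_FLAGS))
        for n in explain(e):
            print("  -", n)
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the lines that carry your `--log-prefix`; the useful output is the conntrack view per line, which shows at a glance that an ACK+RST to a high local port is a reset for a flow conntrack does not hold, not an ESTABLISHED packet the rules failed to accept.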