Packets dropped by iptables

Ow Mun Heng Ow.Mun.Heng at wdc.com
Wed Oct 13 08:14:59 UTC 2004


On Wed, 2004-10-13 at 15:47, Juan L. Pastor wrote:
> On Wed, 2004-10-13 at 08:41, Ow Mun Heng wrote:
> > Actually I would prefer that ICMP Type 8 is disallowed only.
> 
> So the right rules should be:
> 
> -A INPUT -p icmp -m icmp --icmp-type 8 -j LOGDROP
> -A INPUT -p icmp -j ACCEPT

I guess that would be OK
> 
> > > If these are ACK packets, I assume that they are a response to a previously
> > > established communication. How can I let these packets come into my
> > 
> > Based on the logs, yes they would seem to be ACK packets, but look at
> > the DST, these are supposed to be non-routable addresses 192.168.x.x,
> > which I think _should_ be rejected.
> > 
> > Unless you are running NAT and you're doing DNAT. (?) are you?
> 
> My linux box (192.168.1.2) is connected through an ADSL router
> (192.168.1.1, internal IP) so I guess it is OK to let them come into my
> box. How can I manage that?

Ah... You didn't mention that earlier.
In that case, you will have to manage your ADSL router instead.
(that is, if your ADSL router is doing the packet filtering, which I
think it is.)

Your Linux box will _never_, repeat _never_ see any packets not already
allowed by the router. (presuming it's doing its job)

What you need to do is to do port-forwarding on your router to permit
packets or rather to route packets to the p2p software.

That's what they call Destination NAT (DNAT).

What's your router box? I don't have much experience with a hardware
router. All I use are Linux IPTables/Shorewall boxes.


-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 16:11:18 up 7:00, 7 users, load average: 0.60, 0.65, 0.70 
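An added example, not part of the thread, that writes out both rulesets discussed above as a shell script: the two ICMP rules from the quoted reply, preceded by a definition of the LOGDROP chain (the thread uses the chain but never shows it; the rate-limited LOG-then-DROP body is an assumption), and the DNAT port-forward that a Linux router such as the iptables/Shorewall boxes mentioned above would need in front of Juan's 192.168.1.2 host. The WAN interface `ppp0` and the p2p port `6881/tcp` are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Prints (or, with APPLY=1 as root, applies) two rulesets:
#   (a) host rules: log-and-drop inbound ICMP echo requests (type 8), accept other ICMP
#   (b) router rules: DNAT one p2p port to the internal host and allow it through FORWARD
# Placeholders (assumptions, not from the thread): WAN_IF=ppp0, P2P_PORT=6881.
# LAN_HOST=192.168.1.2 is the address the thread gives for the Linux box.
WAN_IF="${WAN_IF:-ppp0}"
LAN_HOST="${LAN_HOST:-192.168.1.2}"
P2P_PORT="${P2P_PORT:-6881}"

# (a) Host rules. LOGDROP is a user-defined chain: rate-limit the log line so a
# ping flood cannot fill the syslog, then drop. Echo replies (type 0) and other
# ICMP still reach the host, so its own outbound pings keep working.
icmp_rules() {
    cat <<EOF
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP: "
iptables -A LOGDROP -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j LOGDROP
iptables -A INPUT -p icmp -j ACCEPT
EOF
}

# (b) Router rules. The destination is rewritten in nat/PREROUTING; the FORWARD
# chain then sees the translated address, so the accept rule matches LAN_HOST,
# not the router's public IP. Only the one port is opened, and the return path
# is restricted to packets of an already established connection.
dnat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $P2P_PORT -j DNAT --to-destination $LAN_HOST:$P2P_PORT
iptables -A FORWARD -i $WAN_IF -p tcp -d $LAN_HOST --dport $P2P_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $WAN_IF -p tcp -s $LAN_HOST --sport $P2P_PORT -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Print by default; only execute when explicitly asked for and running as root.
main() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        icmp_rules | sh -e
        dnat_rules | sh -e
    else
        icmp_rules
        dnat_rules
    fi
}

main
```

Run it once without arguments to review the generated commands, then `APPLY=1 ./rules.sh` as root to load them. The `dnat_rules` set belongs on the router, not on the box behind it: as the reply above says, the host will never see a packet the router did not already forward, so the host only needs the `icmp_rules` part. With a hardware ADSL router the same two facts (rewrite the destination, allow the forwarded port) are what its port-forwarding page configures.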



