iptables help needed
François Patte
francois.patte at math-info.univ-paris5.fr
Wed Jun 4 17:31:15 UTC 2008
On 04.06.2008 14:05, Simon Slater wrote:
| On Wed, 2008-06-04 at 10:05 +0200, François Patte wrote:
|> On 04.06.2008 01:03, Simon Slater wrote:
|>
|
|>
| These are the type of logs now. None of these are appearing in timing
| with requests to the Internet from the laptop:
|
| [root@ipex ~]# tail /var/log/messages
| Jun 4 21:41:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
| SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
| ID=5893 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
| Jun 4 21:41:38 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
| SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
| ID=5938 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
Someone in Tahiti is scanning your computer.... No danger though!
| [root@ipex ~]#
|
| However, when a request is made to the Internet from the desktop:
|
| Jun 4 21:59:31 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
| SRC=59.101.218.205 DST=203.63.53.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64
| ID=3672 DF PROTO=TCP SPT=48673 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
No problem here: every packet escaping from your desktop uses the
"postrouting" chain.... And is logged by the rule.
What is strange: we never see any request from the laptop: we should see
some logged packets with SRC=laptop IP (192.168.0.6 as you said). What
is the IP of eth0 on your desktop? (ifconfig -a)
|
| [root@ipex ~]# lsmod | grep -i masquerade
| ipt_MASQUERADE 7873 1
| ip_nat 22253 2 ipt_MASQUERADE,iptable_nat
| ip_conntrack 56993 6 ip_conntrack_ftp,ip_conntrack_netbios_ns,ipt_MASQUERADE,iptable_nat,ip_nat,xt_state
| x_tables 18501 12 ipt_MASQUERADE,iptable_nat,xt_state,ip_tables,xt_multiport,ip6_tables,xt_mark,xt_MARK,ipt_LOG,ipt_REJECT,ip6t_REJECT,xt_tcpudp
OK
| [root@ipex ~]#
|
| Should this give something else?
|
| [root@ipex ~]# netstat -M
| netstat: no support for `ip_masquerade' on this system.
I think that this is a deprecated option or that it doesn't work with
iptables... maybe some backward compatibility with ipchains....
--
François Patte
UFR de mathématiques et informatique
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 44 55 35 61
http://www.math-info.univ-paris5.fr/~patte
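As an added example (not part of the original message), the check discussed in the thread can be run mechanically over the log: parse each netfilter LOG line, count entries per log prefix, tally dropped inbound SYNs per source and destination port, and list any source address inside the LAN. The 192.168.0.0/24 range is an assumption based on the laptop address 192.168.0.6 mentioned above; the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the three log entries quoted in the thread, each
# rejoined onto one line as syslog writes them.
SAMPLE = """\
Jun 4 21:41:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=5893 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 4 21:41:38 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=5938 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 4 21:59:31 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0 SRC=59.101.218.205 DST=203.63.53.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3672 DF PROTO=TCP SPT=48673 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE = re.compile(r"kernel: \[(?P<prefix>[^\]]+)\]\s*:?\s*(?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse(line):
    """Split one netfilter LOG line into prefix, KEY=value fields and bare flags."""
    m = LINE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    fields = dict(FIELD.findall(rest))
    fields["prefix"] = m.group("prefix")
    fields["flags"] = [tok for tok in rest.split() if "=" not in tok]
    return fields


def summarize(log, lan="192.168.0.0/24"):  # LAN range is an assumption
    net = ip_network(lan)
    by_prefix, inbound_syn, lan_sources = Counter(), Counter(), set()
    for line in log.splitlines():
        f = parse(line)
        if f is None or "SRC" not in f:
            continue
        by_prefix[f["prefix"]] += 1
        # Arrived on an interface, no output interface, SYN set:
        # an unsolicited inbound connection attempt.
        if f.get("IN") and not f.get("OUT") and "SYN" in f["flags"]:
            inbound_syn[(f["SRC"], int(f.get("DPT", 0)))] += 1
        # Empty set means no packet from a LAN host reached a LOG rule.
        if ip_address(f["SRC"]) in net:
            lan_sources.add(f["SRC"])
    return by_prefix, inbound_syn, lan_sources


if __name__ == "__main__":
    prefixes, syns, lan_hosts = summarize(SAMPLE)
    print(dict(prefixes), dict(syns), sorted(lan_hosts) or "no LAN sources")
```

On the quoted entries the LAN set comes back empty, which is the symptom the reply points out: nothing with SRC=192.168.0.6 ever reaches the logging rule.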