From: Paul Bryan (firstname.lastname@example.org)
- Previous message: Tomasz Popik: "Spam stopping"
- In reply to: Victor Batista: "Iptables...."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Bryan <email@example.com> To: firstname.lastname@example.org, "Victor Batista" <email@example.com> Date: Fri, 31 Jan 2003 12:08:45 +1100
On Tuesday 28 January 2003 07:29, Victor Batista wrote:
> My firewall has a rule that protects against new connections
> without the syn flag. I am logging this rejected packets.
> I am observing lots of these packets being dropped, with
> origin in one my servers. The Origin port is 80. I am also listening on
> port 80 on this machine (Apache). Are these connection attempts being
> made by apache, or can them be originated by a different program? If it
> is Apache, what is the reason?
> Jan 27 20:07:00 firewall kernel: Firewall LOG-IN=eth1
> OUT=eth0 SRC=192.168.1.253 DST=XXX.XXX.XXX.XXX LEN=468 TOS=0x00
> PREC=0x00 TTL=63 ID=15690 DF PROTO=TCP SPT=80 DPT=11723 WINDOW=31740
> RES=0x00 ACK PSH URGP=0
This packet is being sent by apache a response to come client connection from
the looks. What are your rules for matching against new connections without
the syn flag? I suspect you may have a problem with your rules.
> I am using DNAT. The packets which are addressed to DNATed
> machines pass through the INPUT->OUTPUT chains, right? Or do they pass
> by the FORWARD chain?
Anything not addressed to the local machine passes through the forward chain.
When using DNAT, the destination address is re-written as it comes in. This
is part of the pre-routing table.
This means that if the address is rewritten to a different machine than the
local host (which I'm assuming it is otherwise you wouldn't be needing
DNAT!), it will traverse the filter table through the forward chain. It does
not traverse either the input or output chains of the filter table. These are
only for packets destined for the local host (input) or packets originating
from the local host (output).
There seems to be a lot of confusion about iptables and how things work. This
is really suprising, because the howto's at www.iptables.org are really very
clear and describe all of this in detail. I recommend anyone who runs
iptables read the filter howto and the NAT howto.
To unsubscribe email firstname.lastname@example.org
with "unsubscribe" in the subject of the message.