The module I wrote seems to conflict with iptables

Zheng Da zhengda1936 at gmail.com
Mon Jul 30 21:25:28 CEST 2007


Jan Engelhardt wrote:
> On Jul 29 2007 21:36, Zheng Da wrote:
>>>> I wrote a module based on netfilter. It is meant to be used
>>>> in the filtering router, is hooked on the FORWARD point, and has the
>>>> lowest priority, NF_IP_PRI_LAST. It does the following things:
>>>> When it finds a TCP connection from the client to the server, it
>>>> will pretend to be the server to build the connection with the
>>>> client. It blocks the SYN and ACK packets from the client, and
>>>> sends a UDP packet to the server, which can force the server to
>>>> build the TCP connection with the client.
>>>
>>> It is almost impossible to help without seeing code.
>>>
>> Sorry, I'm just wondering whether the way my module works may
>> make connection tracking not work correctly. OK. This is my code. A
>> little big.
>
> Quite a lot of code, I'd say, so I could not look through all of it.
> I suspect that NF_IP_PRI_LAST and NF_IP_PRI_FIRST may have problematic
> effects. You could try NF_IP_PRI_FILTER+1 (instead of LAST), and
> NF_IP_PRI_FILTER-1 (instead of FIRST).
>
> 	Jan
I finally found the problem. The problem is not caused by my module, but
by my configuration of iptables.
The original configuration is:
iptables -F
iptables -X
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -j ACCEPT      <------ change this line
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,NEW -j ACCEPT
If I change the line for the device eth1 to
iptables -A FORWARD -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW
it works.
The question is what the difference is between
iptables -A FORWARD -i eth1 -j ACCEPT
and
iptables -A FORWARD -i eth1 -j ACCEPT -m state --state ESTABLISHED,RELATED,NEW
I checked ip_conntrack on the Router; the connections between Client and
Server are present in both configurations.
I used Wireshark to capture the packets in the original
configuration. I put the result in the attachment.
external: the packets between Client and Router
internal: the packets between Router and Server
Does anyone have any idea?

Best,
Zheng Da
-------------- next part --------------
A non-text attachment was scrubbed...
Name: external
Type: application/octet-stream
Size: 32792 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070729/e59d9b59/external-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: internal
Type: application/octet-stream
Size: 30993 bytes
Desc: not available
Url : /pipermail/netfilter-devel/attachments/20070729/e59d9b59/internal-0001.obj
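To make the difference between the two eth1 rules visible, here is an added example that is not part of this thread: a POSIX shell function that builds the poster's FORWARD ruleset in both variants. It assumes the state match differs only in that `--state ESTABLISHED,RELATED,NEW` does not match packets conntrack classifies as INVALID (or never tracked), and it adds an explicit LOG rule for those so they show up in the kernel log instead of silently hitting the DROP policy; the IPT dry-run variable and the log prefix are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the FORWARD ruleset from the
# post in two variants and compare what each lets through from eth1.
# MODE=original -> "-i eth1 -j ACCEPT" accepts every packet arriving on eth1.
# MODE=stateful -> "-m state --state ESTABLISHED,RELATED,NEW" accepts all
#                  packets except those conntrack classifies as INVALID (or
#                  never tracked); a LOG rule records those packets before
#                  they hit the DROP policy, so the difference is visible.
# IPT is an assumption of this example: it defaults to a dry run that only
# prints the commands; run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

forward_rules() {
    mode="$1"
    $IPT -F
    $IPT -X
    $IPT -P FORWARD DROP
    case "$mode" in
        original)
            $IPT -A FORWARD -i eth1 -j ACCEPT
            ;;
        stateful)
            # Log prefix is constructed for this example.
            $IPT -A FORWARD -i eth1 -m state --state INVALID \
                -j LOG --log-prefix "FWD-INVALID eth1: "
            $IPT -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
            ;;
        *)
            echo "usage: forward_rules original|stateful" >&2
            return 2
            ;;
    esac
    $IPT -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,NEW -j ACCEPT
}

# Dry-run check: number of rules that accept eth1 traffic regardless of
# conntrack state (1 for the original ruleset, 0 for the stateful one).
accepts_any_state_from_eth1() {
    forward_rules "$1" | grep -c -- '-i eth1 -j ACCEPT$' || true
}
```

Run `forward_rules original` and `forward_rules stateful` with IPT unset to diff the two command lists; with the stateful variant applied, `dmesg` entries prefixed FWD-INVALID show exactly the packets the state match refuses.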

