more severe error in netfilter-0.1.6
Adam Kumiszcza
Qman@null.net
Sat, 4 Sep 1999 11:21:20 +0200
On Sun, Sep 05, 1999 at 04:19:47AM +0930, Paul Rusty Russell wrote:
> In message <19990903233738.A3873@3net.net.pl> you write:
> > Besides the errors mentioned previously I found the following:
> >
> > Some packets are dropped even if my firewall configuration
> > doesn't drop any packets (I have only -j LOGDROP, where
> > LOGDROP is defined as -j LOG and -j DROP for everything, but
> > there were no packets mentioned in DROP (checked with -L -n -v)).
> > The following is in my syslog:
> > [...]
> > Sep 3 23:21:26 psycho kernel: ip_tables: error: `'
> > Sep 3 23:21:26 psycho kernel: nf_iterate: NF_DROP for c3349e60.
> > [...]
> > (many of these)
>
> iptables has hit the terminal error rule: which implies that libiptc
> screwed up. Please give `iptables -L -vv' output, and the iptables
> commands you ran to create the chain(s).
Ok, here are the commands I used then:
insmod iptables
insmod ipt_LOG
insmod ipt_icmp
insmod ipt_tcp
insmod ipt_udp
iptables -N PPP
iptables -N LOGDROP
iptables -A INPUT -i ppp0 -j PPP
iptables -A PPP -s 10.0.0.0/8 -j LOGDROP
iptables -A PPP -s 127.0.0.0/8 -j LOGDROP
iptables -A PPP -s 192.168.0.0/16 -j LOGDROP
iptables -A PPP -s 172.16.0.0/16 -j LOGDROP
iptables -A PPP -p tcp --dport 25 -j ACCEPT
iptables -A PPP -p tcp --dport 113 -j ACCEPT
iptables -A PPP -s 195.116.50.204 -j ACCEPT
iptables -A PPP -s 195.116.50.3 -j ACCEPT
iptables -A PPP -s 212.160.112.131 -j ACCEPT
iptables -A PPP -s 212.244.102.188 -j ACCEPT
iptables -A PPP -p tcp --dport :1023 -j LOGDROP
iptables -A PPP -p udp --dport :1023 -j LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP
(Please don't comment on the rules, these are only for testing)
# iptables -L -n -vv: (sorry for long lines, but it's better seen then)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt tos  in    out   source           destination
    0     0 PPP      all  --  0x00 ppp0  *     0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt tos  in    out   source           destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt tos  in    out   source           destination

Chain PPP (1 references)
 pkts bytes target   prot opt tos  in    out   source           destination
    0     0 LOGDROP  all  --  0x00 *     *     10.0.0.0/8       0.0.0.0/0
    0     0 LOGDROP  all  --  0x00 *     *     127.0.0.0/8      0.0.0.0/0
    0     0 LOGDROP  all  --  0x00 *     *     192.168.0.0/16   0.0.0.0/0
    0     0 LOGDROP  all  --  0x00 *     *     172.16.0.0/16    0.0.0.0/0
    0     0 ACCEPT   tcp  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0        tcp dpt:25
    0     0 ACCEPT   tcp  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0        tcp dpt:113
    0     0 ACCEPT   all  --  0x00 *     *     195.116.50.204   0.0.0.0/0
    0     0 ACCEPT   all  --  0x00 *     *     195.116.50.3     0.0.0.0/0
    0     0 ACCEPT   all  --  0x00 *     *     212.160.112.131  0.0.0.0/0
    0     0 ACCEPT   all  --  0x00 *     *     212.244.102.188  0.0.0.0/0
    0     0 LOGDROP  tcp  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0        tcp dpts:0:1023
    0     0 LOGDROP  udp  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0        udp dpts:0:1023

Chain LOGDROP (6 references)
 pkts bytes target   prot opt tos  in    out   source           destination
    0     0 LOG      all  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0        LOG level 4
    0     0 DROP     all  --  0x00 *     *     0.0.0.0/0        0.0.0.0/0
(BTW, -vv doesn't look any different than -v).
I also tried 'iptables -I OUTPUT -j ACCEPT', and although some (all?) of the
packets were dropped, the counter for this rule grew.
Adam Kumiszcza
<Qman@NULL.net>
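The symptom in this thread is kernel-logged drops that no rule or policy counter accounts for. The following is an added example, not code from the report or from netfilter: it parses the `iptables -L -n -v` listing format and the syslog lines quoted above and flags that mismatch, treating an empty error name in `ip_tables: error: ...` as a hit on the terminal error rule, as Rusty's reply describes. The sample listing and log lines are constructed to mirror the ones in the report.

```python
import re

# Constructed sample mirroring the listing and syslog lines quoted in the report above.
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt tos in out source destination
    0     0 LOGDROP all -- 0x00 ppp0 * 10.0.0.0/8 0.0.0.0/0
Chain LOGDROP (1 references)
 pkts bytes target prot opt tos in out source destination
    0     0 LOG all -- 0x00 * * 0.0.0.0/0 0.0.0.0/0 LOG level 4
    0     0 DROP all -- 0x00 * * 0.0.0.0/0 0.0.0.0/0
"""
SYSLOG = """\
Sep 3 23:21:26 psycho kernel: ip_tables: error: `'
Sep 3 23:21:26 psycho kernel: nf_iterate: NF_DROP for c3349e60.
Sep 3 23:21:27 psycho kernel: ip_tables: error: `'
Sep 3 23:21:27 psycho kernel: nf_iterate: NF_DROP for c3349e60.
"""
CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\d+) packets|\d+ references)")
ERROR_RE = re.compile(r"ip_tables: error: `(?P<name>[^']*)'")  # assumption: empty name = terminal error rule
NF_DROP_RE = re.compile(r"nf_iterate: NF_DROP for [0-9a-f]+")

def parse_listing(text):
    """Parse `iptables -L -n -v` output into {chain: {policy, policy_pkts, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:  # chain header: remember its policy and the policy's packet counter
            current = chains.setdefault(m["name"], {"policy": m["policy"],
                                                     "policy_pkts": int(m["pkts"] or 0), "rules": []})
            continue
        f = line.split()
        if current and len(f) >= 3 and f[0].isdigit():  # skip column header / blank lines
            current["rules"].append({"pkts": int(f[0]), "target": f[2]})
    return chains

def accounted_drops(chains):
    """Packets the ruleset itself admits dropping: DROP targets plus DROP chain policies."""
    return sum((c["policy_pkts"] if c["policy"] == "DROP" else 0)
               + sum(r["pkts"] for r in c["rules"] if r["target"] == "DROP") for c in chains.values())

def diagnose(listing, syslog):
    """Compare kernel-logged drops with the counters; 'unaccounted' is True when they disagree."""
    names = [m["name"] for m in ERROR_RE.finditer(syslog)]
    report = {"error_rule_hits": len(names), "empty_error_names": names.count(""),
              "nf_drops": len(NF_DROP_RE.findall(syslog)),
              "accounted_by_rules": accounted_drops(parse_listing(listing))}
    report["unaccounted"] = report["nf_drops"] > report["accounted_by_rules"]
    return report
```

Calling `diagnose(LISTING, SYSLOG)` on the sample reports two NF_DROP verdicts and two empty-named error hits against zero counted drops, i.e. the counters cannot explain the drops, which is what the report describes.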