more severe error in netfilter-0.1.6

Adam Kumiszcza Qman@null.net
Sat, 4 Sep 1999 11:21:20 +0200


On Sun, Sep 05, 1999 at 04:19:47AM +0930, Paul Rusty Russell wrote:
> In message <19990903233738.A3873@3net.net.pl> you write:
> > Besides the errors mentioned previously I found the following:
> > 
> > Some packets are dropped even if my firewall configuration
> > doesn't drop any packets (I have only -j LOGDROP, where
> > LOGDROP is defined as -j LOG and -j DROP for everything, but
> > there were no packets mentioned in DROP (checked with -L -n -v)). 
> > The following is in my syslog:
> > [...] 
> > Sep  3 23:21:26 psycho kernel: ip_tables: error: `'
> > Sep  3 23:21:26 psycho kernel: nf_iterate: NF_DROP for c3349e60.
> > [...]
> > (many of these)
> 
> iptables has hit the terminal error rule: which implies that libiptc
> screwed up.  Please give `iptables -L -vv' output, and the iptables
> commands you ran to create the chain(s).

Ok, here are the commands I used then:

insmod iptables
insmod ipt_LOG
insmod ipt_icmp
insmod ipt_tcp
insmod ipt_udp
iptables -N PPP
iptables -N LOGDROP
iptables -A INPUT -i ppp0 -j PPP
iptables -A PPP -s 10.0.0.0/8 -j LOGDROP
iptables -A PPP -s 127.0.0.0/8 -j LOGDROP
iptables -A PPP -s 192.168.0.0/16 -j LOGDROP
iptables -A PPP -s 172.16.0.0/16 -j LOGDROP
iptables -A PPP -p tcp --dport 25 -j ACCEPT
iptables -A PPP -p tcp --dport 113 -j ACCEPT
iptables -A PPP -s 195.116.50.204 -j ACCEPT
iptables -A PPP -s 195.116.50.3 -j ACCEPT
iptables -A PPP -s 212.160.112.131 -j ACCEPT
iptables -A PPP -s 212.244.102.188 -j ACCEPT
iptables -A PPP -p tcp --dport :1023 -j LOGDROP
iptables -A PPP -p udp --dport :1023 -j LOGDROP
iptables -A LOGDROP -j LOG
iptables -A LOGDROP -j DROP

(Please don't comment on the rules, these are only for testing)

# iptables -L -n -vv: (sorry for long lines, but it's better seen then)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt tos  in        out       source                destination
    0     0 PPP        all  --  0x00 ppp0      *          0.0.0.0/0             0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt tos  in        out       source                destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt tos  in        out       source                destination

Chain PPP (1 references)
 pkts bytes target     prot opt tos  in        out       source                destination
    0     0 LOGDROP    all  --  0x00 *         *          10.0.0.0/8            0.0.0.0/0
    0     0 LOGDROP    all  --  0x00 *         *          127.0.0.0/8           0.0.0.0/0
    0     0 LOGDROP    all  --  0x00 *         *          192.168.0.0/16        0.0.0.0/0
    0     0 LOGDROP    all  --  0x00 *         *          172.16.0.0/16         0.0.0.0/0
    0     0 ACCEPT     tcp  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     all  --  0x00 *         *          195.116.50.204        0.0.0.0/0
    0     0 ACCEPT     all  --  0x00 *         *          195.116.50.3          0.0.0.0/0
    0     0 ACCEPT     all  --  0x00 *         *          212.160.112.131       0.0.0.0/0
    0     0 ACCEPT     all  --  0x00 *         *          212.244.102.188       0.0.0.0/0
    0     0 LOGDROP    tcp  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           tcp dpts:0:1023
    0     0 LOGDROP    udp  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           udp dpts:0:1023

Chain LOGDROP (6 references)
 pkts bytes target     prot opt tos  in        out       source                destination
    0     0 LOG        all  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           LOG level 4
    0     0 DROP       all  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0

(BTW, -vv doesn't look any different than -v).

I also tried 'iptables -I OUTPUT -j ACCEPT', and although some (all?) of the
packets were dropped, the counter for this rule grew.

Adam Kumiszcza
<Qman@NULL.net>
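Added example (not part of this thread or of the netfilter code): a small Python diagnostic for the situation described above, checking constructed copies of the quoted syslog lines and the `-L -n -v` dump for NF_DROP verdicts that no DROP rule's packet counter accounts for. The regular expressions follow the log and column formats quoted in the message; the verdict strings are my own.

```python
import re

# Constructed excerpt of the syslog lines quoted in the report (not the full log).
KERNEL_LOG = """\
Sep  3 23:21:26 psycho kernel: ip_tables: error: `'
Sep  3 23:21:26 psycho kernel: nf_iterate: NF_DROP for c3349e60.
Sep  3 23:21:27 psycho kernel: ip_tables: error: `'
Sep  3 23:21:27 psycho kernel: nf_iterate: NF_DROP for c3349e60.
"""

# Constructed excerpt of `iptables -L -n -v` output, column layout as in the message.
IPTABLES_DUMP = """\
Chain LOGDROP (6 references)
 pkts bytes target     prot opt tos  in        out       source                destination
    0     0 LOG        all  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0           LOG level 4
    0     0 DROP       all  --  0x00 *         *          0.0.0.0/0             0.0.0.0/0
"""

ERROR_RE = re.compile(r"kernel: ip_tables: error: `(?P<msg>[^']*)'")
NFDROP_RE = re.compile(r"kernel: nf_iterate: NF_DROP for [0-9a-f]+")
# Rule lines begin with the pkts and bytes counters, then the target name.
RULE_RE = re.compile(r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)")

def count_kernel_events(log):
    """Return (ip_tables error lines, nf_iterate NF_DROP lines) found in the log."""
    errors = sum(1 for line in log.splitlines() if ERROR_RE.search(line))
    drops = sum(1 for line in log.splitlines() if NFDROP_RE.search(line))
    return errors, drops

def drop_target_packets(dump):
    """Sum the pkts counter of every rule whose target is DROP."""
    total = 0
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("target") == "DROP":
            total += int(m.group("pkts"))
    return total

def diagnose(log, dump):
    """Say whether the logged NF_DROP verdicts are explained by the DROP rules."""
    errors, drops = count_kernel_events(log)
    ruled = drop_target_packets(dump)
    if drops == 0:
        verdict = "no_drops_logged"
    elif ruled == 0:
        # The kernel dropped packets but no DROP rule counted any: the drops
        # are not coming from the visible rules, which is the thread's symptom.
        verdict = "drops_outside_rules"
    else:
        verdict = "drops_accounted_for"
    return {"errors": errors, "nf_drops": drops, "drop_rule_pkts": ruled, "verdict": verdict}
```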