0.90.[01] packets match rules changed??
Graham Murray
graham@barnowl.demon.co.uk
17 Feb 2000 21:38:50 +0000
Should iptables rules which worked with 0.1.18 still work in 0.90.x
without change? Mine do not seem to work.
Here is the output from iptables -L -v taken while running 0.90.1:
Chain INPUT (policy DROP 12 packets, 528 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  4262 ppp        all  --  ppp+   any     anywhere             anywhere
    0     0 ACCEPT     udp  --  lo     any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  lo     any     anywhere             anywhere             tcp dpt:domain
   26  3299 ACCEPT     all  --  lo     any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51 packets, 4911 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ppp (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere            !barnowl.demon.co.uk LOG level alert prefix `bad_dest'
    0     0 DROP       all  --  any    any     anywhere            !barnowl.demon.co.uk
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh Flags:SYN/SYN,RST,ACK
    0     0 tcp-fin    tcp  --  any    any     anywhere             anywhere             tcp Flags:FIN,ACK/FIN,SYN,RST,PSH,ACK,URG
    0     0 LOG        tcp  --  any    any    !194.217.242.0/24     anywhere             tcp dpt:smtp Flags:SYN/SYN,RST,ACK LOG level warning prefix `alien_smtp'
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:smtp Flags:SYN/SYN,RST,ACK
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:auth Flags:SYN/SYN,RST,ACK
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:finger Flags:SYN/SYN,RST,ACK
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssl Flags:SYN/SYN,RST,ACK
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp spt:domain dpt:domain
    0     0            tcp  --  any    any     anywhere             anywhere             tcp spt:domain
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:1080 Flags:SYN/SYN,RST,ACK LOG level warning
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:1080 Flags:SYN/SYN,RST,ACK
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpt:8080 Flags:SYN/SYN,RST,ACK LOG level notice
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:8080 Flags:SYN/SYN,RST,ACK
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpts:0:1024 Flags:SYN/SYN,RST,ACK LOG level warning
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:0:1024 Flags:SYN/SYN,RST,ACK
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             tcp dpts:6000:6010 LOG level alert
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpts:6000:6010
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             state INVALID LOG level warning prefix `inv_conn'
   12   528 LOG        tcp  --  any    any     anywhere             anywhere             state NEW LOG level warning prefix `new_conn'
    5  2319 ACCEPT     tcp  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    8  1415 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:4000
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp spt:time
    0     0 LOG        udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns LOG level notice
    0     0 DROP       udp  --  any    any     anywhere             anywhere
    0     0 DROP       icmp --  any    any     anywhere             anywhere             icmp redirect
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere

Chain tcp-fin (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere             state INVALID,NEW,RELATED
You will notice that 12 packets are caught by the rule which generates
a 'new_conn' log entry. The following entry from my syslog shows one
of these, together with the trace information printed by iptables just
before the log entry. This packet should have been caught by the rule
"0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp Flags:SYN/SYN,RST,ACK"
but was not. Under 0.1.xx (xx<=18) smtp incoming connections are
correctly caught by this rule.
Feb 17 21:18:51 barnowl kernel: SRC: 194.217.242.36. Mask: 0.0.0.0. Target: 0.0.0.0.
Feb 17 21:18:51 barnowl kernel: DST: 158.152.23.247 Mask: 255.255.255.255 Target: 158152.23.247. (INV)
Feb 17 21:18:51 barnowl kernel: Source or dest mismatch.
Feb 17 21:18:51 barnowl kernel: SRC: 194.217.242.36. Mask: 0.0.0.0. Target: 0.0.0.0.
Feb 17 21:18:51 barnowl kernel: DST: 158.152.23.247 Mask: 255.255.255.255 Target: 158152.23.247. (INV)
Feb 17 21:18:51 barnowl kernel: Source or dest mismatch.
Feb 17 21:18:51 barnowl kernel: SRC: 194.217.242.36. Mask: 255.255.255.0. Target: 194.217.242.0. (INV)
Feb 17 21:18:51 barnowl kernel: DST: 158.152.23.247 Mask: 0.0.0.0 Target: 00.0.0.
Feb 17 21:18:51 barnowl kernel: new_connIN=ppp0 OUT= MAC=45:00:00:2c SRC=194.217.242.36 DST=158.152.23.247 LEN=44 TOS=0x00 PREC=0x00 TTL=67 ID=51277 DF PROTO=TCP SPT=44540 DPT=25 WINDOW=8760 RES=0x00 SYN URGP=0
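Added example, not code from Graham's message or from netfilter: a small Python replay of the ppp chain listed above against the logged SYN, to check which rule the listing says should match first and which rules match at all. It assumes that barnowl.demon.co.uk is 158.152.23.247 (the inverted destination target printed in the kernel trace), that the service names map to the usual /etc/services ports, and that the packet's conntrack state is NEW, since that is the rule that fired; interface matches are not modelled because every ppp rule says any/any.

```python
# Added example, not code from the post or from netfilter: replay the post's
# 'ppp' chain against the SYN packet that the 'new_conn' rule logged.
import ipaddress
import re

# Assumed: barnowl.demon.co.uk is 158.152.23.247 (the inverted destination
# target in the kernel trace); service names resolve as in /etc/services.
HOSTS = {"anywhere": "0.0.0.0/0", "barnowl.demon.co.uk": "158.152.23.247/32"}
PORTS = {"ssh": 22, "smtp": 25, "auth": 113, "finger": 79, "ssl": 443, "domain": 53}
FLAG, STATE = r"(?:FIN|SYN|RST|PSH|ACK|URG)", r"(?:INVALID|NEW|RELATED|ESTABLISHED)"
PROTOS, TERMINATING = {"all", "tcp", "udp", "icmp"}, {"ACCEPT", "DROP"}

# Rows copied from the post's listing (ppp cut after RELATED,ESTABLISHED: a
# TCP packet never reaches the UDP and ICMP rows below it).
RAW = {"ppp": """\
0 0 LOG all -- any any anywhere !barnowl.demon.co.uk LOG level alert prefix `bad_dest'
0 0 DROP all -- any any anywhere !barnowl.demon.co.uk
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh Flags:SYN/SYN,RST,ACK
0 0 tcp-fin tcp -- any any anywhere anywhere tcp Flags:FIN,ACK/FIN,SYN,RST,PSH,ACK,URG
0 0 LOG tcp -- any any !194.217.242.0/24 anywhere tcp dpt:smtp Flags:SYN/SYN,RST,ACK LOG level warning prefix `alien_smtp'
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp Flags:SYN/SYN,RST,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:auth Flags:SYN/SYN,RST,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:finger Flags:SYN/SYN,RST,ACK
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssl Flags:SYN/SYN,RST,ACK
0 0 DROP tcp -- any any anywhere anywhere tcp spt:domain dpt:domain
0 0 tcp -- any any anywhere anywhere tcp spt:domain
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:1080 Flags:SYN/SYN,RST,ACK LOG level warning
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:1080 Flags:SYN/SYN,RST,ACK
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:8080 Flags:SYN/SYN,RST,ACK LOG level notice
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:8080 Flags:SYN/SYN,RST,ACK
0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1024 Flags:SYN/SYN,RST,ACK LOG level warning
0 0 DROP tcp -- any any anywhere anywhere tcp dpts:0:1024 Flags:SYN/SYN,RST,ACK
0 0 LOG tcp -- any any anywhere anywhere tcp dpts:6000:6010 LOG level alert
0 0 DROP tcp -- any any anywhere anywhere tcp dpts:6000:6010
0 0 LOG tcp -- any any anywhere anywhere state INVALID LOG level warning prefix `inv_conn'
12 528 LOG tcp -- any any anywhere anywhere state NEW LOG level warning prefix `new_conn'
5 2319 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
""", "tcp-fin": """\
0 0 DROP all -- any any anywhere anywhere state INVALID,NEW,RELATED
"""}

def port_range(spec):           # 'ssh' -> (22, 22); '0:1024' -> (0, 1024)
    lo, _, hi = spec.partition(":")
    hi = hi or lo
    return int(PORTS.get(lo, lo)), int(PORTS.get(hi, hi))

def parse_rule(row):
    tok = row.split()
    target = None if tok[2] in PROTOS else tok[2]   # empty-target rows print no target
    i = 2 if target is None else 3
    proto, _opt, _in, _out, src, dst = tok[i:i + 6]  # interfaces are all 'any' here
    extra = " ".join(tok[i + 6:])
    sp, dp = (re.search(rf"\b{k}s?:(\S+)", extra) for k in ("spt", "dpt"))
    fl = re.search(rf"Flags:({FLAG}(?:,{FLAG})*)/({FLAG}(?:,{FLAG})*)", extra)
    st = re.search(rf"state ({STATE}(?:,{STATE})*)", extra)
    return {"target": target, "proto": proto, "src": src, "dst": dst,
            "sport": port_range(sp.group(1)) if sp else None,
            "dport": port_range(dp.group(1)) if dp else None,
            "flags": tuple(set(g.split(",")) for g in fl.groups()) if fl else None,
            "state": set(st.group(1).split(",")) if st else None}

CHAINS = {name: [parse_rule(r) for r in text.splitlines()] for name, text in RAW.items()}

def addr_match(spec, addr):     # honours the '!' negation the listing prints
    name = spec.lstrip("!")
    net = ipaddress.ip_network(HOSTS.get(name, name), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def rule_matches(rule, pkt):    # protocol, addresses, ports, TCP flag mask/compare, state
    ok = rule["proto"] in ("all", pkt["proto"])
    ok = ok and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])
    ok = ok and all(not rule[k] or rule[k][0] <= pkt[k] <= rule[k][1] for k in ("sport", "dport"))
    ok = ok and (not rule["flags"] or (pkt["flags"] & rule["flags"][1]) == rule["flags"][0])
    return ok and (not rule["state"] or pkt["state"] in rule["state"])

def walk(chain, pkt, trace):
    # iptables order: LOG and empty targets fall through; a user chain that
    # runs off its end returns to the caller, which carries on.
    for idx, rule in enumerate(CHAINS[chain]):
        if not rule_matches(rule, pkt):
            continue
        trace.append((chain, idx, rule["target"]))
        if rule["target"] in TERMINATING:
            return rule["target"]
        if rule["target"] in CHAINS and walk(rule["target"], pkt, trace):
            return trace[-1][2]          # the sub-chain's terminating target
    return None

def parse_log(line, state="NEW"):
    # Conntrack state is not in an ipt_LOG line; NEW is assumed because the
    # 'new_conn' rule is the one that fired on this packet.
    kv = dict(re.findall(r"([A-Z]+)=(\S*)", line))
    return {"src": kv["SRC"], "dst": kv["DST"], "proto": kv["PROTO"].lower(),
            "sport": int(kv["SPT"]), "dport": int(kv["DPT"]), "state": state,
            "flags": set(re.findall(rf"\b({FLAG})\b", line))}

def analyse(line):
    # -> (first verdict, (chain, index, target) of each rule hit on the way,
    #     indexes of every ppp rule the packet satisfies regardless of order)
    pkt, trace = parse_log(line), []
    verdict = walk("ppp", pkt, trace)
    return verdict, trace, [i for i, r in enumerate(CHAINS["ppp"]) if rule_matches(r, pkt)]

# The new_conn entry from the post, minus the syslog timestamp and host name.
LOGGED = ("new_connIN=ppp0 OUT= MAC=45:00:00:2c SRC=194.217.242.36 DST=158.152.23.247 "
          "LEN=44 TOS=0x00 PREC=0x00 TTL=67 ID=51277 DF PROTO=TCP SPT=44540 DPT=25 "
          "WINDOW=8760 RES=0x00 SYN URGP=0")
```

`analyse(LOGGED)` returns `('ACCEPT', [('ppp', 5, 'ACCEPT')], [5, 15, 16, 20])`, indexes being zero-based positions in the ppp listing: on the rules as listed the packet terminates at the `dpt:smtp` ACCEPT and never reaches `new_conn`. The third value is the useful one for narrowing this down: besides rule 5, the `dpts:0:1024` LOG/DROP pair at 15 and 16 also matches on paper, and the counters in the listing are 0 for those two as well, so the only rule that counted this packet on 0.90.1 is the pure `state NEW` match at 20, while every rule carrying a tcp port match plus the SYN flag test shows 0. Comparing a simulated walk with the counter that actually moved is the quickest way to pin a "my rules stopped matching" report onto one match module.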