mysterious dropped echo replies
Sertys
sertys at supportivo.org
Wed Jun 1 14:50:35 CEST 2005
On Tue, 31 May 2005 10:42:36 +0200, Udo Rader <udo.rader at bestsolution.at>
wrote:
Those are illegal packets:
> DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00
> PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0
There's no type0&code0 combination.
> Hi,
>
> I am stuck with a strange phenomenon where iptables drops packages it
> (probably) shouldn't.
>
> The dropped packages are logged like this:
>
> DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00
> PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0
>
> So that means that this is about an icmp echo reply, originating from
> 192.168.100.240, pending to be sent through its internal interface
> (eth1) and destined to 192.168.100.10.
>
> It is completely mysterious to me where this reply comes from, but
> that's not all.
>
> Each of the two hosts involved can ping each other and in the case of a
> ping, iptables does not drop any packages.
>
> If I shut down 192.168.100.10 (a box within the DMZ), it doesn't take
> long until iptables starts to drop packages destined to other boxes in
> the DMZ.
>
> One of the first rules in my iptables setup is this:
>
> iptables -A INPUT -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
> iptables -A FORWARD -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
>
> For the internal interface this is the first rule:
>
> iptables -A INPUT -i eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m
> state --state NEW -j ACCEPT
> iptables -A FORWARD -i eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m
> state --state NEW -j ACCEPT
> iptables -A OUTPUT -o eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m
> state --state NEW -j ACCEPT
> iptables -A FORWARD -o eth1 -s 192.168.100.0/24 -d 192.168.100.0/24 -m
> state --state NEW -j ACCEPT
>
> The rule that drops the package is the very last one (the 'catch all')
> rule.
>
> This is something new, because I haven't changed the iptables setup for
> quite some time, so if anybody has any guess on what's going on here.
>
> Udo Rader
>
> BestSolution.at GmbH
> http://www.bestsolution.at
--
www.supportivo.org
I can't stop myself checking for pigs in the outlets. Everybody thinks i'm
a punk, cause of the hairstyle(220V).
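As an added example (not code from either poster), the Python below parses the logged line quoted above, names its ICMP type, and runs it through a simplified model of conntrack's ICMP tracking plus the quoted NEW-only rules to show which verdict a reply without a tracked request ends up with. The conntrack model, the assumed ESTABLISHED,RELATED ACCEPT rule and the sample lines are my assumptions, not taken from the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the dropped line from the post, unwrapped onto one line.
LOG_LINE = ("DROP IN= OUT=eth1 SRC=192.168.100.240 DST=192.168.100.10 LEN=28 TOS=0x00 "
            "PREC=0x00 TTL=64 ID=32153 PROTO=ICMP TYPE=0 CODE=0 ID=45639 SEQ=0")
LAN = ip_network("192.168.100.0/24")
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}

def parse_log_line(line):
    """Split a netfilter LOG line into a dict. An empty IN= means the packet was
    generated locally. ID= appears twice for ICMP: IP identification first, then
    the ICMP echo identifier, stored here as ICMP_ID."""
    verdict, rest = line.split(" ", 1)
    fields = {"verdict": verdict}
    for key, val in re.findall(r"([A-Z]+)=(\S*)", rest):
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = val
    return fields

def conntrack_state(fields, pending):
    """Simplified model of conntrack's ICMP tracking (my approximation, not the
    kernel code): an echo-request opens a flow keyed by (src, dst, icmp id); an
    echo-reply is ESTABLISHED only when the mirrored request is pending, and
    INVALID otherwise, since conntrack never opens a flow for a bare reply."""
    if fields.get("PROTO") != "ICMP":
        return "UNTRACKED"
    icmp_type = int(fields["TYPE"])
    key = (fields["SRC"], fields["DST"], fields["ICMP_ID"])
    if icmp_type == 8:
        if key in pending:
            return "ESTABLISHED"
        pending.add(key)
        return "NEW"
    if icmp_type == 0:
        mirrored = (fields["DST"], fields["SRC"], fields["ICMP_ID"])
        return "ESTABLISHED" if mirrored in pending else "INVALID"
    return "RELATED"  # ICMP errors; matching them to the offending flow is omitted

def ruleset_verdict(fields, state):
    """The quoted chains ACCEPT only --state NEW from the LAN. An ESTABLISHED,RELATED
    ACCEPT is assumed to exist (pings work, per the post) but was not quoted.
    Anything else, INVALID included, falls through to the final catch-all DROP."""
    if ip_address(fields["SRC"]) in LAN and state == "NEW":
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"

def diagnose(line, pending=None):
    fields = parse_log_line(line)
    state = conntrack_state(fields, set() if pending is None else pending)
    return ICMP_TYPES.get(int(fields["TYPE"]), "other"), state, ruleset_verdict(fields, state)
```

Passing the same `pending` set across lines lets you replay a request/reply pair in order and see the reply turn from INVALID into ESTABLISHED.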