iptables leaking blocked ip addresses.
terry l. ridder
artisticforge at gmail.com
Mon Jun 20 18:01:25 CEST 2005
hello;
reply below.
On 6/20/05, Jan Engelhardt <jengelh at linux01.gwdg.de> wrote:
>
> >at the 2nd lines of defenses the following is seen:
> >
> >date and time is utc.
> >
> >2005-06-18 08:20:38.310864 IP 200.221.11.147.29937 >
> >204.238.34.206.25: R 0:0(0) win 0
>
> This looks to me like tcpdump output. As far as I understand, the "listener"
> (used by iptraf, tcpdump, etc.) listens before iptables does it works, so you
> always see packets. - even those which are to be DROPed.
>
the tcpdump capture is on the mail server, 204.238.34.206 and *_not_* on
the firewall, 204.238.34.232.
>
> Take a client connected to eth2 and listen on the eth2 bus. There should not
> be anything.
>
the tcpdump output is on the mail server, 204.238.34.206.
those packets are being seen on the internal network.
i agree there should not be any 200.0.0.0/8 packets on the internal network
but there are. therefore, iptables is leaking.
>
> >2005-06-18 08:35:33.035504 IP 200.221.11.147.9618 > 204.238.34.206.25:
> >R 3184482893:3184482893(0) win 64240
> >2005-06-18 09:12:47.772699 IP 200.221.11.147.37399 >
> >204.238.34.206.25: R 0:0(0) win 0
>
>
> Jan Engelhardt
>
--
terry l. ridder ><>
More information about the netfilter
mailing list