[Bug 706] Iptables randomly reject some packets that have accept rule

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 4 12:19:20 CET 2011


http://bugzilla.netfilter.org/show_bug.cgi?id=706





--- Comment #2 from Pier Paolo Orioli <pierpaolo.orioli at gmail.com>  2011-03-04 12:19:20 ---
Hi, I have 4GB of RAM and I'm using 50% of the RAM available, so I don't think
that the problem is memory related.

I'm using CentOS 5.5 so I can't have more recent kernels; maybe I can wait for
CentOS 5.6 or CentOS 6 in order to see if the bug is resolved.

Now I have changed the ruleset and I no longer check for state NEW on dstport 443.
Now I have no more rejected packets, and the output of iptables-save is:

# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*nat
:PREROUTING ACCEPT [400212:21715803]
:POSTROUTING ACCEPT [142299:9856790]
:OUTPUT ACCEPT [142299:9856790]
COMMIT
# Completed on Fri Mar  4 12:12:40 2011
# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*mangle
:PREROUTING ACCEPT [13029733:1988375571]
:INPUT ACCEPT [13029733:1988375571]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12067768:10868389437]
:POSTROUTING ACCEPT [12067768:10868389437]
COMMIT
# Completed on Fri Mar  4 12:12:40 2011
# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12067768:10868389437]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 446 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9980 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.0 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.248 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.240 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Fri Mar  4 12:12:40 2011


Thank you


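The following is an added example, not part of the bug report or of the netfilter project: a simplified Python model that walks a packet through the RH-Firewall-1-INPUT chain shown above, first matching rule wins, and compares the original ruleset (dport 443 requires `--state NEW`) with the changed one (dport 443 accepted without a state match). The source networks for port 3306 are constructed placeholders standing in for the masked `x.x.x.x` addresses, and the packets are constructed. It uses the standard conntrack classification INVALID (a packet that belongs to no tracked flow and does not open a valid one) to show which packets the two rulesets treat differently; that is general netfilter behaviour, not a diagnosis of this bug.

```python
"""Simplified walk of the RH-Firewall-1-INPUT chain from the bug report.

Added example, not code from the report. Only the match options that
appear in the report's rules are modelled: -i, -p, --dport, -s and
-m state --state. Source networks are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the x.x.x.x/netmask sources in the report.
MYSQL_NETS = ["192.0.2.0/255.255.255.0",
              "198.51.100.0/255.255.255.248",
              "203.0.113.0/255.255.255.240"]

NEW = frozenset({"NEW"})
TRACKED = frozenset({"RELATED", "ESTABLISHED"})


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None         # -p
    dport: Optional[int] = None         # --dport
    in_if: Optional[str] = None         # -i
    src: Optional[str] = None           # -s address/netmask
    states: Optional[frozenset] = None  # -m state --state; None = no state match


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    in_if: str
    src: str
    ctstate: str  # conntrack classification: NEW, ESTABLISHED, RELATED or INVALID


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match option present on the rule must hold for the rule to fire."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src is not None:
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(pkt.src) not in net:
            return False
    if rule.states is not None and pkt.ctstate not in rule.states:
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise fall through to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


def rh_chain(stateful_443: bool) -> List[Rule]:
    """RH-Firewall-1-INPUT as listed in the report, 443 with or without -m state."""
    chain = [
        Rule("ACCEPT", states=TRACKED),
        Rule("ACCEPT", in_if="lo"),
        Rule("ACCEPT", in_if="eth1"),
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", proto="esp"),
        Rule("ACCEPT", proto="ah"),
        Rule("ACCEPT", proto="tcp", dport=443, states=NEW if stateful_443 else None),
        Rule("ACCEPT", proto="tcp", dport=80, states=NEW),
        Rule("ACCEPT", proto="tcp", dport=22, states=NEW),
        Rule("ACCEPT", proto="tcp", dport=446, states=NEW),
        Rule("ACCEPT", proto="tcp", dport=9980, states=NEW),
    ]
    chain += [Rule("ACCEPT", proto="tcp", dport=3306, src=net, states=NEW)
              for net in MYSQL_NETS]
    chain.append(Rule("REJECT"))  # --reject-with icmp-host-prohibited
    return chain


def compare(pkt: Packet) -> dict:
    """Verdict under the original (stateful 443) and changed (stateless 443) rulesets."""
    return {"original": verdict(rh_chain(True), pkt),
            "changed": verdict(rh_chain(False), pkt)}


def stateless_tcp_ports(chain: List[Rule]) -> List[int]:
    """TCP ports accepted with no conntrack state check (these also admit INVALID)."""
    return sorted(r.dport for r in chain
                  if r.target == "ACCEPT" and r.proto == "tcp"
                  and r.dport is not None and r.states is None)


if __name__ == "__main__":
    samples = {  # constructed packets
        "443 NEW":      Packet("tcp", 443, "eth0", "10.0.0.5", "NEW"),
        "443 INVALID":  Packet("tcp", 443, "eth0", "10.0.0.5", "INVALID"),
        "80 INVALID":   Packet("tcp", 80, "eth0", "10.0.0.5", "INVALID"),
        "3306 from placeholder net": Packet("tcp", 3306, "eth0", "192.0.2.9", "NEW"),
        "3306 from elsewhere":       Packet("tcp", 3306, "eth0", "10.0.0.5", "NEW"),
    }
    for label, pkt in samples.items():
        print(f"{label:28s} {compare(pkt)}")
    print("ports accepted without state match:", stateless_tcp_ports(rh_chain(False)))
```

The point the comparison makes visible: in the original ruleset a packet to port 443 that conntrack classifies as neither NEW nor ESTABLISHED/RELATED matches nothing before the final REJECT, whereas the changed ruleset accepts it. That is why dropping the state match makes the rejects disappear, and also why `stateless_tcp_ports` is worth checking on a production ruleset: each port it lists is one where conntrack's verdict no longer applies.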