Hi all,

This is part of my iptables -L -n -v. Please note that tcp packets are not rejected but dropped by the reject rule. But counters say they're rejected.

This is the rule I use:

  iptables -A INPUT -p 6 -s 0/0 --sport 1024: -d xxx.xxx.xx.xx --dport 25 -i $waneth -j REJECT --reject-with tcp-reset

    3   144 LOG        all  --  eth1   *       0/0            0/0            LOG flags 0 level 4 prefix `INPUT: '
    3   144 REJECT     tcp  --  eth1   *       0/0            xxx.xxx.xx.xx  tcp spts:1024:65535 dpt:25 reject-with tcp-reset
    0     0 DROP       all  --  eth1   *       0/0            0/0

As you can see the drop rule doesn't count any packets. But packets are dropped. Please see iptraf below:

  212.254.101.100:23822  =   3   144  S---   eth1
  xxx.xxx.xx.xx:25       =   0     0  ----   eth1

If working with tcp-reset I'd rather expect something like this:

  212.254.101.100:23824  =   1    48  S---   eth1
  xxx.xxx.xx.xx:25       =   1    40  RESET  eth1

This is made manually by stopping smtpd but leaving the ports open for connection.

Thank you for any help.

Philipp
On Saturday 06 October 2001 21:27, Philipp Snizek wrote:

> Hi all,
>
> This is part of my iptables -L -n -v. Please note that tcp packets are not rejected but dropped by the reject rule. But counters say they're rejected.
>
> This is the rule I use:
>
>   iptables -A INPUT -p 6 -s 0/0 --sport 1024: -d xxx.xxx.xx.xx --dport 25 -i $waneth -j REJECT --reject-with tcp-reset
>
>     3   144 LOG        all  --  eth1   *       0/0            0/0            LOG flags 0 level 4 prefix `INPUT: '
>     3   144 REJECT     tcp  --  eth1   *       0/0            xxx.xxx.xx.xx  tcp spts:1024:65535 dpt:25 reject-with tcp-reset
>     0     0 DROP       all  --  eth1   *       0/0            0/0
>
> As you can see the drop rule doesn't count any packets. But packets are dropped. Please see iptraf below:
>
>   212.254.101.100:23822  =   3   144  S---   eth1
>   xxx.xxx.xx.xx:25       =   0     0  ----   eth1
>
> If working with tcp-reset I'd rather expect something like this:
>
>   212.254.101.100:23824  =   1    48  S---   eth1
>   xxx.xxx.xx.xx:25       =   1    40  RESET  eth1
Do you have any OUTPUT rules that prevent the reset packets from leaving your box? Maybe you have to allow them by an explicit rule like this:

  iptables -t filter -A OUTPUT -o eth1 -s x.x.x.x --sport 25 -p tcp --tcp-flags SYN,FIN,RST RST -j ACCEPT

Andreas Baetz

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
This footnote also confirms that this email message has been scanned for the presence of computer viruses.
**********************************************************************
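The reply's point is that a REJECT target does not answer the SYN by itself: it hands a locally generated RST to the stack, and that RST then has to pass the OUTPUT chain like any other outgoing packet, while the INPUT counter on the REJECT rule increments regardless. The following is an added example, not code from either poster: it parses the `iptables -L -n -v` listing format shown in the thread and walks the OUTPUT chain to see whether the RST for each `reject-with tcp-reset` rule would be accepted or dropped. Both listings are constructed: 192.0.2.10 stands in for the masked server address, the OUTPUT chain ending in a DROP on eth1 is the assumed cause the reply describes, and the fixed listing contains the rule from the reply as `-n` prints it (`flags:0x07/0x04`). Jumps to user-defined chains and `!` negations are not modelled.

```python
"""Check whether the RST generated by REJECT --reject-with tcp-reset survives
the OUTPUT chain, working only from an `iptables -L -n -v` listing.
Added example; listings below are constructed, 192.0.2.10 is a stand-in."""
import ipaddress
import re

# Constructed: the INPUT chain from the thread plus an assumed OUTPUT chain
# that drops everything leaving eth1 (the situation the reply suspects).
BROKEN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 LOG        all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `INPUT: '
    3   144 REJECT     tcp  --  eth1   *       0.0.0.0/0            192.0.2.10           tcp spts:1024:65535 dpt:25 reject-with tcp-reset
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    3   120 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""
# The reply's rule (-o eth1 -s <server> --sport 25 --tcp-flags SYN,FIN,RST RST)
# inserted ahead of the DROP; -n shows the flag match as mask/compare in hex.
RST_ACCEPT = "    3   120 ACCEPT     tcp  --  *      eth1    192.0.2.10           0.0.0.0/0            tcp spt:25 flags:0x07/0x04"
FIXED = BROKEN.replace("    3   120 DROP", RST_ACCEPT + "\n    0     0 DROP")

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\b(spts?|dpts?):(\d+)(?::(\d+))?")
FLAGS_RE = re.compile(r"\bflags:(\S+)/(\S+)")
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32, "ALL": 63, "NONE": 0}


def _count(tok):
    """Counter column; -v abbreviates large values with K/M/G (1000-based)."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)


def parse_listing(text):
    """Split the listing into chains, each with its policy and parsed rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2) or "RETURN", "rules": []})
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # header line "pkts bytes ..." does not match
            pkts, byts, target, prot, _opt, iface_in, iface_out, src, dst, opts = m.groups()
            current["rules"].append({"pkts": _count(pkts), "bytes": _count(byts), "target": target,
                                     "prot": prot, "in": iface_in, "out": iface_out,
                                     "src": src, "dst": dst, "opts": opts})
    return chains


def _addr_ok(rule_net, addr):
    if rule_net in ("0/0", "0.0.0.0/0", "anywhere"):  # older iptables prints 0/0
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net, strict=False)


def _flagset(tok):
    """flags:0x07/0x04 (with -n) or flags:SYN,FIN,RST/RST (without) -> bitmask."""
    return int(tok, 16) if tok.startswith("0x") else sum(TCP_FLAG_BITS[n] for n in tok.split(","))


def _rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]) or rule["out"] not in ("*", pkt["out"]):
        return False
    # A locally generated RST has no input interface, so an "in" match can never hit.
    if rule["in"] != "*" or not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for key, lo, hi in PORT_RE.findall(rule["opts"]):
        port = pkt["sport"] if key[0] == "s" else pkt["dport"]
        if not int(lo) <= port <= int(hi or lo):
            return False
    m = FLAGS_RE.search(rule["opts"])
    return m is None or pkt["flags"] & _flagset(m.group(1)) == _flagset(m.group(2))


def chain_verdict(chains, name, pkt):
    """First matching ACCEPT/DROP/REJECT wins, otherwise the chain policy;
    LOG and other non-terminating targets fall through."""
    for idx, rule in enumerate(chains[name]["rules"]):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and _rule_matches(rule, pkt):
            return rule["target"], idx
    return chains[name]["policy"], None


def diagnose(listing, server_ip, client_ip, client_port):
    """For every INPUT rule rejecting with tcp-reset: its packet counter and the
    OUTPUT verdict for the RST it would send back to client_ip:client_port."""
    chains = parse_listing(listing)
    findings = []
    for rule in chains.get("INPUT", {"rules": []})["rules"]:
        if rule["target"] != "REJECT" or "tcp-reset" not in rule["opts"]:
            continue
        dports = [int(lo) for key, lo, _hi in PORT_RE.findall(rule["opts"]) if key[0] == "d"]
        if not dports:
            continue  # without a dpt match the RST's source port is unknown
        # The RST answers a SYN, so the kernel sets RST+ACK; it carries the rejected
        # dport as its sport and (assumed) leaves via the interface the SYN came in on.
        rst = {"proto": "tcp", "out": rule["in"], "src": server_ip, "dst": client_ip,
               "sport": dports[0], "dport": client_port,
               "flags": TCP_FLAG_BITS["RST"] | TCP_FLAG_BITS["ACK"]}
        verdict, idx = chain_verdict(chains, "OUTPUT", rst)
        findings.append({"port": dports[0], "reject_pkts": rule["pkts"],
                         "rst_verdict": verdict, "output_rule": idx})
    return findings


if __name__ == "__main__":
    for name, listing in (("broken", BROKEN), ("fixed", FIXED)):
        for finding in diagnose(listing, "192.0.2.10", "212.254.101.100", 23822):
            print(name, finding)
```

Running it reports `rst_verdict: DROP` with `reject_pkts: 3` for the broken listing, which is exactly the symptom in the thread (the REJECT counter climbs while the client only ever sees retransmitted SYNs), and `ACCEPT` once the reply's rule is in place. Because the reset to a SYN is sent with RST and ACK both set, the reply's mask of `SYN,FIN,RST` is the right shape for the allow rule; a stricter `--tcp-flags ALL RST` would not match it.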
> Do you have any OUTPUT rules that prevent the reset packets from leaving your box? Maybe you have to allow them by an explicit rule like this:
>
>   iptables -t filter -A OUTPUT -o eth1 -s x.x.x.x --sport 25 -p tcp --tcp-flags SYN,FIN,RST RST -j ACCEPT
Thanx, that was the solution to the problem.

Philipp
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com