OK, here are the original (stateful) rules reinstated:

IPTABLES -A INPUT -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -m state --state NEW -j ACCEPT
IPTABLES -A FORWARD -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -m state --state NEW -j ACCEPT
IPTABLES -A OUTPUT -o bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -m state --state NEW -j ACCEPT
IPTABLES -A FORWARD -o bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -m state --state NEW -j ACCEPT

And here's a sampling of iptables dropping packets with stateful rules in place:

s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6467 DF PROTO=TCP SPT=51837 DPT=11211 WINDOW=202 RES=0x00 ACK FIN URGP=0
s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9158 DF PROTO=TCP SPT=50690 DPT=11211 WINDOW=339 RES=0x00 ACK FIN URGP=0
s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.4 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=22155 DF PROTO=TCP SPT=53800 DPT=11211 WINDOW=113 RES=0x00 ACK FIN URGP=0
s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.3 LEN=1369 TOS=0x00 PREC=0x00 TTL=64 ID=17238 DF PROTO=TCP SPT=58539 DPT=11211 WINDOW=501 RES=0x00 ACK PSH URGP=0
s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.3 LEN=1086 TOS=0x00 PREC=0x00 TTL=64 ID=49105 DF PROTO=TCP SPT=49535 DPT=11211 WINDOW=501 RES=0x00 ACK PSH URGP=0

Any ideas?

On Fri, Dec 12, 2008 at 3:10 PM, Art Age Software <artagesw@xxxxxxxxx> wrote:
> Thanks for your reply. I originally had stateful rules in place and
> packets were being dropped. I had just switched to stateless rules in
> an attempt to fix the problem.
>
> I will go back to stateful and update this thread with the new log messages.
>
> Thanks.
>
> Sam
>
> On Fri, Dec 12, 2008 at 2:33 PM, Filipe Brandenburger
> <filbranden@xxxxxxxxx> wrote:
>> Hi,
>>
>> On Fri, Dec 12, 2008 at 15:45, Art Age Software <artagesw@xxxxxxxxx> wrote:
>>> IPTABLES -A XXX -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d
>>> 192.168.1.0/24 --dport 11211 -j ACCEPT
>>
>>> Dec 12 20:33:53 s1 kernel: DROP -- Catch All: IN= OUT=bond0
>>> SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0
>>> DF PROTO=TCP SPT=11211 DPT=47567 WINDOW=0 RES=0x00 RST URGP=0
>>
>> The packets it's dropping are with *source* port 11211, they are the replies.
>>
>> Either configure your firewall in stateful mode (-m state, --state
>> NEW, --state ESTABLISHED, etc.) or add rules to allow the replies from
>> that source port.
>>
>> HTH,
>> Filipe
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
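An added diagnostic, not part of the thread or written by any of its participants: the reinstated rule set only accepts packets in state NEW, and `-m state --state NEW` matches just the connection-opening SYN. The dropped packets above carry ACK FIN and ACK PSH, i.e. they belong to flows whose SYN was already accepted, so they can never match a NEW rule; they need a separate `--state ESTABLISHED,RELATED` accept in each chain (this is what Filipe's hint about `--state ESTABLISHED` points at). The script below parses netfilter LOG lines of the format quoted in the thread, infers the chain from which interface fields are set (assumption: IN only means INPUT, OUT only means OUTPUT, both means FORWARD, which holds when the LOG rule sits in the chain it logs), separates SYN-only drops from drops of mid-flow segments, and lists the conntrack accept rules each affected chain lacks. The sample log lines are constructed, modelled on the ones quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample, modelled on the "DROP -- Catch All" lines quoted in the thread.
# The last line (a SYN from outside the allowed subnet) is made up to show the
# one kind of drop this rule set is actually meant to produce.
SAMPLE_LOG = """\
s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=6467 DF PROTO=TCP SPT=51837 DPT=11211 WINDOW=202 RES=0x00 ACK FIN URGP=0
s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.3 LEN=1369 TOS=0x00 PREC=0x00 TTL=64 ID=17238 DF PROTO=TCP SPT=58539 DPT=11211 WINDOW=501 RES=0x00 ACK PSH URGP=0
s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=47567 WINDOW=0 RES=0x00 RST URGP=0
s1 kernel: DROP -- Catch All: IN=bond0 OUT= SRC=10.9.8.7 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=11211 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value tokens; OUT= yields an empty value


@dataclass
class DroppedPacket:
    chain: str                 # INPUT / OUTPUT / FORWARD, inferred from IN= / OUT=
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]      # TCP flag words that follow RES=


def parse_drop_line(line: str) -> DroppedPacket:
    """Parse one netfilter LOG line for a TCP packet."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") != "TCP":
        raise ValueError("only TCP log lines are handled")
    # Flag words stand alone (no '=') between RES= and URGP=.
    tail = line.split("RES=", 1)[1]
    flags = frozenset(tok for tok in tail.split() if tok in TCP_FLAGS)
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        chain = "FORWARD"
    elif in_if:
        chain = "INPUT"
    else:
        chain = "OUTPUT"
    return DroppedPacket(chain, fields["SRC"], fields["DST"],
                         int(fields["SPT"]), int(fields["DPT"]), flags)


def classify(pkt: DroppedPacket) -> str:
    """'new' for a bare SYN (the only segment --state NEW can match);
    'established' for any other segment, which belongs to a flow conntrack
    already tracks and therefore needs an ESTABLISHED,RELATED accept rule."""
    return "new" if pkt.flags == {"SYN"} else "established"


def diagnose(log_text: str) -> Dict[str, int]:
    """Count drops per chain and class, e.g. {'INPUT:established': 1, ...}."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if "PROTO=TCP" not in line:
            continue
        pkt = parse_drop_line(line)
        key = f"{pkt.chain}:{classify(pkt)}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def suggested_rules(counts: Dict[str, int]) -> List[str]:
    """For every chain that dropped mid-flow segments, the conntrack accept rule
    that must appear before the catch-all LOG/DROP in that chain."""
    rules = []
    for key, n in sorted(counts.items()):
        chain, kind = key.split(":")
        if kind == "established" and n:
            rules.append(f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == "__main__":
    summary = diagnose(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(f"{key:22s} {n}")
    print("\nMissing accept rules:")
    for rule in suggested_rules(summary):
        print(" ", rule)
```

Run against a real `/var/log/messages` excerpt, any non-zero `established` count in a chain shows that the SYN was accepted but later segments of the same flow were not, which is exactly the pattern in the drops quoted above (ACK FIN and ACK PSH, never SYN). A `new` count, by contrast, is the catch-all doing its job on connection attempts the per-port rules do not cover.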