RE: sqlnet 8 connexion and iptables 1.2.6a

You need a conntrack module to enable the RELATED session tracking. Otherwise, how do you suppose iptables knows to open that particular port?

-----Original Message-----
From: Stéphane Klein [mailto:sklein@xxxxxxxxxxxxxxxxxxx] 
Sent: Monday, April 07, 2003 1:24 AM
To: 'richardo@xxxxxxxxxxxxxxxx'
Cc: 'netfilter@xxxxxxxxxxxxxxxxxxx'
Subject: RE: sqlnet 8 connexion and iptables 1.2.6a

Hi, 

Thanks for your interest and response.

I looked for interesting logs last week, and I found that sqlnet works like
this:

First, the client connects to the server on port 1521; second, the server
tells the client to connect to a random port. At last, the client tries to
connect to the server, but the port is not opened.

I was thinking the related component could help to resolve the problem, but
it is not the case.
Here are the logs:

Apr  4 12:55:26 fw kernel: RULE 0 -- ACCEPT IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=463 DF PROTO=TCP SPT=1487 DPT=1521 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:26 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=1999 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:36 fw kernel: RULE 3 -- DROP IN= OUT=eth0 SRC=192.168.0.239 DST=192.168.0.208 LEN=72 TOS=0x00 PREC=0xC0 TTL=255 ID=26567 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=ORACLE-IP [SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=9423 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0 ]
Apr  4 12:55:36 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=9423 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:49 fw kernel: RULE 3 -- DROP IN= OUT=eth0 SRC=192.168.0.239 DST=192.168.0.208 LEN=72 TOS=0x00 PREC=0xC0 TTL=255 ID=26568 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=ORACLE-IP [SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10191 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0 ]
Apr  4 12:55:49 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=10191 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0

192.168.0.239 is an IP of the firewall, 208 is the client.

regards 

Stephane

-----Original Message-----
From: richardo@xxxxxxxxxxxxxxxx [mailto:richardo@xxxxxxxxxxxxxxxx]
Sent: Monday, 7 April 2003 09:58
To: Stéphane Klein
Subject: RE: sqlnet 8 connexion and iptables 1.2.6a



Hi Stephane,

The rules below look as though they do allow RELATED and ESTABLISHED
packets back through the firewall ... there are some logging rules; are you
getting any relevant information in the log files?

Regards,
Richard.

Richard Oatridge
Head of IT, Start-global Ltd
http://www.start-global.com
tel :  +44 1564 779297
email : richardo@xxxxxxxxxxxxxxxx


From: Stéphane Klein <sklein@xxxxxxxxxxxxxxxxxfr>
Sent by: netfilter-admin@xxxxxxxxxfilter.org
Date: 04/04/2003 13:06
To: "'richardo@xxxxxxxxxxxxxxxx'" <richardo@xxxxxxxxxxxxxxxx>
cc: "'netfilter@xxxxxxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxxxxxx>
Subject: RE: sqlnet 8 connexion and iptables 1.2.6a

iptables -L gives me:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
RULE_1     all  --  oracle_srv_ip        anywhere           state NEW
RULE_2     all  --  192.168.0.41         anywhere           state NEW
RULE_3     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
RULE_0     icmp --  anywhere             oracle_srv_ip      icmp type 8 code 0 state NEW
RULE_0     tcp  --  anywhere             oracle_srv_ip      tcp dpt:1521 state NEW
RULE_1     all  --  oracle_srv_ip        anywhere           state NEW
RULE_2     all  --  192.168.0.41         anywhere           state NEW
RULE_3     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
RULE_0     icmp --  anywhere             194.250.29.100     icmp type 8 code 0 state NEW
RULE_0     tcp  --  anywhere             194.250.29.100     tcp dpt:1521 state NEW
RULE_3     all  --  anywhere             anywhere

Chain RULE_0 (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level debug prefix `RULE 0 -- ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain RULE_1 (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level info prefix `RULE 1 -- ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain RULE_2 (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level info prefix `RULE 2 -- ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain RULE_3 (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level info prefix `RULE 3 -- DROP '
DROP       all  --  anywhere             anywhere



-----Original Message-----
From: richardo@xxxxxxxxxxxxxxxx [mailto:richardo@xxxxxxxxxxxxxxxx]
Sent: Friday, 4 April 2003 13:51
To: Stéphane Klein
Subject: Re: sqlnet 8 connexion and iptables 1.2.6a



Hi Stephane,

Are you allowing RELATED and ESTABLISHED packets back through the firewall?
If not, it may solve the problem ....


Regards,
Richard.

Richard Oatridge
Head of IT, Start-global Ltd
http://www.start-global.com
tel :  +44 1564 779297
email : richardo@xxxxxxxxxxxxxxxx
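As an added example (this is not code from the thread or from the netfilter project), here is a small Python script that parses iptables LOG lines of the kind Stéphane posted and correlates them to expose the failure pattern described above: a client ACCEPTed to the listener port, followed by a DROPped SYN from the same client to a different port on the same server, plus the ICMP redirects (type 5) the firewall generated and then dropped in its own OUTPUT chain. The sample log is constructed from the posted lines, re-joined one entry per line; the assumptions are that the LOG prefix ends with the verdict word (as in `RULE 3 -- DROP `, matching the posted rules) and that the listener port is 1521.

```python
"""Correlate iptables LOG lines to expose the SQL*Net redirect failure seen in
the thread: a client is ACCEPTed to the listener port, the server hands it a
different port, and the follow-up SYN to that port is DROPped.

Assumptions (not taken from the original post): the LOG prefix ends with the
verdict word, as in `RULE 3 -- DROP `, and the listener port is 1521.
"""
import re
from collections import namedtuple

# Constructed sample input: the poster's log lines, re-joined one per line.
SAMPLE_LOG = """\
Apr  4 12:55:26 fw kernel: RULE 0 -- ACCEPT IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=463 DF PROTO=TCP SPT=1487 DPT=1521 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:26 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=1999 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:36 fw kernel: RULE 3 -- DROP IN= OUT=eth0 SRC=192.168.0.239 DST=192.168.0.208 LEN=72 TOS=0x00 PREC=0xC0 TTL=255 ID=26567 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=ORACLE-IP [SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=9423 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0 ]
Apr  4 12:55:36 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=9423 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0
Apr  4 12:55:49 fw kernel: RULE 3 -- DROP IN= OUT=eth0 SRC=192.168.0.239 DST=192.168.0.208 LEN=72 TOS=0x00 PREC=0xC0 TTL=255 ID=26568 PROTO=ICMP TYPE=5 CODE=1 GATEWAY=ORACLE-IP [SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=10191 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0 ]
Apr  4 12:55:49 fw kernel: RULE 3 -- DROP IN=eth0 OUT=eth0 SRC=192.168.0.208 DST=ORACLE-IP LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=10191 DF PROTO=TCP SPT=1488 DPT=1089 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Syslog timestamp, host, "kernel:", the LOG prefix, then the packet fields from IN= on.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?) ?(?P<rest>IN=.*)$"
)

Packet = namedtuple("Packet", "ts prefix verdict fields embedded")


def parse_fields(text):
    """Split K=V tokens into a dict; bare tokens (DF, SYN, ACK ...) become flags."""
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def parse_line(line):
    """Parse one LOG line; returns None for lines that are not iptables LOG output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest, embedded = m.group("rest"), None
    if "[" in rest:  # an ICMP error quotes the offending packet inside [ ... ]
        rest, _, inner = rest.partition("[")
        embedded = parse_fields(inner.rstrip(" ]"))
    prefix = m.group("prefix").strip()
    verdict = prefix.split()[-1] if prefix else "?"  # assumption: prefix ends with verdict
    return Packet(m.group("ts"), prefix, verdict, parse_fields(rest), embedded)


def find_redirect_failures(log_text, listener_port=1521):
    """Report DROPped SYNs from a client that the firewall had already ACCEPTed
    to the listener port, i.e. the follow-up connection to a redirected port."""
    accepted = {}  # (client, server) -> timestamp of the accepted listener SYN
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt.fields.get("PROTO") != "TCP":
            continue
        f = pkt.fields
        key, dport = (f["SRC"], f["DST"]), int(f["DPT"])
        if pkt.verdict == "ACCEPT" and dport == listener_port:
            accepted[key] = pkt.ts
        elif (pkt.verdict == "DROP" and key in accepted
              and "SYN" in f["FLAGS"] and dport != listener_port):
            findings.append({"client": f["SRC"], "server": f["DST"],
                             "dropped_port": dport, "listener_ts": accepted[key],
                             "drop_ts": pkt.ts})
    return findings


def icmp_redirects(log_text):
    """List ICMP type 5 (redirect) messages together with the packet each quotes."""
    out = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt.fields.get("PROTO") != "ICMP" or pkt.fields.get("TYPE") != "5":
            continue
        emb = pkt.embedded or {}
        out.append({"ts": pkt.ts, "verdict": pkt.verdict,
                    "from": pkt.fields["SRC"], "to": pkt.fields["DST"],
                    "gateway": pkt.fields.get("GATEWAY"),
                    "embedded_dpt": int(emb["DPT"]) if "DPT" in emb else None})
    return out


if __name__ == "__main__":
    for hit in find_redirect_failures(SAMPLE_LOG):
        print(f"{hit['drop_ts']}: {hit['client']} accepted to {hit['server']}:1521 at "
              f"{hit['listener_ts']}, then SYN to port {hit['dropped_port']} dropped")
    for r in icmp_redirects(SAMPLE_LOG):
        print(f"{r['ts']}: ICMP redirect {r['from']}->{r['to']} via {r['gateway']} "
              f"for quoted SYN to port {r['embedded_dpt']} ({r['verdict']})")
```

Run over a real kernel log (one LOG entry per line), the first report is the thing to look for when a redirecting protocol is involved: the drop happens on a port that no rule and no conntrack helper knows about, which is exactly why the RELATED rule alone cannot open it. The second report is a useful side check: an ICMP redirect leaving the firewall on the same interface the packet arrived on means client, firewall and server share a segment, so the firewall is being asked to route traffic it is not the best path for.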