Bug in FORWARD chain in iptables-1.2.7a with Linux kernel 2.4.20?

Hi,

I have the following configuration:

INTERNET
|
Firewall (Linux box with IPTables)
|
Router (Linux box with IPTables)


The default policy in the FORWARD chain in the Firewall is set to DROP
packets. So, I have to insert a rule for every kind of traffic I want to accept.

The Router logs all traffic:

iptables --append INPUT   -j LOG --log-level debug --log-prefix "IPTABLES LOG INPUT "
iptables --append FORWARD -j LOG --log-level debug --log-prefix "IPTABLES LOG FORWARD "
iptables --append OUTPUT  -j LOG --log-level debug --log-prefix "IPTABLES LOG OUTPUT "


I don't have any rule in the Firewall which ACCEPT traffic to the Router.
But, when I try to access the Router from INTERNET, the Router will log that
packet which the Firewall should DROP!!!

If I try to ping the router from INTERNET, the Router will log:

Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP INPUT IN=eth0 OUT= MAC=XX SRC=A-HOST DST=Router PROTO=ICMP 8
Jun 23 15:01:23 Router kernel: IPTABLES FILTER DROP OUTPUT IN= OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP


It gets even more strange if I also log the traffic which the Firewall
should DROP, i.e. the last rule in the FORWARD chain on the Firewall is:

iptables --append FORWARD -j LOG --log-level debug --log-prefix "IPTABLES DROP FORWARD "

The Firewall will log:

Jun 23 15:07:59 Firewall kernel: IPTABLES DROP FORWARD IN=eth3 OUT=eth0 SRC=Router DST=A-HOST PROTO=ICMP

eth0 is connected to INTERNET and eth3 is connected to the Router. Shouldn't
it be the other way around? The Firewall should of course DROP this packet
(the default policy is to DROP packets).


What could be wrong? Do I have to upgrade to the latest version of iptables
and the Linux kernel?


Yours sincerely,

Christian Ericsson
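Added example (not part of the mail above): a small Python check that parses netfilter LOG lines from the Firewall and flags an outbound drop whose inbound counterpart was never dropped. With a default-DROP FORWARD chain and a final LOG rule, that pattern is evidence that the inbound packet was ACCEPTed by an earlier rule, which is the thing to look for in the ruleset. The interface roles (eth0 = Internet, eth3 = Router) and the "DROP FORWARD" prefix are taken from the mail; the sample log lines and addresses are constructed.

```python
import re

# Interface roles on the Firewall, as described in the mail:
# eth0 faces the Internet, eth3 faces the Router.
IFACE_ROLE = {"eth0": "internet", "eth3": "router"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields (prefix dropped)."""
    if "kernel:" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))

def direction(fields):
    """Classify a FORWARD packet by the roles of its IN and OUT interfaces."""
    roles = (IFACE_ROLE.get(fields.get("IN")), IFACE_ROLE.get(fields.get("OUT")))
    if roles == ("internet", "router"):
        return "inbound"
    if roles == ("router", "internet"):
        return "outbound"
    return "unknown"

def find_unmatched_outbound_drops(lines):
    """Outbound FORWARD drops with no inbound drop for the reverse SRC/DST pair.

    Every packet not ACCEPTed earlier should hit the final LOG rule, so a
    dropped reply without a dropped request means the request was accepted."""
    inbound = set()
    outbound = []
    for line in lines:
        f = parse_log_line(line)
        if not f or "DROP FORWARD" not in line:
            continue
        d = direction(f)
        if d == "inbound":
            inbound.add((f["SRC"], f["DST"]))
        elif d == "outbound":
            outbound.append(f)
    return [f for f in outbound if (f["DST"], f["SRC"]) not in inbound]

# Constructed sample lines modelled on the mail (documentation addresses).
SAMPLE_LOG = [
    "Jun 23 15:07:59 Firewall kernel: IPTABLES DROP FORWARD IN=eth3 OUT=eth0 "
    "SRC=192.0.2.1 DST=203.0.113.10 PROTO=ICMP TYPE=0",
    "Jun 23 15:08:10 Firewall kernel: IPTABLES DROP FORWARD IN=eth0 OUT=eth3 "
    "SRC=203.0.113.77 DST=192.0.2.1 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    for f in find_unmatched_outbound_drops(SAMPLE_LOG):
        print("reply dropped, request was not; check earlier rules:", f["SRC"], "->", f["DST"])
```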
