I'm occasionally seeing lines like the following,
always to the same machine which is on my internal network:
Apr 11 01:11:52 linux kernel: Rejected output by default:IN= OUT=eth0 SRC="" DST=192.168.1.151 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=30662 DF PROTO=TCP SPT=993 DPT=3736 WINDOW=6432 RES=0x00 ACK FIN URGP=0
This corresponds to a LOG and then a DROP
rule. So I set up Ethereal to capture the
packet trace. I didn't see the packet there, so I changed the DROP to an
ACCEPT, assuming that iptables is probably dropping the outbound packet before
Ethereal (ok, libpcap) can see it.
The weird thing is - even with just a LOG/ACCEPT
rule, the packet is STILL missing from Ethereal's trace! All other packets
from that time frame are there, but this particular one isn't. Could
iptables be imagining it somehow? I'm using libpcap 0.7.2, which was
current till a few days ago... I've done an iptables --list OUTPUT and
verified that the last item on the OUTPUT chain is an ACCEPT of all packets,
although the default policy is still technically DROP.
Any clues?
Jay Levitt
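When chasing a log/capture mismatch like the one above, it helps to pull the kernel LOG lines out of syslog and look at them as structured records: which interface, which destination, which port, and which TCP flags are set (a packet with ACK set and SYN clear belongs to an already established connection, so it is not a connection attempt). The following parser is an added example, not code from the post; the sample log lines are constructed in the same shape as the line quoted above (including an empty SRC value), and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog excerpt shaped like the kernel LOG output in the
# post. One line deliberately carries an empty SRC value; the sshd line is
# there to show non-kernel lines being skipped.
SAMPLE_LOG = """\
Apr 11 01:11:52 linux kernel: Rejected output by default:IN= OUT=eth0 SRC= DST=192.168.1.151 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=30662 DF PROTO=TCP SPT=993 DPT=3736 WINDOW=6432 RES=0x00 ACK FIN URGP=0
Apr 11 01:12:03 linux kernel: Rejected output by default:IN= OUT=eth0 SRC=192.0.2.10 DST=192.168.1.151 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30663 DF PROTO=TCP SPT=993 DPT=3737 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 11 01:12:05 linux sshd[123]: Accepted publickey for user from 192.0.2.7
"""

# syslog timestamp, host, "kernel:", the free-form --log-prefix text, then the
# fixed part that always starts with "IN=" (no space is guaranteed between the
# prefix and "IN=", as the post's line shows).
LOG_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: (?P<prefix>.*?)(?P<rest>\bIN=.*)$"
)


def parse_iptables_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one iptables LOG line into timestamp, host, prefix, key=value
    fields and bare flag tokens (DF, SYN, ACK, FIN ...). Returns None for
    lines that are not kernel LOG output."""
    m = LOG_LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # value may legitimately be empty (IN=, SRC=)
        else:
            flags.append(tok)           # tokens without "=" are TCP/IP flags
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip().rstrip(":"),
        "fields": fields,
        "flags": flags,
    }


def parse_log_lines(text: str) -> List[Dict[str, object]]:
    """Parse every line of a syslog excerpt, dropping non-LOG lines."""
    records = []
    for line in text.splitlines():
        rec = parse_iptables_log(line)
        if rec is not None:
            records.append(rec)
    return records


def is_mid_stream(rec: Dict[str, object]) -> bool:
    """True for a TCP segment of an established connection: ACK set, SYN clear.
    The post's packet (ACK FIN from port 993) is such a teardown segment."""
    flags = rec["flags"]
    return rec["fields"].get("PROTO") == "TCP" and "ACK" in flags and "SYN" not in flags


def summarize(records: List[Dict[str, object]]) -> Counter:
    """Count logged packets per (DST, PROTO, SPT) so repeated hits on one
    internal host and service stand out."""
    keys: List[Tuple[str, str, str]] = []
    for rec in records:
        f = rec["fields"]
        keys.append((f.get("DST", ""), f.get("PROTO", ""), f.get("SPT", "")))
    return Counter(keys)


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG)
    for rec in recs:
        f = rec["fields"]
        kind = "established" if is_mid_stream(rec) else "not established"
        print(f"{rec['ts']} {f['SRC'] or '<empty>'} -> {f['DST']}:{f['DPT']} "
              f"sport={f['SPT']} flags={' '.join(rec['flags'])} ({kind})")
    for key, n in summarize(recs).items():
        print(key, n)
```

Running the script over a real /var/log/messages excerpt instead of SAMPLE_LOG shows at a glance whether the unexplained packets are all established-connection teardowns to one host, which is the first thing to establish before deciding whether the capture tool or the firewall is the one that is wrong.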