Thanks again Jason,
I totally agree with your points about specify
IN, OUT and SYN
Now with some -j LOG i can see the packet going
into OUTPUT with eth1 as dst interface
Now it gets into my anti-spoof rule :
Aug 11 13:20:17 natasha kernel: firewall::OUT_IP_CHECK IN= OUT=eth1
SRC=sql.se.rv.er DST=192.168.0.149 LEN=40 TOS=0x00
PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=445 DPT=3394 WINDOW=0 RES=0x00 ACK
RST URGP=0
If i open this rule, i can see the packet adressed to 192.168.0.149
sent on eth1 (WAN) with tcpdump.
Any other ideas ?
Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau
----- Original Message -----
From: "Jason Opperisano" <Jopperisano@xxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, August 11, 2004 12:30 PM
Subject: RE: Question about REJECT in FORWARD rule
> I attached output of iptables, y.y.y. is my WAN IP range and x.x.x. is a
> range
> outside. Problematic REJECT rule can be found in FORWARD chain.
upon further review--i think you'd be best to only match that rule on SYN
packets, in addition to specifying the inbound interface. something along
the lines of:
-A FORWARD -i $INTERNAL_IF -p tcp --syn -d $SQL_SERVER --dport 445 -j
REJECT --reject-with tcp-reset
since the rule you're using according to:
Chain FORWARD (policy DROP 1 packets, 58 bytes)
pkts bytes target prot opt in out source
destination
0 0 REJECT tcp -- * * 0.0.0.0/0
sql.se.rv.er tcp dpt:445 reject-with tcp-reset
is not narrowing down the interface/source, and is hit before any connection
tracking occurs. i've never used "-j REJECT --reject-with tcp-reset"
without also specifying "--syn" as it could have very odd results (and also
doesn't make sense from a TCP perspective)...
you should be able to test this from a client on the internal network by
just typing "telnet <sql.srv.ip.addr> 445" and making sure you get back
"Connection refused" instead of a timeout.
-j
