RE: why does this packet not match these rules?

> Hi,
>
> I have these rules in my iptables script (iptables -L -v -n):
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> 16955 5070K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>
> 35895  278M out_lan    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
>   16M 3830M out_internet  all  --  *      ppp0    x.x.x.x       0.0.0.0/0
>
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0           0.0.0.0/0
>      state RELATED
>
> 26649 1534K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 0 level 4 prefix `OUT-unknown:'
>
>  28209 1621K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
>
> (where x.x.x.x is my ip), and yet these packets are being logged:
>
> ... OUT-unknown:IN= OUT=ppp0 SRC=x.x.x.x DST=y.y.y.y LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=45650 DF PROTO=TCP SPT=43257 DPT=4662 WINDOW=4383 RES=0x00 SYN
> URGP=0
>
> surely this should match rule 3 (src=x.x.x.x, out=ppp0) and be handled by
> out_internet?

it probably does.  the question is:  does the packet actually match anything in "out_internet"?  if it doesn't, the packet will continue on down the list until it hits your log rule.

show us:  iptables -vnL out_internet

-j
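The behaviour the reply describes, a packet that matches the jump into a user-defined chain, finds nothing there, returns to OUTPUT and falls through to LOG and then DROP, can be traced with a small model of iptables chain traversal. The following is an added example, not code from either poster. It rebuilds the OUTPUT chain shown above and assumes a made-up out_internet chain that only allows TCP to ports 80 and 443 (the poster never showed the real chain, which is exactly what the reply asks for); x.x.x.x is kept as the poster's placeholder address.

```python
"""Toy model of iptables chain traversal (added example, not from the list post).

Demonstrates why a packet that matches a jump rule can still reach a later
LOG/DROP rule: a user-defined chain that matches nothing implicitly RETURNs,
and the calling chain continues with its next rule.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    out_iface: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "NEW"


@dataclass
class Rule:
    target: str                         # ACCEPT, DROP, LOG, RETURN or a chain name
    out_iface: Optional[str] = None     # None means "match anything" for that field
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        wanted = [(self.out_iface, pkt.out_iface), (self.src, pkt.src),
                  (self.proto, pkt.proto), (self.dport, pkt.dport),
                  (self.state, pkt.state)]
        return all(want is None or want == got for want, got in wanted)


@dataclass
class Ruleset:
    chains: dict            # chain name -> list[Rule]
    policy: dict            # built-in chain name -> default verdict

    def walk(self, chain: str, pkt: Packet, trace: list) -> Optional[str]:
        """Walk one chain; return a terminal verdict, or None on implicit RETURN."""
        for i, rule in enumerate(self.chains[chain], 1):
            if not rule.matches(pkt):
                continue
            trace.append(f"{chain}:{i} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            if rule.target == "LOG":
                continue                       # LOG is non-terminating
            verdict = self.walk(rule.target, pkt, trace)   # jump to user chain
            if verdict is not None:
                return verdict
            trace.append(f"{rule.target}: no match, RETURN to {chain}")
        return None                            # fell off the end of the chain

    def verdict(self, chain: str, pkt: Packet) -> tuple:
        trace: list = []
        v = self.walk(chain, pkt, trace)
        if v is None:                          # built-in chain: apply policy
            v = self.policy[chain]
            trace.append(f"{chain}: policy {v}")
        return v, trace


def build_example() -> Ruleset:
    """OUTPUT chain as in the post; out_internet contents are an assumption."""
    return Ruleset(
        chains={
            "OUTPUT": [
                Rule("ACCEPT", out_iface="lo"),
                Rule("out_lan", out_iface="eth0"),
                Rule("out_internet", out_iface="ppp0", src="x.x.x.x"),
                Rule("ACCEPT", state="RELATED"),
                Rule("LOG"),                   # prefix `OUT-unknown:'
                Rule("DROP"),
            ],
            "out_lan": [Rule("ACCEPT")],
            "out_internet": [                  # assumed: only web traffic allowed
                Rule("ACCEPT", proto="TCP", dport=80),
                Rule("ACCEPT", proto="TCP", dport=443),
            ],
        },
        policy={"OUTPUT": "DROP"},
    )


def classify(dport: int) -> tuple:
    """Verdict and trace for a NEW TCP SYN from x.x.x.x out ppp0 to the given port."""
    pkt = Packet(out_iface="ppp0", src="x.x.x.x", dst="y.y.y.y", proto="TCP", dport=dport)
    return build_example().verdict("OUTPUT", pkt)


if __name__ == "__main__":
    for port in (4662, 443):               # 4662 is the DPT from the logged packet
        v, steps = classify(port)
        print(f"dport {port}: {v}\n  " + "\n  ".join(steps))
```

Running it shows the logged packet (DPT=4662) taking the path OUTPUT:3 -> out_internet, returning unmatched, then OUTPUT:5 LOG and OUTPUT:6 DROP, while a port 443 packet is accepted inside out_internet and never reaches the LOG rule. The same trace is what `iptables -vnL out_internet` lets you reason about by hand: if no counter in that chain moves for the packet in question, the fall-through is the explanation.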