On December 3, 2004 12:11 pm, Helge Weissig wrote:
> ahhh... finally I see something... but what does it mean???
>
> added the following two log rules:
> $IPTABLES -A PREROUTING -t mangle -j LOG --log-level info --log-prefix 'all mangle preroute: '
> $IPTABLES -A PREROUTING -t mangle -m conntrack --ctstate INVALID -j LOG --log-level info --log-prefix 'contrack mangle preroute: '
>
> the second generates the following error:
> iptables v1.2.6a: Couldn't load match `conntrack':/lib/iptables/libipt_conntrack.so: cannot open shared object file: No such file or directory

The above error indicates you did not build the conntrack match module and related iptables code.

> the ESPs however now show up in the log (these are nmap generated):
> Dec 3 09:07:23 gollum kernel: all mangle preroute: IN=eth0 OUT= MAC=00:90:27:ca:39:56:00:10:67:00:b4:3e:08:00 SRC=vpn.server.ip DST=ext.if.ip LEN=20 TOS=0x00 PREC=0x00 TTL=32 ID=56785 PROTO=ESP INCOMPLETE [0 bytes]
> Dec 3 09:07:23 gollum kernel: all mangle preroute: IN=eth0 OUT= MAC=00:90:27:ca:39:56:00:10:67:00:b4:3e:08:00 SRC=vpn.server.ip DST=ext.if.ip LEN=20 TOS=0x00 PREC=0x00 TTL=32 ID=7732 PROTO=ESP INCOMPLETE [0 bytes]

It would be nice to have the other packet(s) that went out to initiate this connection. But it doesn't look good to me -- I *think* that ipt_LOG.c is saying that the packet structure for the ESP packet is incomplete.

    eh = skb_header_pointer(skb, iphoff+ih->ihl*4, sizeof(_esph), &_esph);
    if (eh == NULL) {
        printk("INCOMPLETE [%u bytes] ", skb->len - iphoff - ih->ihl*4);
        break;
    }

Not sure how the packet is arriving in the LOG routine without the relevant data.

Alistair Tonner
RSO HP Unix admin.

> h.
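Added example, not part of the thread above and not the kernel's own code: a user-space model of the ESP branch of dump_packet() in ipt_LOG.c, built around the skb_header_pointer() check Alistair quotes. It is fed two constructed datagrams (RFC 5737 documentation addresses, zero checksums, hypothetical SPI 0x12345678). The first is a bare 20-byte IPv4 header with protocol 50 and no payload, which is what an nmap IP protocol scan (-sO) sends for ESP, and it reproduces the logged "PROTO=ESP INCOMPLETE [0 bytes]": LEN=20 minus a 20-byte IP header leaves nothing for the 8-byte ESP header to be read from. The second carries a real ESP header and is logged with its SPI; passing it truncated shows the "[N bytes]" arithmetic. The model is simplified to the length check shown in the quoted snippet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ESP 50

/* Constructed sample datagrams (not captures from the thread). Addresses are
 * RFC 5737 documentation ranges; checksums are left zero since the LOG target
 * never verifies them. */

/* 20-byte IPv4 header, protocol 50, total length 20: an IP header with no
 * payload at all, as sent by an nmap IP protocol scan (-sO) for ESP. */
static const uint8_t bare_esp_probe[20] = {
    0x45, 0x00, 0x00, 0x14,        /* ver/ihl, TOS, total length = 20 */
    0xdd, 0xd1, 0x00, 0x00,        /* ID = 56785, flags/frag = 0 */
    0x20, PROTO_ESP, 0x00, 0x00,   /* TTL = 32, proto = ESP, checksum */
    0xc0, 0x00, 0x02, 0x01,        /* src 192.0.2.1 */
    0xc6, 0x33, 0x64, 0x01,        /* dst 198.51.100.1 */
};

/* Same header followed by an 8-byte ESP header (SPI, sequence number). */
static const uint8_t esp_with_header[28] = {
    0x45, 0x00, 0x00, 0x1c,        /* total length = 28 */
    0xdd, 0xd1, 0x00, 0x00,
    0x20, PROTO_ESP, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x01,
    0xc6, 0x33, 0x64, 0x01,
    0x12, 0x34, 0x56, 0x78,        /* SPI = 0x12345678 (hypothetical) */
    0x00, 0x00, 0x00, 0x01,        /* sequence number = 1 */
};

/* Stand-in for skb_header_pointer(): copy `len` bytes at `offset` into `buf`
 * and return it, or return NULL when the packet is too short to hold them. */
static const uint8_t *header_pointer(const uint8_t *pkt, size_t pktlen,
                                     size_t offset, size_t len, uint8_t *buf)
{
    if (offset + len > pktlen)
        return NULL;
    memcpy(buf, pkt + offset, len);
    return buf;
}

/* Models the IPPROTO_ESP case of dump_packet(). Writes the "PROTO=ESP ..."
 * fragment into `line`. Returns 1 when the ESP header was present (SPI stored
 * in *spi), 0 when only *avail bytes followed the IP header, -1 when the
 * buffer is not a plausible IPv4/ESP datagram. */
static int log_esp(const uint8_t *pkt, size_t pktlen, size_t iphoff,
                   uint32_t *spi, unsigned int *avail, char *line, size_t linelen)
{
    uint8_t esph[8];                 /* struct ip_esp_hdr: spi, seq_no */
    const uint8_t *eh;
    unsigned int ihl;

    if (pktlen < iphoff + 20)
        return -1;
    ihl = (pkt[iphoff] & 0x0f) * 4;  /* ih->ihl*4 */
    if ((pkt[iphoff] >> 4) != 4 || ihl < 20 || iphoff + ihl > pktlen)
        return -1;
    if (pkt[iphoff + 9] != PROTO_ESP) /* ih->protocol */
        return -1;

    eh = header_pointer(pkt, pktlen, iphoff + ihl, sizeof esph, esph);
    if (eh == NULL) {
        /* skb->len - iphoff - ih->ihl*4: for a 20-byte datagram this is 0 */
        *avail = (unsigned int)(pktlen - iphoff - ihl);
        snprintf(line, linelen, "PROTO=ESP INCOMPLETE [%u bytes] ", *avail);
        return 0;
    }
    *spi = ((uint32_t)eh[0] << 24) | ((uint32_t)eh[1] << 16) |
           ((uint32_t)eh[2] << 8) | eh[3];   /* ntohl(eh->spi) */
    snprintf(line, linelen, "PROTO=ESP SPI=0x%x ", *spi);
    return 1;
}

/* Wrappers exposing the two outcomes: bytes available after the IP header
 * when the ESP header is missing (-1 otherwise), and the SPI when present. */
static int esp_incomplete_bytes(const uint8_t *pkt, size_t pktlen)
{
    uint32_t spi; unsigned int avail; char line[64];
    int rc = log_esp(pkt, pktlen, 0, &spi, &avail, line, sizeof line);
    return rc == 0 ? (int)avail : -1;
}

static long esp_spi(const uint8_t *pkt, size_t pktlen)
{
    uint32_t spi; unsigned int avail; char line[64];
    int rc = log_esp(pkt, pktlen, 0, &spi, &avail, line, sizeof line);
    return rc == 1 ? (long)spi : -1L;
}

int main(void)
{
    char line[64]; uint32_t spi; unsigned int avail;
    log_esp(bare_esp_probe, sizeof bare_esp_probe, 0, &spi, &avail, line, sizeof line);
    printf("bare probe:  %s\n", line);   /* PROTO=ESP INCOMPLETE [0 bytes] */
    log_esp(esp_with_header, 24, 0, &spi, &avail, line, sizeof line);
    printf("truncated:   %s\n", line);   /* PROTO=ESP INCOMPLETE [4 bytes] */
    log_esp(esp_with_header, sizeof esp_with_header, 0, &spi, &avail, line, sizeof line);
    printf("full header: %s\n", line);   /* PROTO=ESP SPI=0x12345678 */
    return 0;
}
```

The takeaway for reading such log lines: "INCOMPLETE [N bytes]" is not a corrupted skb, it is the LOG target reporting that fewer than sizeof(struct ip_esp_hdr) bytes followed the IP header, and N is exactly that count. A header-only probe therefore always logs as "[0 bytes]", whereas a genuine ESP packet that was cut short would show a small non-zero N.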