Is tcpd enabled, does your system have a /etc/hosts.deny file, or a hosts.allow that is populated? Is there a DSL router, or other router/intelligent hub with an integrated firewall in it in front of or behind the iptables firewall? Could your ISP be blocking ICMP traffic?
Thanks,
Ron DuFresne
On Sun, 6 Mar 2005, Horacio J. Peña wrote:
I have:
# iptables -L -n -t mangle -v
Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# iptables -L -n -t filter -v
Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4

# tcpdump -nvvvpe icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491
00:0a:e6:2d:90:77 is my MAC.
/proc/sys/net/ipv4/conf/*/rp_filter are 0. /proc/sys/net/ipv4/conf/*/forwarding are 1.
What could be eating the packets? Shouldn't iptables see anything that comes to the interface?
Thanks,
HoraPe
---
Horacio J. Peña
horape@xxxxxxxxxxxxxxxxx
horape@xxxxxxxxxx
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free... -Tom Robbins <Still Life With Woodpecker>
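An added example, not part of either message: netfilter's INPUT chains see only packets that the routing decision delivers locally, while routed packets traverse FORWARD, so a rule can match a packet that tcpdump captured and still count zero hits. The sketch below applies that to the listing and capture quoted above; the function names and the local address set are assumptions, since the message does not list the host's addresses.

```python
import ipaddress
import re

# Constructed sample, copied from the listing and capture quoted in the message.
LISTING = """\
Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- eth0 * 192.168.2.0/24 0.0.0.0/0 LOG flags 0 level 4
"""
CAPTURE = "192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491"
SCALE = {"": 1, "K": 1000, "M": 10**6, "G": 10**9}  # iptables -v counter suffixes

def parse_rules(listing):
    """Parse rule lines of `iptables -L -n -v` output into dicts."""
    rules, chain = [], None
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            chain = f[1]
        elif len(f) >= 9 and re.fullmatch(r"\d+[KMG]?", f[0]):
            pkts = int(f[0].rstrip("KMG")) * SCALE[f[0].lstrip("0123456789")]
            rules.append({"chain": chain, "pkts": pkts, "target": f[2],
                          "in": f[5], "src": f[7], "dst": f[8]})
    return rules

def parse_capture(line):
    """Extract (src, dst) from a tcpdump -n IPv4 line."""
    m = re.search(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):", line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def silent_rules(listing, capture, iface, local_addrs):
    """List INPUT/FORWARD rules that match the captured packet but show 0 hits."""
    src, dst = parse_capture(capture)
    # After PREROUTING the routing decision picks exactly one of these hooks.
    hook = "INPUT" if str(dst) in local_addrs else "FORWARD"
    out = []
    for r in parse_rules(listing):
        if r["chain"] not in ("INPUT", "FORWARD") or r["pkts"] != 0:
            continue
        if r["in"] in ("*", iface) and src in ipaddress.ip_network(r["src"]) \
                and dst in ipaddress.ip_network(r["dst"]):
            why = ("dropped before reaching this hook" if r["chain"] == hook
                   else f"packet goes to {hook}, never {r['chain']}")
            out.append((r["chain"], r["target"], why))
    return out

if __name__ == "__main__":
    # Hypothetical local address set; the message does not list the host's addresses.
    for row in silent_rules(LISTING, CAPTURE, "eth0", {"192.168.2.254"}):
        print(row)
```

Pass the host's real addresses (for example from `ip -4 addr`) as `local_addrs`; if the destination is local and the counter is still zero, the packet was discarded before the INPUT hook.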