Re: what is blocking packets before netfilter?


 



> Is tcpd enabled, does your system have a /etc/hosts.deny file, or a
> hosts.allow that is populated?

No, and afaiu, they shouldn't matter at netfilter level.

> Is there a DSL router, or other
> router/intelligent hub with an integrated firewall in it in front of or
> behind the iptables firewall?  Could your ISP be blocking ICMP traffic?

The packets are getting to the box. tcpdump sees them, iptables doesn't.

Thanks,
HoraPe


> Ron DuFresne
> 
> On Sun, 6 Mar 2005, Horacio J. Peña wrote:
> 
> >I have:
> >
> ># iptables -L -n -t mangle -v
> >Chain INPUT (policy ACCEPT 19862 packets, 1603K bytes)
> >pkts bytes target     prot opt in     out     source               destination
> >   0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4
> >
> ># iptables -L -n -t filter -v
> >Chain INPUT (policy ACCEPT 17061 packets, 1410K bytes)
> >pkts bytes target     prot opt in     out     source               destination
> >   0     0 LOG        all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           LOG flags 0 level 4
> >
> ># tcpdump -nvvvpe icmp
> >tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> >15:44:34.189337 00:08:a1:6c:39:00 > 00:0a:e6:2d:90:77, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl64, id 1016, offset 0, flags [DF], length: 84) 192.168.2.1 > 10.5.0.1: icmp 64: echo request seq 63491
> >
> >00:0a:e6:2d:90:77 is my MAC.
> >
> >/proc/sys/net/ipv4/conf/*/rp_filter are 0.
> >/proc/sys/net/ipv4/conf/*/forwarding are 1.
> >
> >What could be eating the packets? Shouldn't iptables see anything that 
> >comes to the interface?
> >
> >Thanks,
> >					HoraPe
> >---
> >Horacio J. Peña
> >horape@xxxxxxxxxxxxxxxxx
> >horape@xxxxxxxxxx
> >
> >
> 
> - -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> 
> ...Love is the ultimate outlaw.  It just won't adhere to rules.
> The most any of us can do is sign on as its accomplice.  Instead
> of vowing to honor and obey, maybe we should swear to aid and abet.
> That would mean that security is out of the question.  The words
> "make" and "stay" become inappropriate.  My love for you has no
> strings attached.  I love you for free...
>                         -Tom Robins <Still Life With Woodpecker>


-- 
					HoraPe
---
Horacio J. Peña
horape@xxxxxxxxxxxxxxxxx
horape@xxxxxxxxxx


