RE: iptables not prevent access

> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx
> [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Rob Sterenborg
> Sent: Monday, September 15, 2008 3:34 PM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: RE: iptables not prevent access
>
> Is there a rule that would accept the http packet before it
> would hit this rule?

Actually, this is the only rule that exists in the server.

> Place a LOG rule identical to the REJECT rule in front of it
> and look in your messages log if it hits:
>
> $ipt -A INPUT -i eth0 -s 13.121.8.119 -p tcp --dport 80 -j LOG \
>   --log-level info --log-prefix "IPT: TEST: "
> $ipt -A INPUT -i eth0 -s 13.121.8.119 -p tcp --dport 80 -j REJECT

We don't have an "ipt" command, only the "iptables" command, and "iptables --help" shows it doesn't support a "--log-level" option:
=====================================
GUMP:/tmp/nvram <45> iptables -A INPUT -i eth0 -s 13.121.8.119 -p tcp --dport 80 -j LOG  --log-level info --log-prefix "IPT: TEST: "
iptables v1.2.8: Unknown arg `--log-level'
Try `iptables -h' or 'iptables --help' for more information.
=====================================

> If it doesn't hit, either the rule is incorrect (for what you
> want it to do) or another rule has already accepted the packet.

What's strange is that, when I run the same command for other machines, say 13.121.8.120, the http access is successfully rejected. Does that mean something is wrong with the network configuration of the machine 13.121.8.119? What is the possible cause of that behavior?

Another thing is quite strange: when capturing a network trace from and to 13.121.8.119, I can't find any packet associated with the server which runs the "iptables" command. However, when I was capturing a network trace from and to 13.121.8.120 (which was successfully blocked), I could see some network packets associated with the server.

Got confused...

> Grts,
> Rob
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
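Added illustration (not part of the thread) of Rob's point that a rule earlier in the chain can accept the packet before it ever reaches the REJECT: a small shell/awk rule-walker over a constructed INPUT chain written in iptables-save syntax. It only understands -i, -s, -p, --dport and -j, treats LOG as non-terminating, and all rules and addresses below are constructed example data.

```shell
#!/bin/sh
# Constructed INPUT chain in iptables-save syntax (example data, not from the thread).
# Rule 1 is a broad per-host ACCEPT that sits in front of the LOG/REJECT pair.
RULES='-A INPUT -i eth0 -s 13.121.8.119 -p tcp -j ACCEPT
-A INPUT -i eth0 -s 13.121.8.119 -p tcp --dport 80 -j LOG --log-prefix "IPT: TEST: "
-A INPUT -i eth0 -s 13.121.8.119 -p tcp --dport 80 -j REJECT
-A INPUT -i eth0 -s 13.121.8.120 -p tcp --dport 80 -j REJECT'

# first_verdict IFACE SRC PROTO DPORT
# Walks the chain top to bottom and prints "N TARGET" for the first terminating
# rule that matches the packet. LOG returns to the chain, so traversal continues
# past it. Prints "0 POLICY" when no rule matches (the chain policy decides).
first_verdict() {
    printf '%s\n' "$RULES" | awk -v in_if="$1" -v src="$2" -v proto="$3" -v dport="$4" '
    {
        iface = ""; s = ""; p = ""; dp = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-s") s = $(i + 1)
            else if ($i == "-p") p = $(i + 1)
            else if ($i == "--dport") dp = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
        }
        # A match field that is absent from the rule matches any packet.
        if ((iface == "" || iface == in_if) && (s == "" || s == src) &&
            (p == "" || p == proto) && (dp == "" || dp == dport)) {
            if (tgt == "LOG") next      # non-terminating: keep walking the chain
            hit = 1
            print NR, tgt
            exit
        }
    }
    END { if (!hit) print "0 POLICY" }'
}

# Host .119 is accepted by rule 1, so the LOG rule never fires and REJECT is
# never reached; host .120 has no earlier ACCEPT and is rejected by rule 4.
first_verdict eth0 13.121.8.119 tcp 80
first_verdict eth0 13.121.8.120 tcp 80
```

Comparing the output with `iptables -L INPUT -n --line-numbers` on the real box shows which rule number actually claims the packet before the REJECT.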
