Re: where are my udp packets going?

sean darcy wrote:

> I was able to shut down the 76. machine, reboot the server, and it worked.

Hmm, a shutdown or reboot was a bit overkill.

> My server does NOT generate 4569 packets, and iptables INPUT drops all from eth0, except for ssh and ESTABLISHED. So how could there be a conntrack entry?

The DROP target prevents a packet from creating a new conntrack entry. However, I suppose there was some sort of race condition between incoming packets, conntrack activation, default policy definition and rule creation.

If the conntrack module is loaded before a DROP rule is created in the filter/INPUT chain or its policy is set to DROP, then an incoming packet could create the bogus conntrack entry. The conntrack module can be autoloaded in many ways, including:
- loading a conntrack or NAT helper module,
- creating a rule using a match or target that requires conntrack (state, conntrack, connmark, CONNMARK...),
- loading the nat table, which may be caused by creating a rule in one of its chains, defining the default policy of one of its chains or just flushing one of its chains.
So conntrack may be enabled sooner than you think.

Check the order in which the following operations happen at startup:
- load conntrack/NAT modules {ip,nf}_{conntrack,nat}*
- define iptables default policies in the nat and filter tables
- create or flush iptables rules in the nat and filter tables
- enable network interfaces

> Is there a way to DNAT traffic before it reaches the conntrack entry?

No, because NAT requires conntrack.

> Can I change the destination in raw/PREROUTING?

No. All you can do in raw/PREROUTING is DROP packets or mark them as UNTRACKED with the NOTRACK target so that conntrack won't see them. By the way, I guess that adding a temporary rule matching the IAX traffic from 76.x.x.x in this chain until the related conntrack entry expires would have done the trick too, without having to put machines offline.

> Is there a way to flush the conntrack entry?

Yes, with the conntrack utility from the conntrack-tools package. If your distro does not ship it, you can get it from the netfilter site.
<http://www.netfilter.org/projects/conntrack-tools/index.html>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
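The three remedies in the reply (policies and rules before the interface comes up, a raw/PREROUTING NOTRACK rule for the offending flow, and deleting the stale entry with the conntrack utility) fit naturally into one startup script. The following is an added example and not code from this thread or from the netfilter project; it assumes a WAN interface eth0, an IAX peer 76.0.0.1 on udp/4569, the nf_conntrack module name, and an installed conntrack-tools. The DRY_RUN switch only prints the commands so the ordering can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, override via env:
WAN_IF="${WAN_IF:-eth0}"            # interface that faces the 76.x.x.x host
STALE_PEER="${STALE_PEER:-76.0.0.1}" # assumed address of the IAX peer
IAX_PORT="${IAX_PORT:-4569}"         # IAX2 signalling/media port

# run: execute a command, or with DRY_RUN=1 only print it, so the order
# of operations can be reviewed on a machine without netfilter or root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: load conntrack explicitly and install policies and rules while
# the interface is still down. Nothing can then reach conntrack before
# filter/INPUT is already dropping it, which closes the race the reply
# describes (a packet arriving between conntrack autoload and the DROP).
firewall_rules() {
    run modprobe nf_conntrack
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -F INPUT
    # raw/PREROUTING is traversed before conntrack: exempt the stale IAX
    # flow so it can neither refresh nor recreate its entry.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p udp \
        -s "$STALE_PEER" --dport "$IAX_PORT" -j NOTRACK
    run iptables -A INPUT -i "$WAN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
}

# Step 2: only now let traffic in.
network_up() {
    run ip link set "$WAN_IF" up
}

# Step 3: delete any entry the peer created earlier instead of waiting
# for the UDP timeout (conntrack(8) from conntrack-tools).
flush_stale() {
    run conntrack -D -p udp -s "$STALE_PEER" --dport "$IAX_PORT"
}

firewall_start() {
    firewall_rules
    network_up
    flush_stale
}

case "${1:-}" in
    start) firewall_start ;;
esac
```

Run it as `sh firewall.sh start` from the boot sequence, before any other script touches the nat table or brings eth0 up; `DRY_RUN=1 sh firewall.sh start` lists the commands in the order they would execute. Once the stale entry is gone the NOTRACK rule can be dropped, since UNTRACKED packets also bypass the ESTABLISHED match and are then simply refused by the INPUT policy.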
