On 01.02.2010 09:13, netfilter-owner@xxxxxxxxxxxxxxx wrote:
> Hello,
>
>> Can you see "RULE 17"?
>
> Rule 17 is the final deny everything else rule.
> Rule 15 is the one which should allow everything "local" on the firewall
>
> #
> # Rule 15 (global)
> #
> echo "Rule 15 (global)"
> #
> #
> #
> $IPTABLES -N Cid4A4A84F123430.0
> $IPTABLES -A INPUT -s myip -m state --state NEW -j Cid4A4A84F123430.0
> $IPTABLES -A INPUT -s 127.0.0.1 -m state --state NEW -j Cid4A4A84F123430.0
> $IPTABLES -A Cid4A4A84F123430.0 -d myip -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.0 -d 127.0.0.1 -j ACCEPT
> $IPTABLES -N Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT -s myip -m state --state NEW -j Cid4A4A84F123430.1
> $IPTABLES -A OUTPUT -s 127.0.0.1 -m state --state NEW -j Cid4A4A84F123430.1
> $IPTABLES -A Cid4A4A84F123430.1 -d myip -j ACCEPT
> $IPTABLES -A Cid4A4A84F123430.1 -d 127.0.0.1 -j ACCEPT
>
> #
> # Rule 17 (global)
> #
> echo "Rule 17 (global)"
> #
> #
> #
> $IPTABLES -N RULE_17
> $IPTABLES -A OUTPUT -j RULE_17
> $IPTABLES -A INPUT -j RULE_17
> $IPTABLES -A RULE_17 -j LOG --log-level info --log-prefix "RULE 17 -- DENY " --log-tcp-sequence --log-tcp-options --log-ip-options
> $IPTABLES -A RULE_17 -j DROP
>
> As we normally can connect, but just a few random connections don't work,
> I assume that there is some timeout or some entries flushed somewhere in
> the filter stuff.
>
> André

shot in the dark, try to insert into rule 17:

$IPTABLES -I RULE_17 -o lo -m state --state INVALID -j LOG \
    --log-level info --log-prefix "RULE 17 -- INVALID" --log-tcp-sequence \
    --log-tcp-options --log-ip-options

and see if it matches the other logged packets. if so, these packets are
classified as invalid by the connection tracker.

best regards
Mart
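To check whether the extra INVALID log rule actually explains the dropped connections, the two log prefixes have to be correlated per flow. The script below is an added example, not part of the thread: it reads iptables LOG lines (the sample lines are constructed, with made-up ports), groups them by protocol/source/destination 5-tuple and reports which "RULE 17 -- DENY" flows were also flagged "RULE 17 -- INVALID" by conntrack and which were dropped for some other reason.

```python
import re
from collections import defaultdict

# Constructed sample of kern.log output once the INVALID LOG rule sits in
# front of the existing "RULE 17 -- DENY" rule. Ports and flags are made up.
SAMPLE_LOG = """\
kernel: RULE 17 -- INVALID IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 PROTO=TCP SPT=3306 DPT=41022 ACK URGP=0
kernel: RULE 17 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 PROTO=TCP SPT=3306 DPT=41022 ACK URGP=0
kernel: RULE 17 -- DENY IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9 LEN=60 PROTO=TCP SPT=51230 DPT=25 SYN URGP=0
kernel: RULE 17 -- INVALID IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 PROTO=TCP SPT=80 DPT=41990 RST URGP=0
kernel: RULE 17 -- DENY IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=40 PROTO=TCP SPT=80 DPT=41990 RST URGP=0
"""

PREFIX_RE = re.compile(r"RULE 17 -- (INVALID|DENY)\b")
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def flow_key(line):
    """Return (proto, src, spt, dst, dpt) for one iptables LOG line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "PROTO" not in fields:
        return None
    return (fields["PROTO"], fields["SRC"], fields.get("SPT", "-"),
            fields["DST"], fields.get("DPT", "-"))

def correlate(log_text):
    """Count DENY and INVALID hits per flow: {flow: {"DENY": n, "INVALID": m}}."""
    hits = defaultdict(lambda: {"DENY": 0, "INVALID": 0})
    for line in log_text.splitlines():
        m = PREFIX_RE.search(line)
        key = flow_key(line)
        if m and key:
            hits[key][m.group(1)] += 1
    return dict(hits)

def denied_flows_explained_by_invalid(log_text):
    """Split denied flows into those conntrack flagged INVALID and the rest."""
    hits = correlate(log_text)
    denied = {k for k, v in hits.items() if v["DENY"]}
    explained = {k for k in denied if hits[k]["INVALID"]}
    return explained, denied - explained

if __name__ == "__main__":
    explained, other = denied_flows_explained_by_invalid(SAMPLE_LOG)
    for flow in sorted(explained):
        print("INVALID before DENY (conntrack):", flow)
    for flow in sorted(other):
        print("DENY without INVALID (rule gap, not conntrack):", flow)
```

Flows that show up only under DENY point at a missing ACCEPT rule rather than at the connection tracker, so the two groups call for different fixes.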