Re: multicast packets

On Fri 26 February 2010, ratheesh k wrote:
> INPUT  policy is DROP
> FORWARD policy is DROP
> OUTPUT policy is accept
> 
> 
> INPUT chain
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT  -i eth0  -j ACCEPT
> 
> 
> FORWARD
> iptables -A FORWARD  -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT  -i eth0  -o eth1 -j ACCEPT
I imagine that this is a typo and that you meant the FORWARD chain.

> 
> machine                    Gateway machine B
>    A -------------------->eth0              eth1 -------------> internet
> 
> I have a machine A, which is connected to a Linux gateway machine.
> The ruleset and policy mentioned are for machine B. There are no iptables
> rules in machine A.
> 
> >>>>>>>>>What do you want to achieve ?
> 
> As per the current rule, no igmp packet should come to the GATEWAY
> machine, since there is no firewall hole in the INPUT chain.
> 
> >>>>>>>>>>what are you observing?
> 
> But I can see igmp packets flowing into machine B from the internet.
Where can you see these igmp packets? With wireshark/tcpdump? If it is one of 
those, then it is normal, because these capture the packets before the 
iptables filter.

Given your ruleset, the packets should not enter if they are coming from the 
internet.

Regards,
Christoph

> On Fri, Feb 26, 2010 at 4:46 AM, Christoph Paasch
> 
> <christoph.paasch@xxxxxxxxx> wrote:
> > Please, provide more information about your setup.
> > 
> > What are the policies of your chains? What is your ruleset?
> > What is your topology?
> > What do you want to achieve, and what are you observing?
> > 
> > Christoph
> > 
> > On Thu 25 February 2010 wrote ratheesh k:
> >> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> 
> >> This is the only rule. No firewall hole for igmp packets.
> >> 
> >> On Thu, Feb 25, 2010 at 12:08 PM, ratheesh k <ratheesh.ksz@xxxxxxxxx> 
wrote:
> >> >>>>>>>>>>udp doesn't go into the established state.
> >> > 
> >> > I am running "igmpproxy" on my gateway box. I did not add any rule in
> >> > the INPUT chain to accept igmp packets. But I have a rule to accept all
> >> > ESTABLISHED state packets. I am able to stream igmp from my desktop.
> >> > 
> >> > I really believe that "we don't need any rule in the FORWARD chain",
> >> > because packets are flowing from node to node and routed, so only the
> >> > INPUT and OUTPUT chains are involved.
> >> > 
> >> > Thanks,
> >> > Ratheesh
> >> > 
> >> > 
> >> > 
> >> > On Thu, Feb 25, 2010 at 12:03 AM, Christoph Paasch
> >> > 
> >> > <christoph.paasch@xxxxxxxxx> wrote:
> >> >> As long as there isn't any return traffic (as is the case for
> >> >> multicast UDP), udp doesn't go into the established state.
> >> >> 
> >> >> Regards,
> >> >> Christoph
> >> >> 
> >> >> On Wed 24 February 2010 wrote ratheesh k:
> >> >>> Multicast packets are UDP packets, but they flow only from
> >> >>> upstream to downstream. So the packet state will always be "NEW"??
> >> >>> 
> >> >>> My question is: can we see multicast data packets in the
> >> >>> ESTABLISHED state??
> >> >>> 
> >> >>> Thanks,
> >> >>> Ratheesh
> >> >>> --
> >> >>> To unsubscribe from this list: send the line "unsubscribe netfilter"
> >> >>> in the body of a message to majordomo@xxxxxxxxxxxxxxx
> >> >>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >> >> 
> >> >> --
> >> >> Christoph Paasch
> >> >> 
> >> >> Alcatel-Lucent
> >> >> IP Development
> >> >> 
> >> >> www.rollerbulls.be
> >> >> --
> >> >> --
> >> 
> > 
> 
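The thread turns on two facts: the `state` match only reports ESTABLISHED for a flow that has seen packets in both directions, so a one-way multicast UDP stream stays NEW forever, and tcpdump/wireshark capture on ingress before the filter table runs. The following toy model, added here as an illustration and not code from the thread or from netfilter, applies that rule to the INPUT/FORWARD ruleset posted above (with the second FORWARD line read as FORWARD, as Christoph assumed). `Packet`, `ToyConntrack`, `simulate` and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet descriptor: iface_out is None when the gateway
    itself is the destination (INPUT path), else it is a forwarded packet."""
    iface_in: str
    iface_out: Optional[str]
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ToyConntrack:
    """Minimal model of the state match: a flow is NEW until a packet in the
    reverse direction is seen; from then on it is ESTABLISHED."""

    def __init__(self):
        # original-direction 5-tuple -> True once a reply has been seen
        self.flows = {}

    def classify(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.flows:
            self.flows[rev] = True        # reply seen: both directions now
            return "ESTABLISHED"
        if fwd in self.flows:
            # further packets in the original direction only
            return "ESTABLISHED" if self.flows[fwd] else "NEW"
        self.flows[fwd] = False
        return "NEW"


def input_chain(pkt, state):
    # -P INPUT DROP
    # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A INPUT -i eth0 -j ACCEPT
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if pkt.iface_in == "eth0":
        return "ACCEPT"
    return "DROP"


def forward_chain(pkt, state):
    # -P FORWARD DROP
    # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A FORWARD -i eth0 -o eth1 -j ACCEPT   (assumed intended line)
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if pkt.iface_in == "eth0" and pkt.iface_out == "eth1":
        return "ACCEPT"
    return "DROP"


def simulate(packets):
    """Return (chain, conntrack state, verdict) per packet. A capture tool on
    the ingress interface would see every packet in this list regardless of
    the verdict, because it taps the interface before the filter table."""
    ct = ToyConntrack()
    out = []
    for pkt in packets:
        state = ct.classify(pkt)
        if pkt.iface_out is None:
            out.append(("INPUT", state, input_chain(pkt, state)))
        else:
            out.append(("FORWARD", state, forward_chain(pkt, state)))
    return out


# Constructed traffic sample (documentation addresses only).
SAMPLE_TRAFFIC = [
    # multicast stream from upstream, two packets, never any reply
    Packet("eth1", "eth0", "udp", "203.0.113.10", "239.1.1.1", 5000, 1234),
    Packet("eth1", "eth0", "udp", "203.0.113.10", "239.1.1.1", 5000, 1234),
    # IGMP query from the internet aimed at the gateway itself
    Packet("eth1", None, "igmp", "203.0.113.1", "224.0.0.1"),
    # DNS query from machine A out to the internet, then its reply
    Packet("eth0", "eth1", "udp", "192.168.1.2", "198.51.100.53", 40000, 53),
    Packet("eth1", "eth0", "udp", "198.51.100.53", "192.168.1.2", 53, 40000),
    # unsolicited TCP SYN from the internet to the gateway
    Packet("eth1", None, "tcp", "203.0.113.10", "198.51.100.1", 4444, 22),
    # packet from machine A to the gateway on the inside interface
    Packet("eth0", None, "udp", "192.168.1.2", "192.168.1.1", 5353, 5353),
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_TRAFFIC, simulate(SAMPLE_TRAFFIC)):
        print(f"{pkt.proto:4} {pkt.iface_in}->{pkt.iface_out or 'local':5}", *result)
```

Running it shows the multicast packets staying NEW on every packet and being dropped by the FORWARD policy, the inbound IGMP and TCP packets dropped by the INPUT policy, and only the DNS reply reaching ESTABLISHED because a packet in the opposite direction preceded it. That the dropped packets would still appear in a tcpdump on eth1 is exactly Christoph's point about where the capture happens.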
