On Sun, May 2, 2010 7:05 am, Gary Smith wrote:
>> Now I can get it to work only by commenting out the last line (iptables
>> -A INPUT -j DROP). But that defies the purpose of a firewall, doesn't
>> it?
>> What the heck happened last afternoon??
>>
>
> Logging helps...
>
> prior to the drop, do a log
>
> iptables -A INPUT -j LOG --log-prefix "FW: "
> iptables -A FORWARD -j LOG --log-prefix "FW: "
> iptables -A OUTPUT -j LOG --log-prefix "FW: "
>
> Then tail the log file and see what is hitting the drop rule. From there,
> poke any additional holes necessary.
>

Thanks Gary. I went ahead with your suggestion but I still can't seem to
figure out where the problem is. For example, this is me trying to ping
google.com from the shell:

[220040.098711] FW: IN= OUT=eth1 SRC=MYPUBIP DST=72.14.234.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=871 SEQ=14
[...]
[220040.342816] FW: IN=eth0 OUT= MAC=00:03:47:42:5c:17:00:04:ed:99:2c:fb:08:00 SRC=72.14.234.104 DST=MYPUBIP LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=48058 PROTO=ICMP TYPE=0 CODE=0 ID=871 SEQ=14

It all seems to be pretty kosher (except for the fact that the packets are
being dropped)..

-JK
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
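The LOG lines above are easier to read once you know the convention the LOG target uses: IN= names the interface a packet arrived on and OUT= the one it is leaving by, so a line with only IN= set came from the INPUT chain, only OUT= from OUTPUT, and both from FORWARD (the same "FW: " prefix on all three chains is what makes this guesswork necessary; a different --log-prefix per chain avoids it). The second quoted line is an ICMP echo-reply (TYPE=0) arriving on INPUT, i.e. the return half of a conversation the host itself started; the LOG rule sits directly before the final DROP, so whatever it logs is about to be dropped, and a stateful ACCEPT earlier in the chain is the rule that would catch it. The script below is an added example written for this page, not code from the thread or from the netfilter project: it parses LOG output of this shape, infers the chain, flags reply packets, and prints the ACCEPT rule that would have matched each one. The log lines it feeds itself are constructed (the first two mirror the pair quoted above with a documentation address in place of MYPUBIP; the TCP and UDP lines are made up), and the "one ACCEPT per dropped packet" suggestion is deliberately naive: it tells you what rule the packet needs, not whether you want it.

```python
"""Parse iptables LOG output (as written by `-j LOG --log-prefix "FW: "`)
and report which chain each logged packet hit and what ACCEPT rule would
have matched it.  Added example; not code from the thread or from netfilter."""
import re
from typing import Dict, List, Optional

# Constructed sample lines in kernel ring buffer (dmesg) style.  The first two
# mirror the echo-request / echo-reply pair quoted in the thread, with the
# poster's public address replaced by 203.0.113.10; the rest are made up.
SAMPLE_LOG = """\
[220040.098711] FW: IN= OUT=eth1 SRC=203.0.113.10 DST=72.14.234.104 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=871 SEQ=14
[220040.342816] FW: IN=eth0 OUT= MAC=00:03:47:42:5c:17:00:04:ed:99:2c:fb:08:00 SRC=72.14.234.104 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=53 ID=48058 PROTO=ICMP TYPE=0 CODE=0 ID=871 SEQ=14
[220051.511020] FW: IN=eth0 OUT= MAC=00:03:47:42:5c:17:00:04:ed:99:2c:fb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[220052.000431] FW: IN=eth0 OUT= MAC=00:03:47:42:5c:17:00:04:ed:99:2c:fb:08:00 SRC=72.14.234.104 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=4242 DF PROTO=TCP SPT=443 DPT=40312 WINDOW=5840 RES=0x00 ACK URGP=0
[220053.207744] FW: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=72.14.234.104 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
"""

# The LOG target emits one KEY=VALUE token per field plus bare flag tokens
# (DF, SYN, ACK, ...).  Some keys repeat within a line: ID= is first the IP
# id and then the ICMP id, LEN= first the IP length and then the UDP length.
TOKEN_RE = re.compile(r'^([A-Z]+)=(.*)$')


def parse_log_line(line: str, prefix: str = "FW:") -> Optional[Dict[str, str]]:
    """Return the fields of one LOG line as a dict, or None if the prefix is absent.

    A key seen a second time is stored as '<PROTO>_<KEY>' (ICMP_ID, UDP_LEN)
    so the layer-4 value does not overwrite the IP-header value.  Bare flag
    tokens are joined into a 'FLAGS' entry.
    """
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in line[idx + len(prefix):].split():
        m = TOKEN_RE.match(tok)
        if not m:
            flags.append(tok)
            continue
        key, value = m.groups()
        if key in fields:
            key = f"{fields.get('PROTO', 'L4')}_{key}"
        fields[key] = value
    fields['FLAGS'] = ' '.join(flags)
    return fields


def chain_for(fields: Dict[str, str]) -> str:
    """Infer the chain from IN=/OUT=: both set -> FORWARD, only IN -> INPUT,
    only OUT -> OUTPUT.  A distinct --log-prefix per chain makes this exact."""
    has_in, has_out = bool(fields.get('IN')), bool(fields.get('OUT'))
    if has_in and has_out:
        return 'FORWARD'
    if has_in:
        return 'INPUT'
    if has_out:
        return 'OUTPUT'
    return 'UNKNOWN'


def is_reply(fields: Dict[str, str]) -> bool:
    """True for the return half of a conversation this host (or one behind it)
    started: an ICMP echo-reply, or a TCP segment carrying ACK but not SYN.
    These are what a stateful ESTABLISHED,RELATED ACCEPT rule matches."""
    proto = fields.get('PROTO')
    flags = fields.get('FLAGS', '').split()
    if proto == 'ICMP':
        return fields.get('TYPE') == '0'
    if proto == 'TCP':
        return 'SYN' not in flags and 'ACK' in flags
    return False


def suggest_rule(fields: Dict[str, str]) -> str:
    """Return the iptables rule that would have accepted this packet.  -I is
    used so the rule lands ahead of the trailing LOG/DROP pair."""
    chain = chain_for(fields)
    proto = fields.get('PROTO', '')
    if is_reply(fields):
        return f"iptables -I {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if proto in ('TCP', 'UDP'):
        iface = f"-i {fields['IN']} " if fields.get('IN') else ''
        return f"iptables -I {chain} {iface}-p {proto.lower()} --dport {fields['DPT']} -j ACCEPT"
    if proto == 'ICMP':
        return f"iptables -I {chain} -p icmp --icmp-type {fields['TYPE']} -j ACCEPT"
    return f"iptables -I {chain} -p {proto.lower()} -j ACCEPT"


def summarize(log_text: str, prefix: str = "FW:") -> List[Dict[str, str]]:
    """Run the parser over a block of log text; one row per logged packet."""
    rows = []
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        rows.append({
            'chain': chain_for(f),
            'proto': f.get('PROTO', '?'),
            'src': f.get('SRC', '?'),
            'dst': f.get('DST', '?'),
            'reply': 'yes' if is_reply(f) else 'no',
            'rule': suggest_rule(f),
        })
    return rows


if __name__ == '__main__':
    # Real use: dmesg | grep 'FW:' | python3 this_script.py, reading stdin
    # instead of SAMPLE_LOG.
    for row in summarize(SAMPLE_LOG):
        print(f"{row['chain']:8} {row['proto']:5} {row['src']:>15} -> "
              f"{row['dst']:<15} reply={row['reply']:3}  {row['rule']}")
```

Two things to keep in mind when reading the output: the chain inference only works because the LOG rule is the last rule before the DROP in each chain, so "logged" means "about to be dropped" there; and the echo-reply, the ACK segment and similar reply traffic should be admitted with one `--state ESTABLISHED,RELATED` rule near the top of INPUT rather than with per-port holes, which is the usual reason a ruleset that ends in `-A INPUT -j DROP` silently kills outbound sessions.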