Re: iptables - external IP address on internal interface?

On Wed, 2011-04-20 at 13:19 +0100, Tony Rogers wrote:
> If I'm interpreting this correctly:
> 
> 212.118.226.91 is trying to connect to 192.168.0.168 ?
> 

Not really "trying to connect", it's just a packet of data, so it could
be the reply to a connection already initiated.

> Or is this some kind of reverse logic, and 192.168.0.168 is actually
>  connecting to 212.118.226.91 on port 80? If so, why would the log
>  entry be reversed?

I suspect that it is the *reply* packets. So your local client (.168)
opens a connection to port 80 on the remote server (.91) and then the
remote server sends a reply back; those are the packets that you are
seeing below.

> However, there is no rule that permits inbound connections of this nature.
> 

Well if you don't allow *any* packets in, then you will only have a one
way connection, which is pretty useless...

Are you sure you don't have a rule to allow ESTABLISHED connections back
in?

> And (more worryingly) the connection appears to be sourced from eth0 (internal interface).
> 

I'd expect them to go OUT on the internal interface. Which chain are you
logging the packets in? If it's POSTROUTING, then I'd expect IN to be
blank - not sure why it is also eth0 - maybe your version of iptables.

> 
> Apr 20 11:21:52 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=115 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:21:59 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=116 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:22:04 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=117 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> Apr 20 11:22:23 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=118 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
> 
> Does this make sense to any of you gurus out there?
> 

Well I'm not a guru... but yes it does make sense, except for both the
IN and OUT being the same.

Try logging in the PREROUTING and FORWARD chains as well, and you should
see the interfaces change.

Andy


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
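As an added illustration (not part of the thread or of netfilter itself), here is a small parser for the kernel LOG lines quoted above that classifies each packet the way Andy reasons about it: a packet from a remote service port to a local ephemeral port is reply traffic, while only a bare SYN toward an internal host is a new inbound attempt that would need a permitting rule. It assumes 192.168.0.0/24 is the internal range; the sample log text is the four lines from the thread.

```python
import ipaddress

SAMPLE_LOG = """\
Apr 20 11:21:52 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=115 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:21:59 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=116 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:22:04 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=117 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
Apr 20 11:22:23 statler kernel: OUTPUT IN=eth0 OUT=eth0 SRC=212.118.226.91 DST=192.168.0.168 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=118 DF PROTO=TCP SPT=80 DPT=2011 WINDOW=0 RES=0x00 RST URGP=0
"""  # constructed sample input: the four kernel LOG lines quoted in the thread

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN range behind the firewall
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split a netfilter LOG record into --log-prefix text, key=value fields and bare TCP flags."""
    body = line.partition("kernel: ")[2]      # empty string if this is not a kernel log line
    prefix, fields, flags = [], {}, set()
    for tok in body.split():
        if "=" in tok:                        # IN=eth0, SRC=..., SPT=80 (value may be empty)
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        elif not fields:                      # words before the first key=value are the prefix
            prefix.append(tok)
    return {"prefix": " ".join(prefix), "fields": fields, "flags": flags}

def classify(rec):
    """Is a logged packet reply traffic, or a new inbound attempt that would need an ACCEPT rule?"""
    f, flags = rec["fields"], rec["flags"]
    if f.get("PROTO") != "TCP":
        return "non-tcp"
    src_in = ipaddress.ip_address(f["SRC"]) in INTERNAL_NET
    dst_in = ipaddress.ip_address(f["DST"]) in INTERNAL_NET
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if dst_in and not src_in and flags == {"SYN"}:
        return "new-inbound-attempt"          # only a bare SYN opens a connection from outside
    if dst_in and not src_in and spt < 1024 and dpt >= 1024:
        return "reply-from-remote-service"    # server port -> client's ephemeral port, e.g. 80 -> 2011
    return "other"

def summarize(text):
    """Count packet kinds and how many records show the same interface for IN and OUT."""
    counts, same_iface = {}, 0
    for rec in (parse_log_line(line) for line in text.splitlines()):
        if "SRC" not in rec["fields"]:         # not a netfilter LOG record
            continue
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
        same_iface += rec["fields"].get("IN", "") == rec["fields"].get("OUT", "") != ""
    return counts, same_iface
```

Running `summarize(SAMPLE_LOG)` on the quoted lines reports all four as reply traffic (RST from port 80 to the client's port 2011) and all four with IN and OUT both set to eth0, which is the oddity Andy points out.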

