Hi John,

On 2011-11-15 04:07, John A. Sullivan III wrote:
Hello, all. I find myself perplexed by what I often see in our logs. At the end of our FORWARD chain, we log drops for no matches:

    [root@fw01 log]# iptables -v -n -L FORWARD
    Chain FORWARD (policy DROP 528K packets, 85M bytes)
     pkts bytes target      prot opt in     out     source               destination
      16M  925M TCPMSS      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    2284M 1690G ACCEPT      all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    7890K  594M VPN_ALLOW   all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xcccc/0xcccc
      27M 2609M UPEPIN_DENY all  --  *      *       0.0.0.0/0            0.0.0.0/0
      27M 2609M UPEPIN      all  --  *      *       0.0.0.0/0            0.0.0.0/0
     528K   85M LOG         all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `No Match: '
The above shows SMTP, LDAP, and memcached replies which should have been accepted. Why would I see this?
I do not know what kind of rules you have between the "RELATED,ESTABLISHED" and the "LOG/DROP" rules, but I do not see any "conntrack NEW" rule there... And as far as I can tell, your UPEPIN_DENY chain does not get any hit... (If that chain is meant to deny any unwanted traffic.)
To answer your question: You see those logs because the packets are:
- not "RELATED" or "ESTABLISHED",
- not filtered in the VPN_ALLOW chain (not marked with 0xcccc),
- not dropped in the UPEPIN_DENY chain,
- not accepted in the UPEPIN chain...

These packets can be:
a, "NEW",
b, "INVALID",
c, "UNTRACKED",
and none of them are "ACCEPT"-ed... :D

Swifty
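The reasoning above can be checked mechanically against the counters. The following is an added diagnostic script, not code from the thread or from the netfilter project: it parses the text that `iptables -v -n -L <chain>` prints (the FORWARD listing quoted above is embedded as constructed sample input), converts the abbreviated counters, and reports three things a reviewer would look for: whether any rule ahead of the trailing LOG explicitly matches conntrack state NEW, whether the LOG rule's packet count equals the chain policy's drop count (so the LOG line is exactly the fall-through), and which user-chain jumps are followed by a rule with identical counters (every packet came back from that chain without a terminating verdict, which is what the UPEPIN_DENY numbers show). The counter suffixes are treated as powers of 1000, which is how iptables abbreviates them; the function and class names are this example's own.

```python
"""Added diagnostic helper: parse `iptables -v -n -L <chain>` output and explain
why packets reach a trailing LOG rule. Not part of the netfilter thread."""
import re
from dataclasses import dataclass, field

# The FORWARD listing quoted in the thread, one rule per line (constructed sample input).
SAMPLE = """\
Chain FORWARD (policy DROP 528K packets, 85M bytes)
 pkts bytes target      prot opt in     out     source               destination
  16M  925M TCPMSS      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2284M 1690G ACCEPT      all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
7890K  594M VPN_ALLOW   all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match 0xcccc/0xcccc
  27M 2609M UPEPIN_DENY all  --  *      *       0.0.0.0/0            0.0.0.0/0
  27M 2609M UPEPIN      all  --  *      *       0.0.0.0/0            0.0.0.0/0
 528K   85M LOG         all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `No Match: '
"""

# iptables abbreviates counters in multiples of 1000 (K, M, G, T).
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}
# Targets that are not jumps to user-defined chains.
BUILTIN = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "TCPMSS", "MARK", "MASQUERADE", "SNAT", "DNAT"}
HEADER = re.compile(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")


def to_int(counter: str) -> int:
    """Convert an abbreviated counter such as '2284M' or '528K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", counter)
    if not m:
        raise ValueError(f"bad counter: {counter!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # free-form match text after the destination column, may be empty


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int
    rules: list = field(default_factory=list)


def parse_listing(text: str) -> Chain:
    """Parse one chain listing into a Chain with its rules in evaluation order."""
    chain = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            chain = Chain(m.group(1), m.group(2), to_int(m.group(3)))
            continue
        if line.lstrip().startswith("pkts "):
            continue  # column header row
        # Nine fixed columns; whatever follows the destination is the match description.
        parts = line.split(None, 9)
        pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
        extra = parts[9].strip() if len(parts) > 9 else ""
        chain.rules.append(Rule(to_int(pkts), to_int(nbytes), target, proto, in_if, out_if, src, dst, extra))
    return chain


def accepts_new_before_log(chain: Chain) -> bool:
    """True if a rule ahead of the LOG rule explicitly matches conntrack state NEW."""
    for r in chain.rules:
        if r.target == "LOG":
            return False
        if re.search(r"\b(state|ctstate)\b.*\bNEW\b", r.extra):
            return True
    return False


def log_equals_policy_drops(chain: Chain) -> bool:
    """True if the LOG rule saw exactly the packets the chain policy then dropped."""
    return any(r.target == "LOG" and r.pkts == chain.policy_pkts for r in chain.rules)


def passthrough_chains(chain: Chain) -> list:
    """User-chain jumps whose successor rule has identical counters: nothing inside
    that chain issued a terminating verdict, every packet returned."""
    found = []
    for a, b in zip(chain.rules, chain.rules[1:]):
        if a.target not in BUILTIN and (a.pkts, a.nbytes) == (b.pkts, b.nbytes):
            found.append(a.target)
    return found


if __name__ == "__main__":
    fwd = parse_listing(SAMPLE)
    print(f"{fwd.name}: policy {fwd.policy}, NEW accepted before LOG: {accepts_new_before_log(fwd)}")
    print(f"LOG count equals policy drops: {log_equals_policy_drops(fwd)}")
    print(f"chains that returned every packet: {passthrough_chains(fwd)}")
```

Run against the listing from the thread, the script reports no NEW rule ahead of the LOG, a LOG count of 528K that matches the policy drop counter, and UPEPIN_DENY as a chain that returned every packet it received. Packets that are not RELATED or ESTABLISHED (NEW, INVALID or UNTRACKED in conntrack terms) therefore have no rule left to accept them before the LOG, which is the state of affairs the reply describes; to see which of the three states a logged reply is in, the same listing can be compared with a rule that matches INVALID explicitly.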