On Tuesday 2011-11-15 04:07, John A. Sullivan III wrote:

>Hello, all. I find myself perplexed by what I often see in our logs.
>At the end of our FORWARD chain, we log drops for no matches:
>
>[root@fw01 log]# iptables -v -n -L FORWARD
>Chain FORWARD (policy DROP 528K packets, 85M bytes)
> pkts bytes target      prot opt in  out  source     destination
>  16M  925M TCPMSS      tcp  --  *   *    0.0.0.0/0  0.0.0.0/0   tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>2284M 1690G ACCEPT      all  --  *   *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
>7890K  594M VPN_ALLOW   all  --  *   *    0.0.0.0/0  0.0.0.0/0   MARK match 0xcccc/0xcccc
>  27M 2609M UPEPIN_DENY all  --  *   *    0.0.0.0/0  0.0.0.0/0
>  27M 2609M UPEPIN      all  --  *   *    0.0.0.0/0  0.0.0.0/0
> 528K   85M LOG         all  --  *   *    0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 4 prefix `No Match: '
>
>However, my logs are always showing these drops for packets I know
>should be matched in conntrack:
>
>Nov 14 18:45:51 fw01 kernel: No Match: IN=bond4 OUT=bond3 SRC=172.x.y.34
>DST=194.187.105.194 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48910 DF
>PROTO=TCP SPT=25 DPT=60261 WINDOW=4

As always, post the *full* ruleset, and do so by using iptables-save.
Do *NOT* use -L.

The use of TCPMSS is generally not needed either - if you do, you are
likely to be wrongly blocking ICMP.
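Added example, not part of the thread above: before re-posting a ruleset, it helps to classify what the final LOG rule is actually catching. The script below parses lines in the kernel LOG target's format (the same `IN= OUT= SRC= ... PROTO=TCP SPT= DPT=` key/value layout as the "No Match:" line quoted in the post) and groups the drops by a coarse reason: a bare SYN (a new flow that only an explicit ACCEPT can admit), a non-SYN TCP segment that conntrack did not treat as ESTABLISHED (otherwise the `state RELATED,ESTABLISHED` rule in the chain above would have accepted it), or an ICMP error such as type 3 code 4 "fragmentation needed", which the reply's PMTU/TCPMSS remark is about. The sample lines are constructed for this example (RFC 5737 addresses; the first mirrors the quoted line with the `RES= ACK URGP=` flag fields the kernel appends after `WINDOW=`), and the label names are this example's own, not netfilter terminology.

```python
"""Group netfilter LOG drops by a coarse cause (added example, constructed input)."""
import re
from collections import Counter

# Constructed sample in the kernel LOG target's format. Line 1 mirrors the
# post's "No Match:" line; the others illustrate a RST, a bare SYN and an
# ICMP error that embeds the offending packet's header in [...].
SAMPLE_LOG = """\
Nov 14 18:45:51 fw01 kernel: No Match: IN=bond4 OUT=bond3 SRC=192.0.2.34 DST=194.187.105.194 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=48910 DF PROTO=TCP SPT=25 DPT=60261 WINDOW=4 RES=0x00 ACK URGP=0
Nov 14 18:45:52 fw01 kernel: No Match: IN=bond3 OUT=bond4 SRC=194.187.105.194 DST=192.0.2.34 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=60261 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Nov 14 18:46:03 fw01 kernel: No Match: IN=bond3 OUT=bond4 SRC=198.51.100.7 DST=192.0.2.40 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=44210 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 14 18:46:10 fw01 kernel: No Match: IN=bond3 OUT=bond4 SRC=198.51.100.9 DST=192.0.2.40 LEN=56 TOS=0xc0 PREC=0xc0 TTL=50 ID=2 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.0.2.40 DST=198.51.100.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=62 ID=7 DF PROTO=TCP SPT=443 DPT=51000 WINDOW=4 RES=0x00 ACK URGP=0 ]
"""

# TCP flag names the LOG target prints as bare tokens after RES=.
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the packet fields of one LOG line as a dict, or None if it is not one."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    _, _, body = line.partition("kernel: ")
    start = body.index("IN=")
    prefix = body[:start].strip()          # the --log-prefix text, e.g. "No Match:"
    body = body[start:]
    # ICMP errors embed the triggering packet's header in [...]. Parse the
    # outer header only, so inner SRC/DST/SPT do not overwrite the outer ones.
    inner = None
    if "[" in body:
        body, _, rest = body.partition("[")
        inner = rest.rstrip(" ]")
    fields = dict(KV_RE.findall(body))
    tokens = set(body.split())
    fields["_prefix"] = prefix
    fields["_flags"] = frozenset(f for f in TCP_FLAGS if f in tokens)
    fields["_df"] = "DF" in tokens
    if inner is not None:
        fields["_inner"] = dict(KV_RE.findall(inner))
    return fields


def classify(fields):
    """Coarse reason a packet could fall through to the final LOG rule (example labels)."""
    proto = fields.get("PROTO")
    if proto == "TCP":
        flags = fields["_flags"]
        if "SYN" in flags and "ACK" not in flags:
            return "tcp-new-syn"             # new flow; needs an explicit ACCEPT
        return "tcp-no-conntrack-state"      # mid-stream, but not ESTABLISHED to conntrack
    if proto == "ICMP" and fields.get("TYPE") == "3":
        return "icmp-error"                  # dest-unreach, incl. code 4 (frag needed / PMTU)
    return "other"


def summarize(log_text):
    """Count drops per (cause, in, out, proto, sport, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (classify(f), f.get("IN"), f.get("OUT"), f.get("PROTO"),
               f.get("SPT", "-"), f.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(n, *key)
```

Feed it the real journal with `summarize(open("/var/log/kern.log").read())`; a large `tcp-no-conntrack-state` bucket on ports 25 and 443 points at segments conntrack no longer (or never) had a state entry for, which is the question the full `iptables-save` output is needed to answer.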