On Sat, Jun 16, 2012 at 1:20 PM, sreejith menon <sreejithjmenon@xxxxxxxxx> wrote:
> Hi,
>
>> This is not correct syntax but should illustrate the pieces needed for the
>> single rule you want:
>> -A FORWARD -i eth0 \
>> -source range 172.31.114.1-172.31.114.254 \
>> -dest range 10.2.2.1-10.2.2.254 \
>> -protocol tcp \
>> -destport 22 \
>> -m state --state NEW \
>> -j DROP
>
> I have further narrowed down the problem. I added a single rule in the FORWARD
> chain for ssh packets from 172.31.114.239 to 10.2.2.5, using REJECT instead of
> DROP:
>
> iptables -nvL
>
> Chain INPUT (policy ACCEPT 15 packets, 1260 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  *      *       172.31.114.239       10.2.2.5             tcp dpt:22 reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT 13 packets, 1316 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Observation
> -----------------
> 1) ssh from 172.31.114.239 to 10.2.2.5 - ssh rejected with icmp port
>    unreachable once. Counter increased by 1.
> 2) Again ssh from 172.31.114.239 to 10.2.2.5 - ssh dropped but no icmp port
>    unreachable received. Counter not increased.
> 3) ftp from 172.31.114.239 to 10.2.2.5 - ftp dropped and no counter
>    increased.
>
> Another test scenario
> --------------------------------
> Instead of forwarding, I decided to apply the same scenario to the INPUT
> chain:
>
> iptables -nvL
>
> Chain INPUT (policy ACCEPT 23 packets, 1820 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     tcp  --  *      *       172.31.114.239       172.31.114.253       tcp dpt:22 reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 17 packets, 2116 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Observation
> ------------------
> 1. ssh packets from 172.31.114.239 to 172.31.114.253 always rejected.
>    Counter always increased.
> 2. No problem with the ftp packets, i.e. always allowed.
>
> Summary of Observation
> ------------------------------------
> There seems to be some drop problem with different ports in the FORWARD
> chain. The INPUT chain works fine. Since the DROP counters are not increased
> for tcp packets, I feel like all tcp packets are getting dropped once the
> drop rule is hit. If either the source or destination ip changes, i.e.
> ssh/ftp to a different machine with the same set of rules in the FORWARD
> chain, it is allowed.
>
> thanks and regards
> sreejith
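The debugging method used in the message above is to watch the per-rule packet counters in `iptables -nvL` between test connections. The script below is an added example, not code from the thread or from the netfilter project, that automates that: it parses two listings, one taken before and one after a test connection, and prints every rule whose counter moved. The "before" sample is the FORWARD-chain listing posted in the message; the "after" sample is constructed here (counter 1, 60 bytes) to reflect observation 1 and is not output the poster published. It assumes only a POSIX sh with awk and mktemp, so it runs without root or a kernel with netfilter.

```sh
#!/bin/sh
# Added example (not code from the thread): snapshot `iptables -nvL` before and
# after a test connection and report which rules' packet counters moved.
# A rule whose counter does not move either never saw the packet or the packet
# was handled by an earlier rule or chain, which is the distinction the poster
# is trying to make. On a real box use `iptables -xnvL` so counters are exact
# rather than abbreviated ("1234K").

# Turn `iptables -nvL` output on stdin into one "chain|target|src|dst|dpt|pkts"
# line per rule (dpt is "-" when the rule has no --dport match).
parse_counters() {
    awk '
        /^Chain /        { chain = $2; next }    # remember the current chain
        /^ *pkts +bytes/ { next }                # skip the column header
        NF >= 9 {                                # a rule line
            dpt = "-"
            for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) dpt = substr($i, 5)
            printf "%s|%s|%s|%s|%s|%s\n", chain, $3, $8, $9, dpt, $1
        }'
}

# rule_pkts CHAIN TARGET SRC DST DPT  < listing   -> packet counter of that rule
rule_pkts() {
    parse_counters | awk -F'|' -v want="$1|$2|$3|$4|$5" '
        { key = $1 FS $2 FS $3 FS $4 FS $5; if (key == want) print $6 }'
}

# diff_counters BEFORE_FILE AFTER_FILE -> "chain|target|src|dst|dpt +N" for every
# rule whose counter changed between the two snapshots (new rules show as +N).
diff_counters() {
    b=$(mktemp); a=$(mktemp)
    parse_counters < "$1" > "$b"
    parse_counters < "$2" > "$a"
    awk -F'|' '
        NR == FNR { before[$1 FS $2 FS $3 FS $4 FS $5] = $6; next }
        {
            key = $1 FS $2 FS $3 FS $4 FS $5
            delta = $6 - before[key]
            if (delta != 0) printf "%s %s%d\n", key, (delta > 0 ? "+" : ""), delta
        }' "$b" "$a"
    rm -f "$b" "$a"
}

# --- constructed sample snapshots ------------------------------------------
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

# The listing as posted in the thread, before any test connection.
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy ACCEPT 15 packets, 1260 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       172.31.114.239       10.2.2.5             tcp dpt:22 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 13 packets, 1316 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF

# Constructed: the same listing after the first ssh attempt (one SYN rejected).
cat > "$AFTER" <<'EOF'
Chain INPUT (policy ACCEPT 15 packets, 1260 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 REJECT     tcp  --  *      *       172.31.114.239       10.2.2.5             tcp dpt:22 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 14 packets, 1376 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF

echo "rules whose counters changed between the two snapshots:"
diff_counters "$BEFORE" "$AFTER"
```

To use it on a live router, save `iptables -xnvL > before.txt`, run the test connection, save `iptables -xnvL > after.txt`, then call `diff_counters before.txt after.txt`. If the second ssh attempt in observation 2 leaves every counter unchanged, the packet was not consumed by the REJECT rule in FORWARD; comparing the chain policy counters and the INPUT/OUTPUT chains in the same diff narrows down where it went.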