Re: iptables dropping multicast packets

On Fri, Sep 16, 2016 at 05:32:02PM -0700, Robert Watson wrote:
> I'm having trouble with iptables filtering out multicast ssdp 
> packets. I created a custom MULTICAST chain to help debug but I'm 
> still getting dropped input multicast packets.

Are you?  I don't think so.

> Here is my iptables....
> # Generated by iptables-save v1.4.21 on Thu Sep 15 22:26:20 2016
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :MULTICAST - [0:0]
> -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-tcp-options --log-ip-options
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT ! -s 10.20.30.0/24 -i lan -j LOG --log-prefix "SPOOFED PKT "
> -A INPUT ! -s 10.20.30.0/24 -i lan -j DROP

You're fine up to here.

> -A INPUT ! -i lo -j LOG --log-prefix "INPUT DROP " --log-tcp-options --log-ip-options

This rule logs "INPUT DROP " on anything not coming in via the 
loopback interface.

> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -d 224.0.0.0/4 -j MULTICAST

But here, you're sending those already logged packets to your 
"MULTICAST" chain.

[big snip]

Look at this chain carefully:

> -A MULTICAST ! -o lo -j LOG --log-prefix "MULTICAST DROP " --log-tcp-options --log-ip-options

You log that the packet is dropped.  Note that all packets logged 
here were already logged with the "INPUT DROP " prefix.  Note also 
that the "! -o lo" is a no-op on INPUT, and this chain was called 
from INPUT.

> -A MULTICAST -p udp -m udp --dport 1900 -j ACCEPT

But these packets are NOT dropped.

> -A MULTICAST -j DROP
snip

> Here is the output from the journalctl -xe | grep "1900"
> 
> kernel: INPUT DROP IN=lan OUT=
> MAC=01:00:5e:7f:ff:fa:24:0a:64:fe:cb:65:08:00 SRC=10.20.30.38 
> DST=239.255.255.250 LEN=165 TOS=0x00 PREC=0x00 TTL=4 ID=3831 
> PROTO=UDP SPT=64585 DPT=1900 LEN=145
> 
> kernel: MULTICAST DROP IN=lan OUT= 
> MAC=01:00:5e:7f:ff:fa:24:0a:64:fe:cb:65:08:00 SRC=10.20.30.38 
> DST=239.255.255.250 LEN=165 TOS=0x00 PREC=0x00 TTL=4 ID=3831 
> PROTO=UDP SPT=64585 DPT=1900 LEN=145
> 
> I don't understand why these packets are dropped...

It's the same packet; it was not dropped by these rules.  PEBKAC.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
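The point of the reply above, that LOG is a non-terminating target whose prefix says nothing about the verdict a packet finally gets, and that "! -o lo" cannot fail to match in INPUT, written out as a small runnable model. This is an added example, not code from the list post and not netfilter's own code. It walks the posted INPUT and MULTICAST chains (minus the rules behind "[big snip]", and with --icmp-type reduced to a plain -p icmp match) the way the kernel does, and then a FIXED ruleset that is my own suggestion, not something the post contains: log only directly before the verdict the prefix names. The Packet and Rule classes, the walk()/filter_input() helpers, and the packets fed in are all constructed here for illustration.

```python
"""Tiny model of netfilter filter-table chain traversal (added example).

Models only the matches the post uses (-i/-o, -s/-d, -p/--dport,
conntrack --ctstate) and the targets LOG, ACCEPT, DROP and user-chain
jumps.  Not netfilter code; names and rulesets below are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    iif: str                 # incoming interface, "" when there is none
    oif: str                 # outgoing interface, always "" in INPUT
    src: str
    dst: str
    proto: str = ""
    dport: Optional[int] = None
    ctstate: str = "NEW"


@dataclass
class Rule:
    target: str              # ACCEPT, DROP, LOG or the name of a user chain
    iif: Optional[str] = None
    oif: Optional[str] = None
    src: Optional[str] = None           # CIDR, as in -s 10.20.30.0/24
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: Optional[Set[str]] = None
    negate: Set[str] = field(default_factory=set)   # matches written with "!"
    log_prefix: str = ""

    def matches(self, pkt: Packet) -> bool:
        checks = [
            ("iif", self.iif, lambda: pkt.iif == self.iif),
            ("oif", self.oif, lambda: pkt.oif == self.oif),
            ("src", self.src, lambda: ipaddress.ip_address(pkt.src)
                                      in ipaddress.ip_network(self.src)),
            ("dst", self.dst, lambda: ipaddress.ip_address(pkt.dst)
                                      in ipaddress.ip_network(self.dst)),
            ("proto", self.proto, lambda: pkt.proto == self.proto),
            ("dport", self.dport, lambda: pkt.dport == self.dport),
            ("ctstates", self.ctstates, lambda: pkt.ctstate in self.ctstates),
        ]
        for name, wanted, test in checks:
            if wanted is None:
                continue                    # match not used by this rule
            hit = test()
            if name in self.negate:
                hit = not hit               # "! -o lo" in INPUT: oif is "", so always true
            if not hit:
                return False
        return True


def walk(chains, chain: str, pkt: Packet, log: List[str]) -> Optional[str]:
    """Walk one chain in order; ACCEPT/DROP, or None if it fell through."""
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            # Non-terminating: write a line, then continue with the next rule.
            # The prefix is free text; "DROP" in it does not drop anything.
            log.append(f"{rule.log_prefix}IN={pkt.iif} OUT={pkt.oif} SRC={pkt.src} "
                       f"DST={pkt.dst} PROTO={pkt.proto.upper()} DPT={pkt.dport}")
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk(chains, rule.target, pkt, log)      # -j <user chain>
        if verdict is not None:
            return verdict
    return None                                            # back to the caller


def filter_input(chains, pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Verdict for pkt in INPUT (policy DROP, as posted) plus the log lines."""
    log: List[str] = []
    return (walk(chains, "INPUT", pkt, log) or policy), log


# The chains as posted, without the snipped rules.
POSTED = {
    "INPUT": [
        Rule("LOG", ctstates={"INVALID"}, log_prefix="DROP INVALID "),
        Rule("DROP", ctstates={"INVALID"}),
        Rule("ACCEPT", ctstates={"RELATED", "ESTABLISHED"}),
        Rule("LOG", src="10.20.30.0/24", iif="lan", negate={"src"}, log_prefix="SPOOFED PKT "),
        Rule("DROP", src="10.20.30.0/24", iif="lan", negate={"src"}),
        Rule("LOG", iif="lo", negate={"iif"}, log_prefix="INPUT DROP "),   # everything but lo
        Rule("ACCEPT", proto="icmp"),
        Rule("ACCEPT", iif="lo"),
        Rule("MULTICAST", dst="224.0.0.0/4"),
    ],
    "MULTICAST": [
        Rule("LOG", oif="lo", negate={"oif"}, log_prefix="MULTICAST DROP "),  # matches everything
        Rule("ACCEPT", proto="udp", dport=1900),
        Rule("DROP"),
    ],
}

# Suggested fix (mine, not from the post): log only right before the verdict
# the prefix names, i.e. last in INPUT before the DROP policy, and right
# before the explicit DROP in MULTICAST.
FIXED = {
    "INPUT": [r for r in POSTED["INPUT"] if r.log_prefix != "INPUT DROP "]
             + [Rule("LOG", iif="lo", negate={"iif"}, log_prefix="INPUT DROP ")],
    "MULTICAST": [
        Rule("ACCEPT", proto="udp", dport=1900),
        Rule("LOG", log_prefix="MULTICAST DROP "),
        Rule("DROP"),
    ],
}

# Constructed packets: the SSDP datagram from the post, and an mDNS one the
# MULTICAST chain does not allow.
SSDP = Packet(iif="lan", oif="", src="10.20.30.38", dst="239.255.255.250", proto="udp", dport=1900)
MDNS = Packet(iif="lan", oif="", src="10.20.30.38", dst="224.0.0.251", proto="udp", dport=5353)

if __name__ == "__main__":
    for name, chains in (("posted", POSTED), ("fixed", FIXED)):
        for pkt in (SSDP, MDNS):
            verdict, log = filter_input(chains, pkt)
            print(f"{name:6s} dport={pkt.dport}: {verdict}, logged as {[l.split('IN=')[0] for l in log]}")
```

With the posted order the SSDP packet is logged under both "DROP" prefixes and then ACCEPTed, exactly the two journal lines in the post (same SRC, same ID); with the log rules moved, a prefix that says DROP is only ever written for a packet that is about to be dropped. Whatever the rule order, the authoritative check on a real box is `iptables -L INPUT -v -n` and `iptables -L MULTICAST -v -n`: the pkts/bytes counters on the ACCEPT and DROP lines say what happened, the log prefix does not.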