Re: Interaction of Ethereal and iptables
On Sun, 2004-04-11 at 01:38, Jay Levitt wrote:
I'm occasionally seeing lines like the following, always to the same
machine which is on my internal network:
Apr 11 01:11:52 linux kernel: Rejected output by default:IN= OUT=eth0 SRC=192.168.1.150 DST=192.168.1.151 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=30662 DF PROTO=TCP SPT=993 DPT=3736 WINDOW=6432 RES=0x00 ACK FIN URGP=0
This corresponds to a LOG and then a DROP rule. So I set up Ethereal
to capture the packet trace. I didn't see the packet there, so I
changed the DROP to an ACCEPT, assuming that iptables is probably
dropping the outbound packet before Ethereal (ok, libpcap) can see
it.
The weird thing is - even with just a LOG/ACCEPT rule, the packet is
STILL missing from Ethereal's trace! All other packets from that time
frame are there, but this particular one isn't. Could iptables be
imagining it somehow? I'm using libpcap 0.7.2, which was current till
a few days ago... I've done an iptables --list OUTPUT and verified
that the last item on the OUTPUT chain is an ACCEPT of all packets,
although the default policy is still technically DROP.
<snip>
Is there any chance it is being dropped by some other rule before it
hits the accept rule? If you add a log rule just in front of the ACCEPT
rule, is the packet still logged?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
iscs.sourceforge.net
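The check the thread turns on is whether a packet that iptables LOGged ever reached libpcap. The following is an added example, not code from either poster: it parses the ipt_LOG line format quoted above (the "KEY=VALUE" fields plus bare flag tokens such as DF, ACK and FIN) and looks the logged packet up in a capture by 5-tuple, IP ID and TCP flags. The log line is the one from the thread; the capture list and the function names are constructed for the example and are not from Ethereal or any real trace.

```python
import re
from dataclasses import dataclass

# Constructed sample: the kernel LOG line quoted in the thread, as it
# appears in /var/log/messages with the syslog timestamp and host.
SAMPLE_LOG = (
    "Apr 11 01:11:52 linux kernel: Rejected output by default:IN= OUT=eth0 "
    "SRC=192.168.1.150 DST=192.168.1.151 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=30662 DF PROTO=TCP SPT=993 DPT=3736 WINDOW=6432 RES=0x00 ACK FIN URGP=0"
)

# Constructed capture: neighbouring packets of the same IMAPS (993) session
# as a sniffer would list them, deliberately WITHOUT the logged packet
# (IP ID 30662).  Tuple layout: proto, src, sport, dst, dport, ip_id, tcp flags.
SAMPLE_CAPTURE = [
    ("TCP", "192.168.1.151", 3736, "192.168.1.150", 993, 41233, {"ACK", "FIN"}),
    ("TCP", "192.168.1.150", 993, "192.168.1.151", 3736, 30661, {"ACK"}),
    ("TCP", "192.168.1.151", 3736, "192.168.1.150", 993, 41234, {"ACK"}),
]

KV_RE = re.compile(r"([A-Z]+)=(\S*)")
IP_FLAGS = {"CE", "DF", "MF"}  # IP-header bits ipt_LOG prints as bare tokens; not TCP flags


@dataclass
class LogRecord:
    prefix: str   # the --log-prefix text, e.g. "Rejected output by default:"
    fields: dict  # KEY=VALUE pairs: IN, OUT, SRC, DST, PROTO, SPT, DPT, ID, ...
    flags: set    # bare tokens: CE/DF/MF plus TCP flags such as SYN, ACK, FIN, RST


def parse_netfilter_log(line: str) -> LogRecord:
    """Split an ipt_LOG line into its prefix, KEY=VALUE fields and bare flag tokens."""
    head, sep, body = line.partition("IN=")
    if not sep:
        raise ValueError("not a netfilter LOG line: %r" % line)
    # Everything after "kernel: " and before "IN=" is the --log-prefix.
    prefix = head.split("kernel: ", 1)[-1].strip()
    fields, flags = {}, set()
    for tok in ("IN=" + body).split():
        m = KV_RE.fullmatch(tok)
        if m:
            fields[m.group(1)] = m.group(2)  # "" for IN= on locally generated packets
        else:
            flags.add(tok)
    return LogRecord(prefix, fields, flags)


def flow_key(rec: LogRecord):
    """5-tuple of the logged packet, in the direction netfilter saw it."""
    f = rec.fields
    return (f["PROTO"], f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))


def tcp_flags(rec: LogRecord):
    """Only the TCP flag tokens, with the IP-header bits removed."""
    return rec.flags - IP_FLAGS


def find_in_capture(rec: LogRecord, capture):
    """Captured packets that are the logged packet: same 5-tuple, IP ID and
    TCP flags.  An empty result means the packet was logged but never captured."""
    want = (flow_key(rec), int(rec.fields["ID"]), tcp_flags(rec))
    return [p for p in capture if ((p[0], p[1], p[2], p[3], p[4]), p[5], p[6]) == want]
```

Run against the constructed capture, `find_in_capture` returns nothing for the logged FIN/ACK from port 993, which is the situation described in the thread. On Linux this outcome is expected whenever the packet is dropped in the OUTPUT or POSTROUTING chains: the packet socket tap that libpcap uses for outbound traffic sits in the device transmit path, after those hooks, so a packet discarded by any rule earlier than the final ACCEPT is logged but never captured. To find which rule consumed it, `iptables -L OUTPUT -v -n --line-numbers` shows per-rule packet counters alongside the rule positions, which is the quickest way to confirm or rule out the earlier-rule explanation raised in the reply.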