[H-GEN] weird iptables problem
Johann
johann at spot-the-dog.com
Tue Apr 22 18:52:01 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Hi all,
I have setup a relatively simple gateway machine (redhat
8.0, latest updates) that also acts as a mail server. DNS works fine
can ping any valid address, sendmail is configured and sending and
receiving email, internal clients can surf through a squid proxy.
However when I start iptables, even with a default setting only for
masquerading, and all policies set to accept, from the gateway machine I
can no longer ping eth0, eth1 or lo, but I can ping any other valid
address, sendmail is no longer accessible from the gateway machine
(error message just indicates that the email client is being denied
access to the sendmail port. I'm not too sure about the internal network
at this stage as I can't get access to a machine to test it).
The error I get when pinging is:
ping: sendmsg: Operation not permitted
which seems to me that iptables is filtering and dropping the packets.
In case I had accidentally added something to the ruleset, I cut things
down to the following rules, which should allow everything and set up
masquerading
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
followed by
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
eth0 is the internal interface and eth1 is the external interface.
I quickly tried logging, with
/sbin/iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
/sbin/iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
but could not make much sense of it, an example is:
Apr 23 01:56:54 lnxsrv kernel: INPUT_DROP: IN=eth1 OUT=
MAC=00:05:5d:6b:72:7e:00:03:4b:ac:90:15:08:00
SRC=IP_ADDRESS_OF_REMOTE_MACHINE_LOGGED_IN_FROM
DST=IP_ADDRESS_OF_REMOTE_MACHINE LEN=100 TOS=0x10 PREC=0x00 TTL=47
ID=3925 DF PROTO=TCP SPT=33005 DPT=22 WINDOW=62992 RES=0x00 ACK PSH URGP=0
Apr 23 01:56:54 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth1
SRC=IP_ADDRESS_OF_REMOTE_MACHINE
DST=IP_ADDRESS_OF_REMOTE_MACHINE_LOGGED_IN_FROM
DST=IP_ADDRESS_OF_REMOTE_MACHINE LEN=100 TOS=0x10 PREC=0x00 TTL=64
ID=24765 DF PROTO=TCP SPT=22 DPT=33005 WINDOW=21504 RES=0x00 ACK PSH URGP=0
I don't even understand the logs, but it seems to me it's just dropping
packets, but I don't know why. I thought I might have stuffed up with
the iptables rule set, but I have used masq with the above rule set
before and never experienced any problems. I even reinstalled iptables
in the off chance that it had somehow not installed properly.
any suggestions would be most appreciated
thanks
Johann
--
Johann Kwiatkowski
Spot The Dog Graphics
ph: (07) 33233677
fax: (07) 33233677
mobile: 0418 797 419
web: www.spot-the-dog.com
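Added example, not part of Johann's post or of any reply: a small Python parser for the netfilter LOG-target format seen in the quoted kernel lines, plus a one-line reading of each entry. The sample lines are constructed (documentation-range addresses stand in for the placeholders in the post) and the parser expects each entry on one line, as syslog writes it. The chain is inferred from the IN=/OUT= fields: a LOG rule in INPUT leaves OUT empty, one in OUTPUT leaves IN empty, and FORWARD fills both. Two points worth keeping in mind when reading such logs: -j LOG is a non-terminating target, so a prefix such as INPUT_DROP: only says which rule logged the packet, not what later happened to it; and "ping: sendmsg: Operation not permitted" is the EPERM that the kernel returns when netfilter discards a locally generated packet on the outbound path, so OUTPUT-chain entries are the first ones to check.

```python
"""Parse netfilter LOG-target lines (as written to /var/log/messages) and explain them."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the lines quoted in the post; the
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Apr 23 01:56:54 lnxsrv kernel: INPUT_DROP: IN=eth1 OUT= MAC=00:05:5d:6b:72:7e:00:03:4b:ac:90:15:08:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=100 TOS=0x10 PREC=0x00 TTL=47 ID=3925 DF PROTO=TCP SPT=33005 DPT=22 WINDOW=62992 RES=0x00 ACK PSH URGP=0
Apr 23 01:56:54 lnxsrv kernel: OUTPUT_DROP: IN= OUT=eth1 SRC=192.0.2.5 DST=203.0.113.10 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=24765 DF PROTO=TCP SPT=22 DPT=33005 WINDOW=21504 RES=0x00 ACK PSH URGP=0
Apr 23 01:57:10 lnxsrv kernel: OUTPUT_DROP: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)(?P<body>IN=.*)$")


@dataclass
class LogEntry:
    prefix: str
    ip: Dict[str, str] = field(default_factory=dict)    # IN, OUT, SRC, DST, TTL, ID, PROTO ...
    l4: Dict[str, str] = field(default_factory=dict)    # SPT/DPT (TCP/UDP) or TYPE/CODE/ID/SEQ (ICMP)
    ip_flags: List[str] = field(default_factory=list)   # valueless IP tokens: DF, MF, CE
    l4_flags: List[str] = field(default_factory=list)   # valueless TCP tokens: SYN, ACK, PSH, FIN, RST, URG

    @property
    def chain(self) -> str:
        """Built-in chain that produced the line, inferred from IN/OUT."""
        has_in, has_out = bool(self.ip.get("IN")), bool(self.ip.get("OUT"))
        if has_in and has_out:
            return "FORWARD"
        if has_in:
            return "INPUT"
        if has_out:
            return "OUTPUT"
        return "UNKNOWN"


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a netfilter LOG line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = LogEntry(prefix=m.group("prefix").strip())
    in_l4 = False  # flips to True once PROTO= is seen; later tokens describe the transport header
    for token in m.group("body").split():
        if "=" in token:
            key, val = token.split("=", 1)
            (entry.l4 if in_l4 else entry.ip)[key] = val
            if key == "PROTO":
                in_l4 = True
        elif in_l4:
            entry.l4_flags.append(token)
        else:
            entry.ip_flags.append(token)
    return entry


def describe(entry: LogEntry) -> str:
    """One-line human reading of an entry."""
    proto = entry.ip.get("PROTO", "?")
    src, dst = entry.ip.get("SRC"), entry.ip.get("DST")
    if proto in ("TCP", "UDP"):
        detail = f"{proto} {src}:{entry.l4.get('SPT')} -> {dst}:{entry.l4.get('DPT')}"
        if entry.l4_flags:
            detail += " [" + " ".join(entry.l4_flags) + "]"
    elif proto == "ICMP":
        detail = f"ICMP type {entry.l4.get('TYPE')}/{entry.l4.get('CODE')} {src} -> {dst}"
    else:
        detail = f"{proto} {src} -> {dst}"
    iface = entry.ip.get("IN") or entry.ip.get("OUT")
    return f"{entry.chain} chain, interface {iface}: {detail} (prefix '{entry.prefix}')"


def summarize(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Count entries per (chain, protocol, destination port or ICMP type)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.chain, e.ip.get("PROTO", "?"), e.l4.get("DPT") or e.l4.get("TYPE") or "-")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        parsed = parse_line(raw)
        if parsed:
            print(describe(parsed))
    print(summarize(SAMPLE_LOG))
```

To use it on a real box, feed the relevant lines from /var/log/messages to parse_line (for example `grep 'kernel:.*IN=' /var/log/messages`) and look at the summarize() counts: an OUTPUT entry for every packet the gateway tries to send, including ones on lo, points at the outbound path rather than at incoming traffic.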
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/