[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netfilter
Subject:    RE: why does this packet not match these rules?
From:       "Jason Opperisano" <Jopperisano () alphanumeric ! com>
Date:       2004-08-30 18:50:12
Message-ID: D5C9032B2B09C64EA2409D6214E91AC9051301 () asimail2 ! alphanumeric ! com
[Download RAW message or body]

> Hi,
> 
> I have these rules in my iptables script (iptables -L -v -n):
> 
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target     prot opt in     out     source
> destination
> 
> 16955 5070K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
> 
> 35895  278M out_lan    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
> 
> 16M 3830M out_internet  all  --  *      ppp0    x.x.x.x       0.0.0.0/0
> 
> 0     0 ACCEPT     all  --  *      *       0.0.0.0/0           0.0.0.0/0
> state RELATED
> 
> 26649 1534K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 0 level 4 prefix `OUT-unknown:'
> 
> 28209 1621K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> 
> (where x.x.x.x is my ip), and yet these packets are being logged:
> 
> ... OUT-unknown:IN= OUT=ppp0 SRC=x.x.x.x DST=y.y.y.y LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=45650 DF PROTO=TCP SPT=43257 DPT=4662 WINDOW=4383 RES=0x00 SYN
> URGP=0
> 
> surely this should match rule 3 (src=x.x.x.x, out=ppp0) and be handled by
> out_internet?

it probably does.  the question is:  does the packet actually match anything in \
"out_internet?"  if it doesn't, the packet will continue on down the list until it \
hits your log rule.

show us:  iptables -vnL out_internet

-j


[prev in list] [next in list] [prev in thread] [next in thread]