[clue-tech] forwarded packets not matching any iptables rules?
David L. Anselmi
anselmi at anselmi.us
Sun Aug 27 13:26:03 MDT 2006
Jim Ockers wrote:
[...]
> It seems that my problem below is timing or sequence.
> http://marc.theaimsgroup.com/?l=netfilter&m=112878199509625&w=2
>
> It seems that IF:
> 1. the interface comes up
> 2. a UDP packet is seen right away
> 3. subsequently to (2) the iptables rules are configured
>
> THEN
> the UDP packets will not get processed by iptables.
So you can configure iptables first and then bring up eth0 and eth1,
right? The 3. above always happens before 2. Does that help?
Your link says something about some packets getting through anyway but
that doesn't make sense to me.
> The conntrack userspace tool requires 2.6.13 or newer kernel, or
> something. Of course I need it to work for 2.4.22. Is there another
> way (besides rebooting) to flush ip_conntrack?
Perhaps downing both interfaces? Just a guess. But if you unload the
conntrack module I'd think you'd want the interfaces down anyway to
prevent the above sequence from happening when reloading it.
Can you skip using connection tracking? That prevents you from using
--state rules.
You might be able to spoof some RST packets, which is supposed to drop
the conntrack timeout to 10 sec. That's a kludge though and may not
actually help.
This says there's a patch in netfilter that will disable conntrack for a
src/dst:
http://lists.sans.org/pipermail/unisog/2005-August/025039.html
Maybe that will help?
Dave
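Since the conntrack userspace tool is not available on a 2.4 kernel, the table can be audited directly from /proc/net/ip_conntrack. The following is an added example (not from the thread or the netfilter project): it parses the 2.4-era table format as I understand it (proto, proto number, timeout, original-direction tuple, optional [UNREPLIED], reply tuple) and flags UDP entries that the current ruleset would not admit as NEW, which on a pure forwarding box is the fingerprint of the ordering problem Jim describes. The sample table and the allowed-traffic policy are constructed placeholders.

```python
import re

# Constructed sample of /proc/net/ip_conntrack (assumed 2.4-era layout; not real data).
SAMPLE_CONNTRACK = """\
udp      17 170 src=10.0.0.2 dst=10.0.0.1 sport=1025 dport=53 src=10.0.0.1 dst=10.0.0.2 sport=53 dport=1025 use=1
udp      17 29 src=192.0.2.7 dst=10.0.0.1 sport=40000 dport=161 [UNREPLIED] src=10.0.0.1 dst=192.0.2.7 sport=161 dport=40000 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=33000 dport=22 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=33000 [ASSURED] use=1
"""

# Hypothetical policy mirroring a ruleset that only accepts NEW UDP to port 53
# from 10.0.0.0/8; adjust to match the real rules being audited.
ALLOWED_UDP_DPORTS = {53}
TRUSTED_SRC_PREFIX = "10."

# The first src/dst/sport/dport group on a line is the original direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Return one dict per entry with protocol, timeout, original tuple and reply state."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        match = TUPLE_RE.search(line)
        if len(fields) < 3 or not match:
            continue  # blank or unrecognised line
        src, dst, sport, dport = match.groups()
        entries.append({
            "proto": fields[0],
            "timeout": int(fields[2]),
            "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport),
            "unreplied": "[UNREPLIED]" in line,
        })
    return entries


def permitted_as_new(entry):
    """Would the current (hypothetical) ruleset have accepted this flow as NEW?"""
    return (entry["dport"] in ALLOWED_UDP_DPORTS
            and entry["src"].startswith(TRUSTED_SRC_PREFIX))


def stale_udp_entries(text):
    """UDP entries the rules would not admit: on a forwarding-only box these are
    likely flows that were confirmed before the rules were loaded."""
    return [e for e in parse_conntrack(text)
            if e["proto"] == "udp" and not permitted_as_new(e)]
```

Run it against the real table with `stale_udp_entries(open("/proc/net/ip_conntrack").read())`; a non-empty result after the rules are in place is the cue to take the interfaces down and reload ip_conntrack, as suggested above.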