[clue-tech] forwarded packets not matching any iptables rules?
David L. Anselmi
anselmi at anselmi.us
Tue Aug 29 19:31:01 MDT 2006
Jim Ockers wrote:
> David L. Anselmi wrote:
[...]
> I don't understand your statement. Here's what I observed happening:
> If the iptables rules are configured before the UDP packet is seen,
> then that UDP traffic is properly processed by iptables. If the
> UDP packet is seen before iptables is configured, then the UDP traffic
> is NOT properly processed by iptables.
At some point in time your eth0 and eth1 interfaces are configured and
brought up. Later your iptables rules are configured. Your problem is
that a packet comes in before iptables is ready for it. So just reverse
the order--set up iptables first then bring up eth0 and eth1. If they
are down no packets get to iptables.
[...]
>>You might be able to spoof some RST packets, which is supposed to drop
>>the conntrack timeout to 10 sec. That's a kludge though and may not
>>actually help.
>
> RST would only affect TCP I think. UDP, being connectionless, does not
> have the notion of RST.
Yes, you're right of course. Even though the connection tracking module
works on UDP. :-P
[...]
> As a semi-permanent workaround I made my application wait 5 minutes
> after power-on before it starts spewing forth the UDP traffic. That
> way the firewall system should have enough time to initialize (assuming
> they are both powered on at the same time) before it sees its first
> UDP packet.
Glad you got it to work. Don't forget to take the workaround out when
you get 2.6 and the conntrack utility. But it would be interesting to
see if you can set up the firewall before turning on its interfaces.
That's the way firewalls should work most times anyway, I think, though
I've never beat on one hard enough to know how much difference it makes.
Dave
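The ordering Dave suggests, as an added example (this script is not from the thread, not from either poster, and not tied to their actual rule set): every iptables command, and the forwarding switch, runs while eth0/eth1 are still down, so the first UDP datagram the kernel ever sees already hits a populated ruleset. The interface names, the UDP port 5000, the MASQUERADE line and the direction of the flow (LAN to WAN) are assumptions for illustration only. The script emits the bring-up sequence as a plan, checks the ordering invariant over that plan, and only then executes it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed values:
# eth0 is the inside interface, eth1 the outside one, and the application's
# UDP stream goes out on port 5000. Adjust before use.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
UDP_PORT=${UDP_PORT:-5000}

# Emit the bring-up sequence, one command per line, in the order it must run:
# forwarding off -> default DROP policies -> rules -> links up -> forwarding on.
# Nothing can reach the FORWARD chain before the rules are in place because the
# interfaces that would deliver the frame are still down.
bringup_plan() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport $UDP_PORT -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
ip link set $LAN_IF up
ip link set $WAN_IF up
sysctl -w net.ipv4.ip_forward=1
EOF
}
# On a 2.6 box with conntrack-tools installed, a "conntrack -F" between the
# last iptables line and the first "ip link set ... up" would also discard any
# stale entries left over from a previous run of the script.

# Ordering invariant: no interface comes up, and forwarding is not switched
# on, before the last rule has been loaded. Returns 0 when the plan is sane.
plan_is_ordered() {
    bringup_plan | awk '
        /^ip link set .* up$/           { seen_up = 1 }
        /^sysctl -w net.ipv4.ip_forward=1$/ { fwd_on = 1 }
        /^iptables /                    { if (seen_up || fwd_on) bad = 1 }
        END                             { exit bad ? 1 : 0 }'
}

# Execute the plan line by line (needs root). DRY_RUN=1 only prints it.
apply_plan() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        bringup_plan
    else
        bringup_plan | sh -e
    fi
}

# Run only when explicitly asked, so sourcing the file for inspection is safe.
if [ "${RUN_NOW:-0}" = 1 ]; then
    plan_is_ordered || { echo "refusing: plan brings a link up before the rules" >&2; exit 1; }
    apply_plan
fi
```

Usage: `DRY_RUN=1 RUN_NOW=1 sh firewall-bringup.sh` prints the sequence; `RUN_NOW=1 sh firewall-bringup.sh` as root applies it. On a distribution that brings interfaces up from its own init scripts, this has to run before those, or the interface scripts have to be changed to call it first; otherwise a datagram can still slip in between link-up and rule load, which is exactly the window the workaround in the thread papers over.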