Hi,

I'm experiencing the most perplexing problem with iptables on CentOS 5.2. I'm hoping someone can point out what I must be missing here.

I have memcached set up on several nodes on an internal network. I have the following rules set up to allow traffic between memcached nodes:

IPTABLES -A INPUT -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -j ACCEPT
IPTABLES -A FORWARD -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -j ACCEPT
IPTABLES -A OUTPUT -o bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -j ACCEPT
IPTABLES -A FORWARD -o bond0 -p tcp -m tcp -s 192.168.1.0/24 -d 192.168.1.0/24 --dport 11211 -j ACCEPT

And yet, iptables continues to drop memcached packets. It appears to simply skip these rules and fall through to the default CATCH-ALL policy. Here are some iptables log messages notifying of the dropped packets:

Dec 12 20:33:53 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=47567 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:33:59 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=47771 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:34:00 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=35600 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:34:12 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=52823 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:34:40 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=44946 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:34:42 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=45046 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:37:40 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=58825 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:37:49 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=44183 WINDOW=0 RES=0x00 RST URGP=0

I am not seeing anything like this with any of the other filtered ports in my ruleset. Is there something obvious here that I am just missing? Or am I running into a possible kernel bug of some sort?

Thanks in advance for any insights.
Filipe Brandenburger
2008-Dec-12 22:33 UTC
[CentOS] CentOS 5.2 + iptables + memcached Problem
Hi,

On Fri, Dec 12, 2008 at 15:45, Art Age Software <artagesw at gmail.com> wrote:
> IPTABLES -A XXX -i bond0 -p tcp -m tcp -s 192.168.1.0/24 -d
> 192.168.1.0/24 --dport 11211 -j ACCEPT

> Dec 12 20:33:53 s1 kernel: DROP -- Catch All: IN= OUT=bond0
> SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0
> DF PROTO=TCP SPT=11211 DPT=47567 WINDOW=0 RES=0x00 RST URGP=0

The packets it's dropping are with *source* port 11211, they are the replies. Either configure your firewall in stateful mode (-m state, --state NEW, --state ESTABLISHED, etc.) or add rules to allow the replies from that source port.

HTH,
Filipe
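The diagnosis above can be checked mechanically against the kernel log. The script below is an added example written for this thread, not code posted by either participant: it parses netfilter LOG lines of the exact shape quoted above, classifies each dropped packet as a memcached request (DPT=11211) or a reply (SPT=11211), and evaluates two simplified rule definitions against it: the original poster's OUTPUT rule, which only matches --dport 11211, and a reply rule matching --sport 11211 as Filipe suggests. The sample log is constructed for the example (two lines copied from the thread plus one invented SYN request for contrast), and the rule evaluator models only the interface, protocol, network and port matches, not conntrack state.

```python
import ipaddress
import re

# Constructed sample input: two DROP lines copied from the thread and one
# invented request packet (SPT=41000, DPT=11211, SYN) so both directions appear.
SAMPLE_LOG = """\
Dec 12 20:33:53 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=47567 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:34:12 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.4 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=11211 DPT=52823 WINDOW=0 RES=0x00 RST URGP=0
Dec 12 20:35:01 s1 kernel: DROP -- Catch All: IN= OUT=bond0 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41000 DPT=11211 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# KEY=value pairs emitted by the netfilter LOG target; IN= may have an empty value.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
MEMCACHED_PORT = 11211

# Simplified rule definitions (hypothetical names, mirroring the thread's rules).
OP_OUTPUT_RULE = dict(out="bond0", proto="TCP", src="192.168.1.0/24",
                      dst="192.168.1.0/24", dport=MEMCACHED_PORT)
REPLY_RULE = dict(out="bond0", proto="TCP", src="192.168.1.0/24",
                  dst="192.168.1.0/24", sport=MEMCACHED_PORT)


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict of fields; None if not a kernel line."""
    if "kernel:" not in line:
        return None
    _, _, body = line.partition("kernel:")
    pkt = {key: value for key, value in KV_RE.findall(body)}
    # Bare tokens such as RST or SYN are the TCP flags; DF is not a flag.
    pkt["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    # Everything before IN= is the --log-prefix ("DROP -- Catch All:").
    pkt["PREFIX"] = body.split("IN=")[0].strip()
    for key in ("SPT", "DPT", "LEN", "TTL"):
        if key in pkt:
            pkt[key] = int(pkt[key])
    return pkt


def rule_matches(rule, pkt):
    """Evaluate a simplified iptables match: out-interface, proto, src/dst net, ports."""
    if rule.get("out") and pkt.get("OUT") != rule["out"]:
        return False
    if rule.get("proto") and pkt.get("PROTO") != rule["proto"]:
        return False
    for key, field in (("src", "SRC"), ("dst", "DST")):
        if rule.get(key) and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(rule[key]):
            return False
    for key, field in (("sport", "SPT"), ("dport", "DPT")):
        if rule.get(key) is not None and pkt.get(field) != rule[key]:
            return False
    return True


def classify(pkt, service_port=MEMCACHED_PORT):
    """Direction of a packet relative to the service port: request, reply or other."""
    if pkt.get("DPT") == service_port:
        return "request"
    if pkt.get("SPT") == service_port:
        return "reply"
    return "other"


def audit(log_text, rules):
    """For each dropped packet, return (direction, sorted flags, names of rules that would match)."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        matched = sorted(name for name, rule in rules.items() if rule_matches(rule, pkt))
        results.append((classify(pkt), sorted(pkt["FLAGS"]), matched))
    return results


if __name__ == "__main__":
    rules = {"op_dport": OP_OUTPUT_RULE, "reply_sport": REPLY_RULE}
    for direction, flags, matched in audit(SAMPLE_LOG, rules):
        print(f"{direction:8s} flags={','.join(flags):4s} matched={matched or 'none (falls to catch-all)'}")
```

Run against the thread's own log lines, every dropped packet comes out as a reply that only the --sport rule would have accepted, which is exactly the gap Filipe points to. The more general fix, an ESTABLISHED,RELATED rule in the OUTPUT chain, covers replies for every service at once and does not need a per-port rule; this toy evaluator does not model conntrack, so it only shows the port-based variant.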