bugzilla-daemon at bugzilla.netfilter.org
2011-Mar-03 13:20 UTC
[Bug 706] Iptables randomly reject some packets that have accept rule
http://bugzilla.netfilter.org/show_bug.cgi?id=706

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jengelh at medozas.de

--- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2011-03-03 14:20:30 ---
You could have run out of memory; subsequently, a packet may not have been state-classified, remaining at INVALID. See dmesg.

Or there may just be 4 1/2 years' worth of bugs - 2.6.18 isn't exactly a model child.

Always post _complete_ rulesets - use iptables-save, never iptables -L.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Mar-04 11:19 UTC
[Bug 706] Iptables randomly reject some packets that have accept rule
http://bugzilla.netfilter.org/show_bug.cgi?id=706

--- Comment #2 from Pier Paolo Orioli <pierpaolo.orioli at gmail.com> 2011-03-04 12:19:20 ---
Hi,

I have 4GB of RAM and I'm using 50% of the RAM available, so I don't think that the problem is memory related.

I'm using CentOS 5.5, so I can't have more recent kernels; maybe I can wait for CentOS 5.6 or CentOS 6 in order to see if the bug is resolved.

Now I changed the ruleset: I no longer check for state NEW on dstport 443, and now I have no more packets rejected. The output of iptables-save is:

# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*nat
:PREROUTING ACCEPT [400212:21715803]
:POSTROUTING ACCEPT [142299:9856790]
:OUTPUT ACCEPT [142299:9856790]
COMMIT
# Completed on Fri Mar  4 12:12:40 2011
# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*mangle
:PREROUTING ACCEPT [13029733:1988375571]
:INPUT ACCEPT [13029733:1988375571]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12067768:10868389437]
:POSTROUTING ACCEPT [12067768:10868389437]
COMMIT
# Completed on Fri Mar  4 12:12:40 2011
# Generated by iptables-save v1.3.5 on Fri Mar  4 12:12:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12067768:10868389437]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 446 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 9980 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.0 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.248 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.x/255.255.255.240 -p tcp -m tcp --dport 3306 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Mar  4 12:12:40 2011

Thank you
bugzilla-daemon at bugzilla.netfilter.org
2011-Mar-05 12:54 UTC
[Bug 706] Iptables randomly reject some packets that have accept rule
http://bugzilla.netfilter.org/show_bug.cgi?id=706

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #3 from Jan Engelhardt <jengelh at medozas.de> 2011-03-05 13:54:55 ---
> I no longer check for state NEW on dstport 443, and now I have no more packets rejected

Hm, that would support the theory of packets being possibly INVALID. You can test this specifically by adding a rule in that location with

-m conntrack --ctstate INVALID -p tcp --dport 443 -j LOG --log-prefix "inv-443: "

or something like that.
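The two checks suggested in the thread, as an added example that is not part of the bug report or of netfilter's own tooling: comment #1 says to look in dmesg for the conntrack table running out of room, and comment #3 says to put a LOG rule for INVALID tcp/443 packets at the position of the plain "--dport 443 -j ACCEPT" rule. The script below works on a copy of the iptables-save text, so it needs no root and runs anywhere; the sample ruleset and sample dmesg lines are constructed from the thread, the generated iptables command is what you would then run on the box, and the function names (rule_position, invalid_log_cmd, conntrack_overflow_seen, conntrack_usage) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Works on iptables-save text so it can
# be run without root; only conntrack_usage looks at a live kernel.

# Constructed sample: the filter chain from comment #2, abridged to the rules
# that matter for the position calculation.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample dmesg output. The overflow message is what comment #1 is
# pointing at; 2.6.18 logs it as ip_conntrack, later kernels as nf_conntrack.
SAMPLE_DMESG_BAD='ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.'
SAMPLE_DMESG_OK='eth0: link up'

# rule_position CHAIN PATTERN RULESET
# Prints the 1-based index, as "iptables -I CHAIN N" counts it, of the first
# rule in CHAIN whose text matches the extended regex PATTERN; prints nothing
# if no rule matches.
rule_position() {
    printf '%s\n' "$3" | grep "^-A $1 " | grep -En -- "$2" | head -n 1 | cut -d: -f1
}

# invalid_log_cmd CHAIN PORT RULESET
# Builds the iptables command that inserts the LOG rule for INVALID tcp packets
# to PORT at the index of the plain "--dport PORT -j ACCEPT" rule, i.e. just
# before it, so anything INVALID that rule would accept is logged first.
# Returns 1 if the chain has no such ACCEPT rule.
invalid_log_cmd() {
    pos=$(rule_position "$1" "^-A $1 -p tcp -m tcp --dport $2 -j ACCEPT\$" "$3")
    [ -n "$pos" ] || return 1
    printf 'iptables -I %s %s -p tcp --dport %s -m conntrack --ctstate INVALID -j LOG --log-prefix "inv-%s: "\n' \
        "$1" "$pos" "$2" "$2"
}

# conntrack_overflow_seen DMESG_TEXT
# Returns 0 if the kernel logged a full conntrack table. A packet that arrives
# while the table is full gets no entry, so it is not ESTABLISHED and cannot
# become NEW either; it is classified INVALID, which is the theory in comment #1.
conntrack_overflow_seen() {
    printf '%s\n' "$1" | grep -Eq '(ip|nf)_conntrack: table full, dropping packet'
}

# conntrack_usage
# On a live box, prints "count/max" from whichever conntrack sysctl tree exists
# (ip_conntrack on 2.6.18-era kernels, nf_conntrack on newer ones). Prints
# nothing and returns 1 if neither exists, e.g. conntrack not loaded or not Linux.
conntrack_usage() {
    for d in /proc/sys/net/netfilter /proc/sys/net/ipv4/netfilter; do
        for n in nf_conntrack ip_conntrack; do
            if [ -r "$d/${n}_count" ] && [ -r "$d/${n}_max" ]; then
                printf '%s/%s\n' "$(cat "$d/${n}_count")" "$(cat "$d/${n}_max")"
                return 0
            fi
        done
    done
    return 1
}

# Demonstration on the constructed samples.
invalid_log_cmd RH-Firewall-1-INPUT 443 "$SAMPLE_RULESET"
conntrack_overflow_seen "$SAMPLE_DMESG_BAD" && echo "conntrack overflow logged: packets may be INVALID"
conntrack_overflow_seen "$SAMPLE_DMESG_OK" || echo "no conntrack overflow in this dmesg"
conntrack_usage || echo "no conntrack sysctl tree here (not a live netfilter box)"
```

On the box itself, feed it the real dump (`invalid_log_cmd RH-Firewall-1-INPUT 443 "$(iptables-save)"`) and run the printed command; the "inv-443:" lines then show up in dmesg or /var/log/messages with the offending packets. The rule must sit before the ACCEPT it tests, which is why the index is computed rather than appended with -A. If the iptables build lacks the conntrack match, `-m state --state INVALID` is the equivalent older spelling. A count close to max from conntrack_usage, or the overflow message in dmesg, confirms the memory theory; if neither shows up, the INVALID packets have another cause (out-of-window segments, for instance), but the LOG rule identifies them either way.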