bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-08 18:13 UTC
[Bug 613] New: iptables not accepting RELATED, ESTABLISHED udp packets
http://bugzilla.netfilter.org/show_bug.cgi?id=613
Summary: iptables not accepting RELATED,ESTABLISHED udp packets
Product: iptables
Version: unspecified
Platform: All
OS/Version: other
Status: NEW
Severity: normal
Priority: P1
Component: iptables
AssignedTo: laforge at netfilter.org
ReportedBy: bugzilla at jakemagee.com
My system sends out a UDP packet (snmptrap) to a server and expects to get a
UDP packet back (snmptrap -Ci). However, the return UDP packet never reaches
the system (it is dropped). I have the following rule set in the INPUT filter
table:
iptables -t filter -I INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
I see the following in my blocked log:
INPUT DROP: IN=ppp0 OUT= MAC= SRC=63.97.78.114 DST=70.218.8.48 LEN=134 TOS=0x00
PREC=0x00 TTL=113 ID=3422 PROTO=UDP SPT=4876 DPT=48204 LEN=114
And from /proc/net/ip_conntrack:
udp 17 57 src=70.218.8.48 dst=63.97.78.114 sport=41329 dport=162 packets=1
bytes=135 [UNREPLIED] src=63.97.78.114 dst=70.218.8.48 sport=162 dport=41329
packets=0 bytes=0 mark=0 use=2
TCP packets seem to work fine. I originally thought that this was simply a
limitation of using UDP packets, but after reading this
http://www.linuxtopia.org/Linux_Firewall_iptables/x1544.html, I feel that
RELATED,ESTABLISHED UDP packets should work with iptables. I have verified
that the sent UDP packet was sent successfully and that the returned UDP packet
has the dport set to the original sent packet's sport. Is this a bug or is my
rule incorrect?
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-15 14:50 UTC
[Bug 613] iptables not accepting RELATED,ESTABLISHED udp packets
http://bugzilla.netfilter.org/show_bug.cgi?id=613
------- Comment #1 from kernel at linuxace.com 2009-10-15 16:50 -------
Did you actually read the log entry for the blocked packet?
> SPT=4876 DPT=48204
vs your SNMP packet:
src=63.97.78.114 dst=70.218.8.48 sport=162 dport=41329
The ports do not match AT ALL, so this is expected behaviour.
bugzilla-daemon at bugzilla.netfilter.org
2009-Oct-15 16:08 UTC
[Bug 613] iptables not accepting RELATED,ESTABLISHED udp packets
http://bugzilla.netfilter.org/show_bug.cgi?id=613
bugzilla at jakemagee.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Comment #2 from bugzilla at jakemagee.com 2009-10-15 18:08 -------
I did read the log entry, however, I was unaware at the time of how ESTABLISHED
and RELATED states worked. I actually figured this out just last night and had
not gotten around to updating and closing this ticket.
On top of this, I was also dealing with the fact that snmptrap sends out udp
packets with random src ports (each call sends a packet with a different
sport). I have not figured out if there is a way to ACCEPT packets based on
"random" dports (the sport value that a previous packet was sent with).
Could you possibly suggest a topic to read on accomplishing this?
Thanks
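To make the point in Comment #1 concrete, and to answer the question in Comment #2 about replies to random source ports, here is an added example in Python that is not part of the bug report or of netfilter. It parses the /proc/net/ip_conntrack line and the LOG line quoted in the report, classifies the logged packet the way conntrack would (ESTABLISHED only if it matches an entry's reply tuple), and shows that an entry created for an outbound datagram already expects the reply on whatever random sport was used. The function names, the second (genuine reply) log line and the simplified state model (no timeouts, no protocol helpers, so RELATED is never produced) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example, not from the bug report or netfilter. It models how conntrack
# matches a packet against the original/reply tuples in /proc/net/ip_conntrack,
# which is what "-m state --state ESTABLISHED,RELATED" actually tests.
# Assumptions: no timeouts, no helpers (so RELATED never occurs), UDP only.

# Constructed sample input: the first LOG line and the conntrack line are taken
# from the bug report; the second LOG line is invented to show what the real
# reply to the snmptrap datagram would look like.
LOG_LINES = [
    "INPUT DROP: IN=ppp0 OUT= MAC= SRC=63.97.78.114 DST=70.218.8.48 LEN=134 TOS=0x00 "
    "PREC=0x00 TTL=113 ID=3422 PROTO=UDP SPT=4876 DPT=48204 LEN=114",
    "INPUT DROP: IN=ppp0 OUT= MAC= SRC=63.97.78.114 DST=70.218.8.48 LEN=134 TOS=0x00 "
    "PREC=0x00 TTL=113 ID=3423 PROTO=UDP SPT=162 DPT=41329 LEN=114",  # hypothetical
]
CONNTRACK_LINES = [
    "udp 17 57 src=70.218.8.48 dst=63.97.78.114 sport=41329 dport=162 packets=1 "
    "bytes=135 [UNREPLIED] src=63.97.78.114 dst=70.218.8.48 sport=162 dport=41329 "
    "packets=0 bytes=0 mark=0 use=2",
]


@dataclass(frozen=True)
class ConntrackEntry:
    original: tuple   # (proto, src, dst, sport, dport) as first seen
    reply: tuple      # same 5-tuple with addresses and ports swapped
    unreplied: bool   # True until a packet in the reply direction is seen


TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")


def parse_conntrack_line(line):
    """Parse one /proc/net/ip_conntrack line into its original and reply tuples."""
    proto = line.split()[0]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    return ConntrackEntry(
        original=(proto, osrc, odst, int(osp), int(odp)),
        reply=(proto, rsrc, rdst, int(rsp), int(rdp)),
        unreplied="[UNREPLIED]" in line,
    )


def entry_for_outbound(proto, src, dst, sport, dport):
    """Entry conntrack creates when the host sends the first datagram.

    The reply tuple is the original mirrored, so whatever random sport
    snmptrap picked, a reply to exactly that port is already expected.
    """
    return ConntrackEntry(
        original=(proto, src, dst, sport, dport),
        reply=(proto, dst, src, dport, sport),
        unreplied=True,
    )


def parse_log_line(line):
    """Extract the 5-tuple from an iptables LOG line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("no SRC/DST/PROTO/SPT/DPT in LOG line: %r" % line)
    src, dst, proto, spt, dpt = m.groups()
    return (proto.lower(), src, dst, int(spt), int(dpt))


def conntrack_state(pkt, table):
    """Return the -m state value conntrack would assign to pkt."""
    for entry in table:
        if pkt == entry.reply:
            # The first packet back already counts as ESTABLISHED; this is
            # why UDP replies (DNS, SNMP, ...) pass an ESTABLISHED rule.
            return "ESTABLISHED"
        if pkt == entry.original:
            return "NEW" if entry.unreplied else "ESTABLISHED"
    return "NEW"  # no entry at all: conntrack would create one


def accepted_by_state_rule(pkt, table, states=("ESTABLISHED", "RELATED")):
    """Would '-m state --state ESTABLISHED,RELATED -j ACCEPT' match pkt?"""
    return conntrack_state(pkt, table) in states


def diagnose(log_line, conntrack_lines):
    """Explain a logged drop by comparing it with every expected reply tuple."""
    pkt = parse_log_line(log_line)
    table = [parse_conntrack_line(l) for l in conntrack_lines]
    state = conntrack_state(pkt, table)
    return {"packet": pkt, "state": state,
            "accepted": state in ("ESTABLISHED", "RELATED"),
            "expected_replies": [e.reply for e in table]}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(diagnose(line, CONNTRACK_LINES))
```

Running it shows the report's dropped packet (SPT=4876, DPT=48204) matching no tuple and therefore classified NEW, while a packet from port 162 to port 41329 matches the reply tuple and would be ESTABLISHED. The same mirroring applies to every snmptrap invocation: each new random sport gets its own entry, so no port-based rule for the replies is needed, only that the ESTABLISHED rule comes before the drop.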