DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5941
Posted: Tue May 06, 2008 8:28 am Post subject: specific iptables rule isn't working
I've created this rule:
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW --sport 80 -s 192.168.113.94 -j ACCEPT
but the firewall still blocks it. I guess there is a typo somewhere but I can't seem to be able to find it.
Any hints?
Thanks
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
di1bert l33t
Joined: 16 May 2002 Posts: 963 Location: Oslo, Norway
Posted: Tue May 06, 2008 10:00 am Post subject:
Can you paste the output from syslog where the packets are getting blocked? That would help towards finding the problem.
-m
DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5941
Posted: Tue May 06, 2008 10:15 am Post subject:
di1bert wrote:
    Can you paste the output from syslog where the packets are getting blocked? That would help towards finding the problem.
    -m
Rejected: IN=eth0 OUT= MAC=full mac address here SRC=192.168.113.94 DST=192.168.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=39776 WINDOW=0 RES=0x00 RST URGP=0
The destination port changes once in a while.
di1bert l33t
Joined: 16 May 2002 Posts: 963 Location: Oslo, Norway
Posted: Tue May 06, 2008 3:14 pm Post subject:
That's a bit of a strange one. Could there be another rule higher up that's catching it before it gets to this rule?
-m
zatalian Apprentice
Joined: 27 Aug 2002 Posts: 179 Location: Gent, Belgium
Posted: Tue May 06, 2008 5:22 pm Post subject:
Are you trying to allow access to your local webserver?
In that case, the packets that arrive have a destination port of 80, not a source port of 80.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23081
Posted: Wed May 07, 2008 3:08 am Post subject:
The line from syslog shows that the dropped packet is a RST. RST packets are not NEW. They are typically ESTABLISHED, but they could be INVALID if they are spoofed or otherwise associated with a connection the kernel does not recognize.
DaggyStyle Watchman
Joined: 22 Mar 2006 Posts: 5941
Posted: Wed May 07, 2008 5:16 am Post subject:
Huh? This is how the other computer works, I cannot change it. I have an accept rule for destination port 80;
that is my third rule. The first one is accept localhost, the second is accept RELATED and ESTABLISHED, and then this rule.
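An added example, not code posted in this thread, that parses the netfilter LOG line quoted above and applies the two points zatalian and Hu make: a bare RST is never NEW, and a client reaching a local web server is matched by `--dport 80`, not `--sport 80`. The `conntrack_state_guess` function is a hypothetical simplification of the kernel's conntrack state logic, and both log lines are constructed samples.

```python
# Constructed sample: the netfilter LOG line quoted in the thread, MAC field elided.
SAMPLE_LOG = ("Rejected: IN=eth0 OUT= MAC= SRC=192.168.113.94 DST=192.168.113.10 "
              "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=39776 "
              "WINDOW=0 RES=0x00 RST URGP=0")
# Constructed sample: a client opening a connection to a web server on this host.
SYN_LOG = ("Rejected: IN=eth0 OUT= SRC=192.168.113.94 DST=192.168.113.10 "
           "PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_log(line):
    """Split a netfilter LOG line into key=value fields plus the bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def conntrack_state_guess(pkt):
    """Approximate the state the conntrack match assigns to a TCP packet with no
    existing conntrack entry. Only a SYN without ACK opens a connection (NEW); a bare
    RST, ACK or FIN is ESTABLISHED if the kernel knows the flow, otherwise INVALID.
    Hypothetical simplification: there is no conntrack table here, so non-SYN
    packets are reported as 'ESTABLISHED-or-INVALID' and never as NEW."""
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "NEW"
    return "ESTABLISHED-or-INVALID"

def rule_matches(pkt, proto, state, sport=None, dport=None):
    """Would `-p PROTO -m state --state STATE [--sport N] [--dport N]` match this packet?"""
    if pkt.get("PROTO", "").lower() != proto:
        return False
    if conntrack_state_guess(pkt) != state:
        return False
    if sport is not None and pkt.get("SPT") != str(sport):
        return False
    if dport is not None and pkt.get("DPT") != str(dport):
        return False
    return True

if __name__ == "__main__":
    rst, syn = parse_netfilter_log(SAMPLE_LOG), parse_netfilter_log(SYN_LOG)
    print("thread's rule (--sport 80, NEW) matches the logged RST:", rule_matches(rst, "tcp", "NEW", sport=80))
    print("corrected rule (--dport 80, NEW) matches a client SYN:", rule_matches(syn, "tcp", "NEW", dport=80))
```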