Re: IPTables rejecting packets that should be let through???

[Aleksandar Milivojevic <amilivojevic pbl ca>]

Aleksandar Milivojevic wrote:
> David Hoffman wrote:
>
> > Is there a way to tell the reason for rejection or the state of a
> > packet from the log entry that IPTables generates? Here is an example
> > of a log entry that I saw. AFTER valid traffic accepted, an SMTP
> > session was setup, and postfix rejected the mail with an error code, I
> > saw this message in my log:
> >
> > Apr 10 06:40:29 master kernel: IN=eth1
> > OUT=MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56
> > DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP
> > SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
> This is incoming, not outgoing packet.  It contains RST flag, that would 
> couse connection to be terminated.

Oh, and BTW, the above tells me (based on IP addresses) there is 
(probably) an NAT firewall doing DNAT before that packet hit the 
firewall on your mail server.  It might be that something got blocked on 
that upstream NAT firewall.  Another thing that I haven't mentioned in 
my previous mail is that you might have blocked some ICMP traffic that 
shouldn't be blocked (either on the machine in question or on the 
upstream NAT firewall).

--
Aleksandar Milivojevic <amilivojevic pbl ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7