IPTables rejecting packets that should be let through???
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Apr 11 14:51:27 UTC 2005
Aleksandar Milivojevic wrote:
> David Hoffman wrote:
>
>> Is there a way to tell the reason for rejection or the state of a
>> packet from the log entry that IPTables generates? Here is an example
>> of a log entry that I saw. AFTER valid traffic accepted, an SMTP
>> session was setup, and postfix rejected the mail with an error code, I
>> saw this message in my log:
>>
>> Apr 10 06:40:29 master kernel: IN=eth1 OUT=
>> MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56
>> DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP
>> SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
> This is an incoming, not an outgoing, packet. It contains the RST flag,
> which would cause the connection to be terminated.
Oh, and BTW, the above tells me (based on the IP addresses) that there is
(probably) a NAT firewall doing DNAT before that packet hit the
firewall on your mail server. It might be that something got blocked on
that upstream NAT firewall. Another thing that I haven't mentioned in
my previous mail is that you might have blocked some ICMP traffic that
shouldn't be blocked (either on the machine in question or on the
upstream NAT firewall).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca>
Systems Administrator
Tel: (204) 474-2323 ext 276
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7
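The original question was whether the reason for a drop, or the packet's conntrack state, can be read out of the log entry. Neither is in the line: the LOG target records the header fields and TCP flags shown, plus whatever --log-prefix the rule was given, and nothing else. The parser below is an added example, not code from the thread; it retypes the posted line as a constructed string, splits it into KEY=VALUE fields and bare flag tokens, and lists only what the line itself supports (direction from IN/OUT, the public-to-private addressing that suggests DNAT upstream, the RST flag, and the missing prefix). The function names and the second constructed sample line in the usage are my own.

```python
"""Parse an iptables LOG-target line and state what it does and does not tell you.

Added example, not from the mailing-list thread. SAMPLE_LINE is a constructed
copy of the entry posted in the thread; field names are those the kernel's LOG
target emits.
"""
import ipaddress
import re

# Tokens the LOG target prints without '=': TCP flags and IP fragment bits.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR", "DF", "MF", "CE"}

# Constructed copy of the line quoted in the thread (OUT= is empty: packet is inbound).
SAMPLE_LINE = (
    "Apr 10 06:40:29 master kernel: IN=eth1 OUT= "
    "MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56 "
    "DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP "
    "SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0"
)


def parse_iptables_log(line):
    """Return (prefix, fields, flags) for one LOG-target line.

    prefix: the --log-prefix text between 'kernel:' (and an optional dmesg
            timestamp) and 'IN='; empty when the rule had no prefix.
    fields: dict of KEY=VALUE tokens; an empty value such as OUT= is kept as ''.
    flags:  set of bare tokens such as RST, SYN, DF.
    """
    m = re.search(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*(?=IN=)", line)
    if not m:
        raise ValueError("not an iptables LOG line (no IN= field)")
    prefix = m.group(1).strip()
    fields, flags = {}, set()
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    return prefix, fields, flags


def describe(prefix, fields, flags):
    """List the conclusions the line itself supports, nothing more."""
    notes = []
    inn, out = fields.get("IN", ""), fields.get("OUT", "")
    if inn and not out:
        notes.append(f"inbound on {inn}, addressed to this host (INPUT path)")
    elif out and not inn:
        notes.append(f"locally generated, leaving via {out} (OUTPUT path)")
    elif inn and out:
        notes.append(f"forwarded {inn} -> {out} (FORWARD path)")

    if "SRC" in fields and "DST" in fields:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        if not src.is_private and dst.is_private:
            notes.append("public source to private destination: something "
                         "upstream is doing DNAT before this host sees the packet")

    if fields.get("PROTO") == "TCP" and "RST" in flags:
        notes.append("RST set: the peer is aborting or refusing the connection; a "
                     "reset arriving after the session was torn down no longer "
                     "matches an ESTABLISHED entry, which is typically what a "
                     "final catch-all log rule records")

    if not prefix:
        notes.append("no --log-prefix: the line does not say which rule or chain "
                     "logged it; give each LOG rule a distinct prefix")
    return notes


if __name__ == "__main__":
    for note in describe(*parse_iptables_log(SAMPLE_LINE)):
        print("-", note)
```

Run against the posted line it reports an inbound packet on eth1, a public-to-private address pair, the RST flag, and the absence of a prefix. The last point is the actionable one for a defender: until each LOG rule carries its own --log-prefix, the entry cannot be tied back to the rule that fired.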