From: Greg Russell on 13 Aug 2010 16:13

I feel we have a fairly restrictive firewall in place, but my attempts to allow DHCP from a range of IP addresses seem to fail. Using a simple script I wrote, we see:

    Resolved_Address   Packets  Bytes  Protocol(s)  Dest.Port(s)
    ....
    148.78.249.200     3        560    UDP          54366
    Totals             4        0.7KB
    for search pattern "UNSOLICITED"

The ruleset is:

    *filter
    :INPUT DROP [wlan0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i wlan0 -p udp -s 148.78.249.200/28 -m state --state NEW -j ACCEPT
    -A INPUT -i wlan0 -m state --state NEW -j LOG --log-level 7 --log-prefix UNSOLICITED:
    COMMIT

These types of drops seem to cause DNS delays fairly often. How might I fix this please?
From: Pascal Hambourg on 13 Aug 2010 16:36

Hello,

Greg Russell wrote:
> I feel we have a fairly restrictive firewall in place, but my attempts to
> allow DHCP from a range of IP addresses seem to fail.

What do you mean by "allow DHCP from a range of IP"?

> Using a simple script I wrote, we see:
>
> Resolved_Address Packets Bytes Protocol(s) Dest.Port(s)
> ...
> 148.78.249.200 3 560 UDP 54366
> Totals 4 0.7KB for search pattern "UNSOLICITED"

What does this script do? Can you send the complete messages from the LOG rule?

> The ruleset is:
>
> *filter
> :INPUT DROP [wlan0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i wlan0 -p udp -s 148.78.249.200/28 -m state --state NEW -j
> ACCEPT

Note that 148.78.249.200/28 is not a valid prefix; 148.78.249.192/28 is.

> -A INPUT -i wlan0 -m state --state NEW -j LOG --log-level 7 --log-prefix
> UNSOLICITED:
> COMMIT
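An added example, not code from either poster: a small Python script that does what Greg's summary script appears to do over kernel LOG lines carrying the "UNSOLICITED:" prefix, and also checks Pascal's point about the prefix. It canonicalises the `-s` network with the `ipaddress` module (148.78.249.200/28 normalises to 148.78.249.192/28) and flags any logged source that falls inside the supposedly allowed range, which is the case to investigate when an ACCEPT rule is expected to match. The log lines are constructed for the example, in the shape the kernel's LOG target produces.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed kernel LOG lines (not from the thread): three UDP packets from
# 148.78.249.200 summing to 560 bytes, plus one unrelated TCP packet.
SAMPLE_LOG = """\
kernel: UNSOLICITED:IN=wlan0 OUT= SRC=148.78.249.200 DST=192.0.2.10 LEN=200 PROTO=UDP SPT=67 DPT=54366 LEN=180
kernel: UNSOLICITED:IN=wlan0 OUT= SRC=148.78.249.200 DST=192.0.2.10 LEN=180 PROTO=UDP SPT=67 DPT=54366 LEN=160
kernel: UNSOLICITED:IN=wlan0 OUT= SRC=148.78.249.200 DST=192.0.2.10 LEN=180 PROTO=UDP SPT=67 DPT=54366 LEN=160
kernel: UNSOLICITED:IN=wlan0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=22 LEN=40
"""

# Non-greedy so the first LEN= (the IP total length) is the one captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?LEN=(?P<len>\d+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def canonical_network(spec):
    """Return (canonical CIDR, spec_was_already_canonical).

    iptables masks host bits off a -s/-d address, so 148.78.249.200/28 is
    applied as 148.78.249.192/28; strict=False reproduces that behaviour.
    """
    net = ipaddress.ip_network(spec, strict=False)
    return str(net), str(net) == spec


def summarize(log_text, allowed_spec, prefix="UNSOLICITED:"):
    """Aggregate LOG lines per source, like the thread's summary table."""
    allowed = ipaddress.ip_network(allowed_spec, strict=False)
    rows = defaultdict(lambda: {"packets": 0, "bytes": 0, "protos": set(),
                                "dports": set(), "allowed": False})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if prefix not in line or m is None:
            continue
        row = rows[m["src"]]
        row["packets"] += 1
        row["bytes"] += int(m["len"])
        row["protos"].add(m["proto"])
        row["dports"].add(int(m["dpt"]))
        # A logged source inside the allowed range means the ACCEPT rule
        # above the LOG rule did not match it; that is the case to chase.
        row["allowed"] = ipaddress.ip_address(m["src"]) in allowed
    return dict(rows)


if __name__ == "__main__":
    print(canonical_network("148.78.249.200/28"))
    for src, row in summarize(SAMPLE_LOG, "148.78.249.200/28").items():
        print(src, row)
```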