
Subject: CIPE 1.5.4 output bypassing iptables?
From: Joerg Dahlem <ecco,AT,europe,DOT,com>
Date: Sun, 21 Jul 2002 11:11:47 +0200

Hi,

got a problem concerning CIPE 1.5.4 and 1.5.3 with iptables from Kernel
2.4.18-5. The UDP packets _sent_ by CIPE seem to bypass the complete
firewall code. At least I am not able to catch them with rules...

I have a working CIPE connection between the two hosts .162 and .95:
01:41:29.275269 xxx.xx.xxx.95.4970 > xxx.xx.xxx.162.4975:  udp 80
01:41:30.274820 xxx.xx.xxx.162.4975 > xxx.xx.xxx.95.4970:  udp 80
01:41:30.285214 xxx.xx.xxx.95.4970 > xxx.xx.xxx.162.4975:  udp 80

The funny thing is this. It was taken while transferring data through the
VPN (working!): these are the first rules within the OUTPUT chain. eth1
is the interface connected to the internet/LAN.

# while (true); do iptables -vnxL OUTPUT | grep LOG -A1 -B2; echo; sleep 5; done
 pkts    bytes target     prot opt in     out     source               destination
    0        0            udp  --  *      *       0.0.0.0/0            xxx.xx.xxx.95      udp dpt:4970
    0        0 LOG        all  --  *      eth1   !xxx.xx.xxx.162      !192.168.111.255    LOG flags 0 level 4
80423 25904314 acct-out   all  --  *      eth1    xxx.xx.xxx.162       0.0.0.0/0

 pkts    bytes target     prot opt in     out     source               destination
    0        0            udp  --  *      *       0.0.0.0/0            xxx.xx.xxx.95      udp dpt:4970
    0        0 LOG        all  --  *      eth1   !xxx.xx.xxx.162      !192.168.111.255    LOG flags 0 level 4
80423 25904314 acct-out   all  --  *      eth1    xxx.xx.xxx.162       0.0.0.0/0

 pkts    bytes target     prot opt in     out     source               destination
    0        0            udp  --  *      *       0.0.0.0/0            xxx.xx.xxx.95      udp dpt:4970
    0        0 LOG        all  --  *      eth1   !xxx.xx.xxx.162      !192.168.111.255    LOG flags 0 level 4
80424 25904354 acct-out   all  --  *      eth1    xxx.xx.xxx.162       0.0.0.0/0

The !192.168.111.255 is in there because samba sends (normally
filtered) broadcasts to the outgoing interface which I didn't want to appear
here. Except for these broadcasts it doesn't change anything.
"acct-out" is an accounting rule. Normally the packets should drop in
there, but they don't...

PS: I left this in the firewall while writing this mail and it seems
that the cipe internal "ping" DOES create countable traffic...

 bye, Jörg
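The check the mail does by eye, as an added shell example that is not part of the original post: take two snapshots of `iptables -vnxL OUTPUT` a few seconds apart, compute how many packets each rule matched in between, and flag a rule that matched nothing although tcpdump counted matching packets on the wire in the same interval. The snapshot text and the wire count are constructed inputs based on the counts quoted above.

```shell
#!/bin/sh
# Added example, not from the original mail. Two snapshots of
# `iptables -vnxL OUTPUT`, constructed from the counts quoted in the mail;
# in practice capture them a few seconds apart while VPN traffic flows.
SNAP1='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts    bytes target     prot opt in     out     source               destination
    0        0            udp  --  *      *       0.0.0.0/0            xxx.xx.xxx.95      udp dpt:4970
    0        0 LOG        all  --  *      eth1   !xxx.xx.xxx.162      !192.168.111.255    LOG flags 0 level 4
80423 25904314 acct-out   all  --  *      eth1    xxx.xx.xxx.162       0.0.0.0/0'
SNAP2='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts    bytes target     prot opt in     out     source               destination
    0        0            udp  --  *      *       0.0.0.0/0            xxx.xx.xxx.95      udp dpt:4970
    0        0 LOG        all  --  *      eth1   !xxx.xx.xxx.162      !192.168.111.255    LOG flags 0 level 4
80424 25904354 acct-out   all  --  *      eth1    xxx.xx.xxx.162       0.0.0.0/0'

# rule_deltas BEFORE AFTER: print "<rule number> <packets matched between the snapshots>"
# for every rule. Counter rows are the lines whose first field (pkts) is numeric;
# the "Chain ..." line and the column header are skipped.
rule_deltas() {
    awk -v before="$1" -v after="$2" '
    function counts(text, out,    n, lines, i, f, k) {
        n = split(text, lines, "\n"); k = 0
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] ~ /^[0-9]+$/) out[++k] = f[1] + 0
        }
        return k
    }
    BEGIN {
        n = counts(before, b)
        if (counts(after, a) != n) { print "rule set changed between snapshots" > "/dev/stderr"; exit 2 }
        for (i = 1; i <= n; i++) print i, a[i] - b[i]
    }'
}

# uncovered_rule BEFORE AFTER RULE WIRE_PKTS: exit 0 when tcpdump counted WIRE_PKTS
# matching packets on the wire during the interval but rule RULE matched none of
# them, i.e. those packets never traversed the OUTPUT chain.
uncovered_rule() {
    delta=$(rule_deltas "$1" "$2" | awk -v r="$3" '$1 == r { print $2 }')
    [ -n "$delta" ] && [ "$4" -gt 0 ] && [ "$delta" -eq 0 ]
}

# Constructed interval: tcpdump saw 3 UDP packets to port 4970; rule 1 is the "udp dpt:4970" rule.
rule_deltas "$SNAP1" "$SNAP2"
if uncovered_rule "$SNAP1" "$SNAP2" 1 3; then
    echo "rule 1 matched 0 of 3 packets seen on the wire: this traffic is bypassing OUTPUT"
fi
```

The wire count comes from a tcpdump of `udp port 4970` on eth1 over the same interval; only rule 3 (acct-out) advances in the constructed snapshots, which is what the mail observes.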