[ale] potential iptables bug
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Dec 4 01:04:09 EST 2007
On Mon 2007-12-03 21:56:00 -0500, James P. Kinney III wrote:
> All machines are affected. This is the NAT table. The 10.0.0.195 is
> the external and the 192.168.1.13 is the internal of the ssh machine
> referred to originally. Again, this affects ALL machines that have a
> pass through from the firewall.
>
> BTW: the default policy is to reject with icmp-host-prohibited on
> all chains (I think I can quote from Bob's second edition now :) and
> only the machine functions are open at all.
hrm. evolution appears to have line-wrapped your post, so i'm not
sure i've got it right. I've tried to de-line-wrap it below:
> $ iptables -vnL -t nat
> Chain OUTPUT (policy ACCEPT 26 packets, 1584 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 SNAT all -- * eth0 192.168.1.13 0.0.0.0/0 to:10.0.0.195
> 26 1548 SNAT all -- * eth0 0.0.0.0/0 0.0.0.0/0 to:10.0.0.194
Sorry to ask the obvious, but which interface is eth0? Is it possible
that these SNAT lines are triggering for connections coming in the
firewall's WAN port? That would certainly rewrite the source IP
address of the packets to an IP address of the firewall, as shown
here.
--dkg
PS are you really running iptables as a regular user? how does that
work? or does your root prompt just use "$" instead of the
traditional "#"?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
More information about the Ale
mailing list