[ale] potential iptables bug

James P. Kinney III jkinney at localnetsolutions.com
Tue Dec 4 08:46:57 EST 2007


On Tue, 2007-12-04 at 01:03 -0500, Daniel Kahn Gillmor wrote:
> On Mon 2007-12-03 21:56:00 -0500, James P. Kinney III wrote:
> 
> > All machines are affected. This is the NAT table. The 10.0.0.195 is
> > the external and the 192.168.1.13 is the internal of the ssh machine
> > referred to originally. Again, this affects ALL machines that have a
> > pass through from the firewall.
> >
> > BTW: the default policy is to reject with icmp-host-prohibited on
> > all chains (I think I can quote from Bob's second edition now :) and
> > only the machine functions are open at all.
> 
> hrm.  evolution appears to have line-wrapped your post, so i'm not
> sure i've got it right.  I've tried to de-line-wrap it below:
> 
> > $ iptables -vnL -t nat
> > Chain OUTPUT (policy ACCEPT 26 packets, 1584 bytes)
> >  pkts bytes target     prot opt in     out     source       destination         
> >
> > Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
> >  pkts bytes target     prot opt in     out     source       destination         
> >     0     0 SNAT       all  --  *      eth0    192.168.1.13 0.0.0.0/0           to:10.0.0.195 
> >    26  1548 SNAT       all  --  *      eth0    0.0.0.0/0    0.0.0.0/0           to:10.0.0.194 
> 
> Sorry to ask the obvious, but which interface is eth0? 
eth0 is external, eth1 is internal.

>  Is it possible
> that these SNAT lines are triggering for connections coming in the
> firewall's WAN port?  That would certainly rewrite the source IP
> address of the packets to an IP address of the firewall, as shown
> here.
> 
>         --dkg
> 
> PS are you really running iptables as a regular user?  how does that
>    work?  or does your root prompt just use "$" instead of the
>    traditional "#"?

Cut-n-paste missed the # and I typed the wrong one. iptables requires
root privileges to run (although there is a sudo account on that machine,
it was not used).
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
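The point dkg raises above is that the second POSTROUTING rule matches source 0.0.0.0/0 on eth0, so it rewrites the source address of every packet that leaves eth0, not only packets from the LAN. The script below is an added example (not from the thread or from either poster) that audits a pasted `iptables -vnL -t nat` listing for exactly that kind of catch-all SNAT/MASQUERADE rule and prints the narrowed form of the rule restricted to the internal subnet. The sample listing is the POSTROUTING table from the thread, re-assembled without the line wraps; the internal subnet 192.168.1.0/24 is an assumption inferred from the 192.168.1.13 address and is not stated in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the nat table for SNAT or
# MASQUERADE rules whose source match is 0.0.0.0/0. Such a rule rewrites the
# source of every packet leaving the named interface, so it deserves a look
# when forwarded traffic unexpectedly shows up with the firewall's address.

# Constructed sample: the thread's POSTROUTING listing with wraps removed.
SAMPLE_NAT_LISTING='Chain OUTPUT (policy ACCEPT 26 packets, 1584 bytes)
 pkts bytes target     prot opt in     out     source       destination
Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source       destination
    0     0 SNAT       all  --  *      eth0    192.168.1.13 0.0.0.0/0           to:10.0.0.195
   26  1548 SNAT       all  --  *      eth0    0.0.0.0/0    0.0.0.0/0           to:10.0.0.194'

# find_catchall_snat LISTING
# Prints one line per SNAT/MASQUERADE rule that matches source 0.0.0.0/0,
# as "<chain> <out-iface> <target> <source> <extra columns>".
find_catchall_snat() {
    printf '%s\n' "$1" | awk '
        /^Chain /    { chain = $2; next }   # remember which chain we are in
        $1 == "pkts" { next }               # column header line
        NF < 9       { next }               # blank lines and similar
        ($3 == "SNAT" || $3 == "MASQUERADE") && $8 == "0.0.0.0/0" {
            printf "%s %s %s %s", chain, $7, $3, $8
            for (i = 10; i <= NF; i++) printf " %s", $i   # e.g. to:10.0.0.194
            printf "\n"
        }'
}

# count_catchall_snat LISTING -> number of catch-all SNAT/MASQUERADE rules
count_catchall_snat() {
    find_catchall_snat "$1" | wc -l | tr -d ' '
}

# narrowed_snat_rule OUT_IFACE SUBNET TO_IP
# Prints the iptables command for the same SNAT restricted to one subnet,
# so only packets from the LAN get their source rewritten.
narrowed_snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

if [ "${1:-}" = "--demo" ]; then
    echo "Catch-all SNAT rules found: $(count_catchall_snat "$SAMPLE_NAT_LISTING")"
    find_catchall_snat "$SAMPLE_NAT_LISTING"
    echo "Narrowed replacement (assumed LAN subnet 192.168.1.0/24):"
    narrowed_snat_rule eth0 192.168.1.0/24 10.0.0.194
fi
```

Run it as `sh audit_nat.sh --demo`, or feed a live listing with `find_catchall_snat "$(iptables -vnL -t nat)"` as root. The first, host-specific rule (192.168.1.13 to 10.0.0.195) is not reported because it only matches one internal source; the second is flagged because it applies to anything leaving eth0.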