[Dnsmasq-discuss] iptables configuration drops packets

/dev/rob0 rob0 at gmx.co.uk
Sat May 17 00:36:19 BST 2008


On Fri May 16 2008 13:30:01 Adam Hardy wrote:
> I set up iptables myself today after using an obtusely written
> script for some time.

I don't think this one is much better. :( Start simpler.  A good 
starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:

http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html

> I am trying to work out whether everything is in order and I am
> seeing logs from iptables saying that it is dropping packets from the

Routine logging is an easy way to DoS yourself. When you have it all 
working, stop the -j LOG rules.

> machine every 12 minutes, which doesn't make sense - here's a line
> from the log:
>
> May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
> SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217

Assuming that the --log-prefix is correct and that your iptables 
machine's IP address is 192.168.0.2, do tell, WHY are you blocking 
OUTPUT? What is your threat model?

My rule of thumb: if you have to ask for help with iptables, you need 
ACCEPT policy (and no blocking) in OUTPUT.

> The machine is running dhclient3 and dnsmasq and it acts as a

Irrelevant.

> I'm trying to find out what the broadcast address is for and I'm
> pretty much in the dark despite looking around the mailing list and
> google.

This is the old "Netbios" protocol, kludged up by Microsoft in the 
1990s, to enable peer-to-peer file sharing on IP networks without 
proper DNS services. I think you can turn it off in Samba's nmbd(8). 
But your best bet is to just stop blocking OUTPUT.

You most likely also do not want much if any filtering on your LAN 
interface. You should only filter INPUT and FORWARD traffic on your 
external interface. If you really have a threat inside your RFC 1918 
netblocks, I would suggest a physical approach: pull the plug on it.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
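As an added example (not part of the original post), the following Python parses the netfilter LOG line quoted above into its fields and checks what the reply says about it: an empty IN= with OUT= set means a locally generated packet, and UDP to port 137/138 at the subnet broadcast address is NetBIOS. The log line is embedded as a constructed sample; `parse_log_line`, `direction` and `is_netbios_broadcast` are names chosen here.

```python
import re

# Constructed sample: the log line quoted in the thread, rejoined onto
# one line as the kernel emitted it.
SAMPLE_LOG = (
    "May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1 "
    "SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217"
)

# The LOG target writes KEY=VALUE tokens; bare flags such as DF have no "=".
_TOKEN = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the --log-prefix text, a dict of fields and a set of flags.

    The free-text prefix ends where the first IN= token starts. Keys that
    repeat (LEN= appears for the IP header and again for the UDP payload)
    are kept as lists so nothing is silently overwritten.
    """
    _, _, rest = line.partition("kernel: ")
    start = rest.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line")
    body = rest[start:]
    fields = {}
    for key, value in _TOKEN.findall(body):
        fields.setdefault(key, []).append(value)
    flags = {tok for tok in body.split() if "=" not in tok}
    return {"prefix": rest[:start].strip(), "fields": fields, "flags": flags}


def direction(parsed):
    """Empty IN with OUT set = locally generated (OUTPUT chain);
    both set = forwarded; only IN set = destined to this host (INPUT)."""
    f = parsed["fields"]
    inbound, outbound = f.get("IN", [""])[0], f.get("OUT", [""])[0]
    if inbound and outbound:
        return "forwarded"
    if outbound:
        return "locally generated"
    return "locally destined" if inbound else "unknown"


def is_netbios_broadcast(parsed, lan_broadcast):
    """UDP 137 (name service) or 138 (datagram service) sent to the LAN
    broadcast address: the NetBIOS chatter the reply describes."""
    f = parsed["fields"]
    return (f.get("PROTO") == ["UDP"]
            and f.get("DPT", [""])[0] in ("137", "138")
            and f.get("DST") == [lan_broadcast])
```

Feeding a real log file through `parse_log_line` line by line lets you count how many drops are this LAN-internal NetBIOS traffic versus anything arriving on the external interface.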