[Dnsmasq-discuss] iptables configuration drops packets

Sat May 17 17:18:38 BST 2008

/dev/rob0 on 17/05/08 00:36, wrote:
> On Fri May 16 2008 13:30:01 Adam Hardy wrote:
>> I set up iptables myself today after using an obtusely written
>> script for some time.
> 
> I don't think this one is much better. :( Start simpler.  A good 
> starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:
> 
> http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html

I can appreciate minimalism, thanks. I'll definitely peruse that. My script is 
based on the obtuse script I had earlier (generated by fwbuilder) but 
rationalised by myself - we're talking rationalised as far as my understanding 
of iptables goes, rather than what I desire for the end result. I'm pretty close 
though I think.

>> I am trying to work out whether everything is in order and I am
>> seeing logs from iptables saying that it is dropping packets from the
> 
> Routine logging is an easy way to DoS yourself. When you have it all 
> working, stop the -j LOG rules.
> 
>> machine every 12 minutes, which doesn't make sense - here's a line
>> from the log:
>>
>> May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
>> SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
>> ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217
> 
> Assuming that the --log-prefix is correct and that your iptables 
> machine's IP address is 192.168.0.2, do tell, WHY are you blocking 
> OUTPUT? What is your threat model?

Basically I have 3 housemates who I allow on the wireless LAN with their 
laptops, and of course they all run windows, so I just want to make sure. I'd 
rather not run the risk of someone leaving their PC on with a spam cannon trojan 
running. I've forbidden Outlook and MSIE, so perhaps I'm being too keen, but I 
figured I'd log what OUTPUT drops and figure out where it's coming from and 
whether it's kosher or not, and adapt when necessary.

And I've seen the buffering config that can prevent log flooding, so I should be 
OK vis a vis DoS.

>> I'm trying to find out what the broadcast address is for and I'm
>> pretty much in the dark despite looking around the mailing list and
>> google.
> 
> This is the old "Netbios" protocol, kludged up by Microsoft in the 
> 1990's, to enable peer-to-peer file sharing on IP networks without 
> proper DNS services. I think you can turn it off in Samba's nmbd(8). 
> But your best bet is to just stop blocking OUTPUT.
> 
> You most likely also do not want much if any filtering on your LAN 
> interface. You should only filter INPUT and FORWARD traffic on your 
> external interface. If you really have a threat inside your RFC 1918 
> netblocks, I would suggest a physical approach: pull the plug on it.

Point taken - if I takes me too long to figure out the rule I need, I may just 
go that way.

Thanks
Adam