[ale] potential iptables bug

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 4 01:04:09 EST 2007


On Mon 2007-12-03 21:56:00 -0500, James P. Kinney III wrote:

> All machines are affected. This is the NAT table. The 10.0.0.195 is
> the external and the 192.168.1.13 is the internal of the ssh machine
> referred to originally. Again, this affects ALL machines that have a
> pass through from the firewall.
>
> BTW: the default policy is to reject with icmp-host-prohibited on
> all chains (I think I can quote from Bob's second edition now :) and
> only the machine functions are open at all.

Hrm.  Evolution appears to have line-wrapped your post, so I'm not
sure I've got it right.  I've tried to de-line-wrap it below:

> $ iptables -vnL -t nat
> Chain OUTPUT (policy ACCEPT 26 packets, 1584 bytes)
>  pkts bytes target     prot opt in     out     source       destination         
>
> Chain POSTROUTING (policy ACCEPT 1 packets, 84 bytes)
>  pkts bytes target     prot opt in     out     source       destination         
>     0     0 SNAT       all  --  *      eth0    192.168.1.13 0.0.0.0/0           to:10.0.0.195 
>    26  1548 SNAT       all  --  *      eth0    0.0.0.0/0    0.0.0.0/0           to:10.0.0.194 

Sorry to ask the obvious, but which interface is eth0?  Is it possible
that these SNAT lines are triggering for connections coming in the
firewall's WAN port?  That would certainly rewrite the source IP
address of the packets to an IP address of the firewall, as shown
here.

        --dkg

PS Are you really running iptables as a regular user?  How does that
   work?  Or does your root prompt just use "$" instead of the
   traditional "#"?
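The interface question dkg raises is really a question about which packets the two SNAT rules match. As an added illustration that is not part of the original thread, here is a small Python model of first-match evaluation in the nat POSTROUTING chain, loaded with the two SNAT rules exactly as they appear in the listing. It is a model of the matching logic, not a call into iptables itself. The second interface name eth1, the WAN client address 10.0.0.50 and the 192.168.1.0/24 LAN network are assumptions made for the example; 10.0.0.194, 10.0.0.195 and 192.168.1.13 come from the listing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A forwarded packet as seen at POSTROUTING (after any DNAT)."""
    in_iface: str
    out_iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class SnatRule:
    """One SNAT line from `iptables -vnL -t nat`; "*" means any interface."""
    out_iface: str
    source: str       # CIDR, 0.0.0.0/0 matches everything
    destination: str  # CIDR
    to: str           # address the source is rewritten to

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface != "*" and self.out_iface != pkt.out_iface:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.destination))


def postrouting(rules, pkt: Packet):
    """First matching rule wins, as in a netfilter chain.
    None means the chain policy (ACCEPT) applied and nothing was rewritten."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to
    return None


def source_seen_by(rules, pkt: Packet) -> str:
    """Source address the receiving host sees once POSTROUTING has run."""
    rewritten = postrouting(rules, pkt)
    return pkt.src if rewritten is None else rewritten


# The two rules from the posted listing, in chain order.
RULES_AS_POSTED = [
    SnatRule("eth0", "192.168.1.13/32", "0.0.0.0/0", "10.0.0.195"),
    SnatRule("eth0", "0.0.0.0/0", "0.0.0.0/0", "10.0.0.194"),
]

# Same rules with the catch-all anchored to the LAN network (assumed 192.168.1.0/24),
# so only traffic that originated inside the LAN is ever source-rewritten.
RULES_RESTRICTED = [
    SnatRule("eth0", "192.168.1.13/32", "0.0.0.0/0", "10.0.0.195"),
    SnatRule("eth0", "192.168.1.0/24", "0.0.0.0/0", "10.0.0.194"),
]

# Constructed traffic. 10.0.0.50 is an assumed WAN-side client; eth1 is the
# assumed name of whichever interface is not eth0.
OUTBOUND = Packet("eth1", "eth0", "192.168.1.13", "10.0.0.50")        # ssh host going out
INBOUND_VIA_ETH1 = Packet("eth0", "eth1", "10.0.0.50", "192.168.1.13") # eth0 is WAN, LAN is eth1
INBOUND_VIA_ETH0 = Packet("eth1", "eth0", "10.0.0.50", "192.168.1.13") # eth0 is the LAN side


def main():
    for label, pkt in [("outbound", OUTBOUND),
                       ("inbound, LAN on eth1", INBOUND_VIA_ETH1),
                       ("inbound, LAN on eth0", INBOUND_VIA_ETH0)]:
        print(f"{label:22s} posted rules -> {source_seen_by(RULES_AS_POSTED, pkt):12s}"
              f" restricted -> {source_seen_by(RULES_RESTRICTED, pkt)}")


if __name__ == "__main__":
    main()
```

If eth0 is the WAN interface, the forwarded SSH connection leaves on the other interface and neither rule fires, so the internal host sees the real client address. If eth0 is the LAN side, the catch-all `0.0.0.0/0 -> to:10.0.0.194` rule rewrites every forwarded packet heading into the LAN, which is exactly the symptom of all pass-through connections appearing to come from the firewall. Giving the catch-all an explicit `-s 192.168.1.0/24` stops that rewrite regardless of which interface eth0 turns out to be.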