שלום,
אני מתקין מערכת חדשה ויש לי שם בעייה עם iptables:
כאשר אני שולח ping, אני רואה שהודעת ה-echo request הגיעה, אבל echo reply לא יוצאת.
רק אחרי שביטלתי את ה-iptables ראיתי שיש גם echo reply.
אותו סיפור פחות או יותר עם תעבורה אמיתית.
אשמח לבדיקה מה לא בסדר.
קוד: |
root@hlrfeor201> cat iptables
# Generated by iptables-save v1.4.7 on Thu Dec 26 10:20:20 2013
# Review note: the mangle table below carries only ACCEPT default policies and
# no rules, so it plays no part in the ping problem; everything relevant is in
# the filter table further down.
*mangle
:PREROUTING ACCEPT [18899307:3711355314]
:INPUT ACCEPT [18467056:3694064954]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20527659:3856681121]
:POSTROUTING ACCEPT [20527659:3856681121]
COMMIT
# Completed on Thu Dec 26 10:20:20 2013
# Generated by iptables-save v1.4.7 on Thu Dec 26 10:20:20 2013
*filter
# INPUT default policy is DROP: any packet that reaches the end of the INPUT
# chain (i.e. after the NFLOG rule) is discarded. OUTPUT is ACCEPT, so an
# echo-reply would leave freely -- but the kernel only generates the reply
# after the echo-request has been accepted by INPUT. A sniffer (tcpdump) sees
# the request before netfilter runs, which is why the request is visible while
# no reply is ever produced.
:INPUT DROP [15900:4881300]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6081715:669084871]
:LAN1 - [0:0]
:LAN2 - [0:0]
:LAN3 - [0:0]
:LAN4 - [0:0]
# LAN_TRAFFIC is declared but no "-A LAN_TRAFFIC" rule appears in this dump,
# so the jump to it from INPUT matches nothing and simply returns.
:LAN_TRAFFIC - [0:0]
-A INPUT -i lo -m comment --comment "free loopback interface . default rule added by HBFW tool" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -m comment --comment "default rule added by HBFW tool" -j ACCEPT
-A INPUT -m comment --comment "HBFW tool chain used for accepting sigtran traffic " -j LAN_TRAFFIC
# "-f" matches second and further IP fragments and accepts them unconditionally,
# ahead of every per-network chain. Header-based rules cannot see the transport
# header in those fragments, so this is a classic filter bypass; prefer letting
# conntrack reassemble (it does so before filter) and dropping bare fragments.
-A INPUT -f -m comment --comment "default rule added by HBFW tool" -j ACCEPT
-A INPUT -p esp -m comment --comment "default rule added by HBFW tool" -j ACCEPT
-A INPUT -p ah -m comment --comment "default rule added by HBFW tool" -j ACCEPT
-A INPUT -d 224.0.0.1/32 -m comment --comment "default rule added by HBFW tool" -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p udp -m udp --dport 123 -m comment --comment "ntp source address added by HBFW tool" -j ACCEPT
# Ordering: if these prefixes are the real ones (iptables-save normally prints
# the network address, so they look edited for the post), 1.2.3.0/25 lies inside
# 1.2.3.0/22 and the LAN3 jump on the next line is never reached -- LAN1 ends in
# an unconditional DROP and never returns. Likewise 1.2.4.2 would be outside
# 1.2.3.0/22, making the LAN1 -> LAN2 jump unreachable. Verify against the real
# addresses.
-A INPUT -d 1.2.3.0/22 -j LAN1
-A INPUT -d 1.2.3.0/25 -j LAN3
# Rate-limited logging only; anything not logged (or anything at all) then falls
# through to the DROP policy above.
-A INPUT -m limit --limit 2/sec --limit-burst 10 -j NFLOG --nflog-prefix "INPUT" --nflog-group 1
-A FORWARD -m limit --limit 2/sec --limit-burst 10 -j NFLOG --nflog-prefix "FORWARD" --nflog-group 1
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A LAN1 -d 1.2.4.2/32 -j LAN2
-A LAN1 -m limit --limit 2/sec --limit-burst 10 -j NFLOG --nflog-prefix "LAN1" --nflog-group 1
-A LAN1 -j DROP
# Root cause of the missing echo-reply: LAN2 accepts only RELATED,ESTABLISHED.
# An inbound echo-request opens a NEW conntrack entry, matches nothing here,
# falls off the end of LAN2 back into LAN1, is logged (NFLOG "LAN1") and DROPped.
# The same applies to every other new inbound flow (SSH, NTP, SIGTRAN...): no
# rule in this dump accepts state NEW except loopback, fragments, ESP/AH, the
# 224.0.0.1 multicast address and NTP from 127.0.0.1 -- consistent with "real
# traffic" failing too. To allow ping, add an explicit accept before the end
# of this chain, e.g.
#   -A LAN2 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# (optionally with -m limit), and equivalent ACCEPTs for the services that
# should be reachable, keeping the RELATED,ESTABLISHED rule first.
-A LAN2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LAN3 -d 1.2.3.2/32 -j LAN4
-A LAN3 -m limit --limit 2/sec --limit-burst 10 -j NFLOG --nflog-prefix "LAN3" --nflog-group 1
-A LAN3 -j DROP
# LAN4 mirrors LAN2 and has the same gap: no accept for NEW traffic, so new
# flows to 1.2.3.2 return to LAN3 and are logged and dropped there.
-A LAN4 -m state --state RELATED,ESTABLISHED -j ACCEPT
|