[arch-general] iptables not working well?
Javier Vasquez
j.e.vasquez.v at gmail.com
Mon Jul 11 23:52:31 EDT 2011
On Sun, Jul 10, 2011 at 6:35 PM, Robert Marmorstein <rmmarm at sdf.org> wrote:
> ...
>
> It might help you to LOG packets that are REJECTED. Then if you continue to
> have issues, you should be able to see more directly what's going on.
>
> To do that, add rules like directly before the ones with -J REJECT:
>
> iptables -A INPUT -j LOG -m limit --limit 3/minute
> iptables -A FORWARD -j LOG -m limit --limit 3/minute
>
> Then you should look in /var/log/messages or /var/log/syslog (depending on
> which logger you have installed) to see which packets are being dropped.
>
> You probably don't want these rules enabled all the time -- the log files
> can get pretty big quickly -- but they are very helpful for debugging.
>
> If you continue to have issues, posting the LOG messages would help us know
> more about what's going on.
>
> Robert
Hi Robert, I tried the logging rules, but they didn't work as proposed:
% sudo iptables -A INPUT -j LOG -m limit --limit 3/minute
Password:
iptables: Invalid argument. Run `dmesg' for more information.
% sudo iptables -A FORWARD -j LOG -m limit --limit 3/minute
iptables: Invalid argument. Run `dmesg' for more information.
What dmesg shows is:
x_tables: ip_tables: limit.0 match: invalid size 40 (kernel) != (user) 48
x_tables: ip_tables: limit.0 match: invalid size 40 (kernel) != (user) 48
I didn't find anything under:
/var/log/messages.log
/var/log/syslog.log
The dmesg messages come from:
/var/log/kernel.log
Not sure if that helps in any way to get some light, :-)
Thanks,
--
Javier.
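The step Robert describes after the LOG rules is reading the kernel log to see which packets were rejected. Below is an added example, not from either poster, of a small POSIX shell summariser for such lines. It assumes the LOG rules were given a `--log-prefix` (a real iptables LOG option; the prefix string "IPT-REJECT: " is my choice) so the lines can be grepped, and the log lines embedded in the script are constructed samples in the kernel's LOG format, not output from Javier's machine.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines taken from the kernel log.
# Assumed rule form (prefix is an assumption, not from the thread):
#   iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-REJECT: "
# placed directly before the REJECT rule, so each rejected packet is logged first.

# CONSTRUCTED sample log text in the format the LOG target writes to the kernel log.
SAMPLE_LOG=$(cat <<'EOF'
Jul 11 23:40:01 host kernel: IPT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 23:40:02 host kernel: IPT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 11 23:40:05 host kernel: IPT-REJECT: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 11 23:40:09 host kernel: IPT-REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul 11 23:40:10 host kernel: some unrelated kernel message that must be ignored
EOF
)

# summarize_rejects: reads log text on stdin and prints one line per
# (source, protocol, destination port) with its packet count, highest first.
# Only lines carrying the log prefix are considered; "-" marks a missing DPT (e.g. ICMP).
summarize_rejects() {
    grep -F 'IPT-REJECT:' | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# count_rejects: total number of logged rejects in the text on stdin.
count_rejects() {
    grep -c 'IPT-REJECT:'
}

# top_src: the source address responsible for the most rejected packets.
top_src() {
    summarize_rejects | head -n 1 | awk '{ print $2 }'
}

# Usage on the constructed sample; on a real box pipe the kernel log in instead,
# e.g.  summarize_rejects < /var/log/kernel.log
printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

The summary tells you at a glance which sources and ports the REJECT rule is actually hitting, which is the question the LOG rules were meant to answer; the `limit` match keeps the log from filling up while the rules are left in place for debugging.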