[arch-general] iptables not working well?

Javier Vasquez j.e.vasquez.v at gmail.com
Tue Jul 12 00:07:24 EDT 2011


On Mon, Jul 11, 2011 at 9:52 PM, Javier Vasquez <j.e.vasquez.v at gmail.com> wrote:
> On Sun, Jul 10, 2011 at 6:35 PM, Robert Marmorstein <rmmarm at sdf.org> wrote:
>> ...
>>
>> It might help you to LOG packets that are REJECTED.  Then if you continue to
>> have issues, you should be able to see more directly what's going on.
>>
>> To do that, add rules like these directly before the ones with -j REJECT:
>>
>> iptables -A INPUT -j LOG -m limit --limit 3/minute
>> iptables -A FORWARD -j LOG -m limit --limit 3/minute
>>
>> Then you should look in /var/log/messages or /var/log/syslog (depending on
>> which logger you have installed) to see which packets are being dropped.
>>
>> You probably don't want these rules enabled all the time -- the log files
>> can get pretty big quickly -- but they are very helpful for debugging.
>>
>> If you continue to have issues, posting the LOG messages would help us know
>> more about what's going on.
>>
>> Robert
>
> Hi Robert, I tried the logging rules, but they didn't work as proposed:
>
> % sudo iptables -A INPUT -j LOG -m limit --limit 3/minute
> Password:
> iptables: Invalid argument. Run `dmesg' for more information.
>
> % sudo iptables -A FORWARD -j LOG -m limit --limit 3/minute
> iptables: Invalid argument. Run `dmesg' for more information.
>
> What dmesg shows is:
>
> x_tables: ip_tables: limit.0 match: invalid size 40 (kernel) != (user) 48
> x_tables: ip_tables: limit.0 match: invalid size 40 (kernel) != (user) 48
>
> I didn't find anything under:
>
> /var/log/messages.log
> /var/log/syslog.log
>
> The dmesg messages come from:
>
> /var/log/kernel.log
>
> Not sure if that helps any way to get some light, :-)
>
> Thanks,
>
> --
> Javier.
>

Translation of:

http://bbs.lemote.com/archiver/?tid-51375.html

Seems to indicate not to be an issue:

http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=auto&tl=en&u=http%3A%2F%2Fbbs.lemote.com%2Farchiver%2F%3Ftid-51375.html

Perhaps I'll have to try tcpdump as suggested, :-)

-- 
Javier.
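Robert's LOG suggestion above, worked through as a small script I have added to this archive page (it is not code from either poster). Note that `iptables -A` appends at the end of a chain, so a LOG rule appended after an existing `-j REJECT` would never see a packet; the script reads `iptables -S` output and computes the position for `iptables -I CHAIN N` instead. The sample ruleset and the `--log-prefix` value are my own assumptions.

```shell
#!/bin/sh
# Added example: find where a LOG rule must be inserted so it is evaluated
# before a chain's REJECT/DROP rule.  Input is the text that `iptables -S`
# prints; the sample at the bottom is constructed, not a real ruleset.

# Print the 1-based rule number of the first "-j REJECT" or "-j DROP" rule
# in CHAIN ($1), reading `iptables -S` output on stdin.  If the chain has no
# such rule, print (rule count + 1), i.e. the append position.
log_insert_position() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      n++
      for (i = 3; i < NF; i++)
        if ($i == "-j" && ($(i+1) == "REJECT" || $(i+1) == "DROP")) {
          print n; found = 1; exit
        }
    }
    END { if (!found) print n + 1 }'
}

# Build the insert command for CHAIN ($1) from `iptables -S` text on stdin.
# --limit 3/minute is Robert's rate limit; --log-prefix is an assumption
# added so the lines are easy to grep out of the kernel log.
log_rule_cmd() {
  pos=$(log_insert_position "$1")
  printf 'iptables -I %s %s -m limit --limit 3/minute -j LOG --log-prefix "%s-reject: "\n' \
    "$1" "$pos" "$1"
}

# Constructed sample of `iptables -S` output (assumption, not from the thread).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable'

# Usage: print the insert commands for the sample ruleset (review before running).
for chain in INPUT FORWARD; do
  printf '%s\n' "$SAMPLE_RULES" | log_rule_cmd "$chain"
done
```

On a live box, replace the sample with `iptables -S | log_rule_cmd INPUT`, and remember the "invalid size" dmesg error in the thread is unrelated to rule order: it means the iptables userspace binary and the running kernel disagree on the limit match structure, so the rule is refused wherever it is placed.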