[ale] potential iptables bug [was Re: sanity check]
- Subject: [ale] potential iptables bug [was Re: sanity check]
- From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
- Date: Mon Dec 3 19:15:42 2007
- In-reply-to: <[email protected]> (James P. Kinney, III's message of "Mon\, 03 Dec 2007 17\:30\:13 -0500")
- References: <[email protected]>
On Mon 2007-12-03 17:30:13 -0500, James P. Kinney III wrote:
> So the bug appears to be in the DNAT mapping that is supposed to only
> change the destination IP but appears to also change the source IP.
>
> This failure occurs for ssh and mail and http. All internal machines
> report all incoming traffic and originating from the firewall and not
> from the real source.
can you show the output of:

    iptables -vnL
    iptables -t nat -vnL

on the firewall? (if you feel the need to anonymize IP addresses,
that's fine, but please keep them distinct from one another --
i.e. don't rewrite 1.2.3.4 as X.X.X.X if you've already written
5.6.7.8 as X.X.X.X)
thanks,
--dkg