
#1 2016-04-22 10:39:33

mark8686
Banned
Registered: 2016-04-22
Posts: 1

Why is netfilter blocking this?

I'm sure there's an obvious answer to this that I'm missing.

192.168.99.1 and 192.168.99.2 are both physically separate systems on the network.

The output below is from an Arch LXC container running on an Arch host.

Running netcap on the host I can see that the ping reply is coming in from 192.168.99.1 but appears to be blocked by iptables/netfilter in the LXC container.


[root@deluge ~]# iptables -nvL
Chain INPUT (policy DROP 1714 packets, 664K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1290 78356 ACCEPT     all  --  *      *       192.168.99.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 190 packets, 9792 bytes)
 pkts bytes target     prot opt in     out     source               destination
  487 36855 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.99.0/24
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194



[root@deluge ~]# ping 192.168.99.1
PING 192.168.99.1 (192.168.99.1) 56(84) bytes of data.
^C
--- 192.168.99.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3007ms



[root@deluge ~]# ping 192.168.99.2
PING 192.168.99.2 (192.168.99.2) 56(84) bytes of data.
64 bytes from 192.168.99.2: icmp_seq=1 ttl=64 time=0.266 ms
64 bytes from 192.168.99.2: icmp_seq=2 ttl=64 time=0.260 ms
^C
--- 192.168.99.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.260/0.263/0.266/0.003 ms



[root@deluge ~]# systemctl stop iptables



[root@deluge ~]# ping 192.168.99.1
PING 192.168.99.1 (192.168.99.1) 56(84) bytes of data.
64 bytes from 192.168.99.1: icmp_seq=1 ttl=254 time=0.549 ms
64 bytes from 192.168.99.1: icmp_seq=2 ttl=254 time=0.585 ms
64 bytes from 192.168.99.1: icmp_seq=3 ttl=254 time=0.577 ms
64 bytes from 192.168.99.1: icmp_seq=4 ttl=254 time=0.614 ms
^C
--- 192.168.99.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.549/0.581/0.614/0.028 ms


#2 2016-04-22 15:49:15

JohnBobSmith
Member
From: Canada
Registered: 2014-11-29
Posts: 804

Re: Why is netfilter blocking this?

Well, the most obvious answer is that your iptables rules are configured incorrectly, thus blocking your connection(s). Unfortunately I don't use iptables, but the wiki should almost definitely have info on how to check and configure the rules.


I am diagnosed with bipolar disorder. As it turns out, what I thought was my greatest weakness is now my greatest strength.

Every day, I make a conscious choice to overcome my challenges and my problems. It's not easy, but it's better than the alternative...


#3 2016-04-22 18:31:03

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Why is netfilter blocking this?

Show the output of:

iptables-save

Why does everyone use iptables -L? It's just a management summary.

Also, use logndrop for iptables debugging.

Last edited by brebs (2016-04-22 18:33:27)

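The log-and-drop approach brebs recommends, worked through for the symptom in the first post (an INPUT chain whose DROP policy has swallowed 1714 packets with nothing saying which ones): the following POSIX shell helper is an added example, not code from the thread or from any Arch project. It builds a LOGNDROP chain, appends it as the last INPUT rule so every packet the ACCEPT rules miss is logged before being dropped, and parses the resulting kernel log lines. The chain name LOGNDROP, the prefix "ipt-drop: ", the container address 192.168.99.10 and the sample log line are assumptions constructed for the example; the iptables options used (-N, -A, -m limit, -j LOG --log-prefix, --log-level) are the real ones.

```shell
#!/bin/sh
# Added example (not from the thread): log-then-drop chain for iptables debugging,
# plus a parser for the kernel log lines the LOG target produces.
# Dry run by default: commands are printed, not applied. Run with APPLY=1 as root
# to install them for real.
if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
else
    IPT="echo iptables"   # left unquoted below on purpose so it splits into two words
fi

# Build a LOGNDROP chain and hang it off the end of INPUT. Everything the ACCEPT
# rules miss reaches it, gets logged (rate-limited) and is then dropped, so the
# "policy DROP 1714 packets" counter turns into a list of attributable packets.
setup_logndrop() {
    chain="${1:-LOGNDROP}"          # assumed chain name
    prefix="${2:-ipt-drop: }"       # assumed log prefix, used to grep the log
    $IPT -N "$chain" 2>/dev/null || true   # -N fails harmlessly if the chain exists
    $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$prefix" --log-level 4
    $IPT -A "$chain" -j DROP
    $IPT -A INPUT -j "$chain"
}

# Extract one KEY=value field from a netfilter LOG line; prints an empty string
# when the field is present but empty (e.g. "OUT=" for locally delivered traffic).
log_field() {
    # $1 = field name, $2 = log line
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# One-line triage summary: incoming interface, source -> destination, protocol.
summarize_drop() {
    printf '%s %s -> %s %s\n' \
        "$(log_field IN "$1")" "$(log_field SRC "$1")" \
        "$(log_field DST "$1")" "$(log_field PROTO "$1")"
}

# Constructed sample of what the LOG rule would emit for the missing echo reply
# (192.168.99.10 as the container address is an assumption; the thread gives none).
SAMPLE_LOG='Apr 22 10:30:01 deluge kernel: ipt-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:52:54:00:12:34:56:08:00 SRC=192.168.99.1 DST=192.168.99.10 LEN=84 TOS=0x00 PREC=0x00 TTL=254 ID=1234 PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1'

setup_logndrop
summarize_drop "$SAMPLE_LOG"   # eth0 192.168.99.1 -> 192.168.99.10 ICMP
```

Two things to keep in mind when using it: the LOG target writes to the kernel ring buffer, and since an LXC container shares the host's kernel the lines show up in the host's `dmesg` / `journalctl -k` (grep for the prefix); and the rate limit is there so a flood cannot drown the log while you are reading it. Once the logged line shows the interface, addresses and protocol of the dropped reply, compare them against `iptables-save` (which, unlike `iptables -L`, prints every table and the full match options) rather than against the `-L` summary.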
