[lug] netfilter strangeness

David Anselmi anselmi at anselmi.us
Mon May 30 10:21:33 MDT 2005


Daniel Webb wrote:
> I've been learning how to do iptables filtering along with shaping using tc on
> a Linksys WRT54G.  

That's cool, but why?  Might make an interesting LUG talk.

[...]
> root at webb:~# iptables -L -t mangle -v -n
> Chain PREROUTING (policy ACCEPT 10590 packets, 9383K bytes)
>  pkts bytes target     prot opt in     out     source         destination
> 10281 9254K MARK       all  --  eth1   *       192.168.0.0/24 192.168.0.0/24      MARK set 0x5
> 10280 9254K RETURN     all  --  eth1   *       192.168.0.0/24 192.168.0.0/24
> 
> <snip>
> 
> Chain POSTROUTING (policy ACCEPT 309 packets, 40749 bytes)
>  pkts bytes target     prot opt in     out     source         destination
>   117 10732 MARK       all  --  *      eth1    192.168.0.0/24 192.168.0.0/24      MARK set 0x5
>   117 10732 RETURN     all  --  *      eth1    192.168.0.0/24 192.168.0.0/24
> 
> This was after a reboot followed by a file transfer from one machine on the
> lan to another.  Now, I'm no netfilter expert, but shouldn't the POSTROUTING
> ACCEPT counter be as high as the PREROUTING ACCEPT counter?

No.  You're looking at packets coming in eth1 vs. going out eth1--why 
should they be the same?  You see that the incoming packets are around 
900B on average while the outgoing packets are around 90B.  So that 
looks like the file transfer is coming from a machine hooked to eth1 
(big data packets coming in, small acks going out).  Naturally the data 
packets go out the interface hooked to the receiving machine.

I wonder how the LAN ports are wired?  Does each show up as a different 
interface?  Seems like they do, so you must have some bridging going on. 
That seems to complicate the tables and chains that the packets traverse.

Be interesting to poke around inside one of these.

Dave
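As an added illustration of the arithmetic in Dave's reply (this is not code from the thread, the WRT54G firmware, or iptables itself): a small Python parser for `iptables -L -v -n` output that works out bytes per packet for every rule and for each chain's policy, so the direction of a bulk transfer can be read straight off the counters instead of by eye. The K/M/G suffix handling reflects how iptables abbreviates large counters (`-x` prints them exactly); the packet-size thresholds used to label a rule "bulk data" versus "acks/control" are my own assumptions. The sample input is the PREROUTING/POSTROUTING output quoted above, with the snipped chains left out.

```python
"""Parse `iptables -L -v -n` output and compute bytes-per-packet per rule,
so that bulk-data direction can be distinguished from ACK direction.
Added example; not part of the original mailing-list thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# iptables -v abbreviates big counters with K/M/G (base 1000, rounded);
# `iptables -L -v -n -x` prints exact values and parses the same way.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|\d+ references)\)")

# Assumed thresholds: LAN data segments run near the 1500-byte Ethernet MTU,
# while bare TCP ACKs are in the 54..66-byte range.
BULK_MIN = 500
ACK_MAX = 200


def parse_count(token: str) -> int:
    """Turn '9254K' or '10732' into an integer byte/packet count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter field: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match/target details such as 'MARK set 0x5'

    def avg_bytes(self) -> Optional[float]:
        return self.bytes / self.pkts if self.pkts else None


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # None for user-defined chains
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_v(text: str) -> Dict[str, Chain]:
    """Parse the verbose listing into chains, each with its rule counters."""
    chains: Dict[str, Chain] = {}
    cur: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts"):   # blank or column header
            continue
        m = _CHAIN_RE.match(line)
        if m:
            name, policy, ppk, pby = m.groups()
            cur = Chain(name, policy,
                        parse_count(ppk) if ppk else 0,
                        parse_count(pby) if pby else 0)
            chains[name] = cur
            continue
        if cur is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        # pkts bytes target prot opt in out source destination [extras...]
        f = line.split(None, 9)
        if len(f) < 9:
            raise ValueError(f"unrecognised rule line: {line!r}")
        extra = f[9] if len(f) > 9 else ""
        cur.rules.append(Rule(parse_count(f[0]), parse_count(f[1]), f[2], f[3],
                              f[5], f[6], f[7], f[8], extra))
    return chains


def classify(avg: Optional[float]) -> str:
    """Label a per-rule average packet size (thresholds are assumptions)."""
    if avg is None:
        return "no traffic"
    if avg >= BULK_MIN:
        return "bulk data"
    if avg <= ACK_MAX:
        return "acks/control"
    return "mixed"


def summarize(text: str) -> List[Tuple[str, str, str, str, Optional[float], str]]:
    """One (chain, target, in, out, avg_bytes, label) row per rule."""
    rows = []
    for chain in parse_iptables_v(text).values():
        for r in chain.rules:
            avg = r.avg_bytes()
            rows.append((chain.name, r.target, r.in_if, r.out_if, avg, classify(avg)))
    return rows


# Sample input: the mangle-table output quoted in the thread (snipped chains omitted).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 10590 packets, 9383K bytes)
 pkts bytes target     prot opt in     out     source         destination
10281 9254K MARK       all  --  eth1   *       192.168.0.0/24 192.168.0.0/24      MARK set 0x5
10280 9254K RETURN     all  --  eth1   *       192.168.0.0/24 192.168.0.0/24

Chain POSTROUTING (policy ACCEPT 309 packets, 40749 bytes)
 pkts bytes target     prot opt in     out     source         destination
  117 10732 MARK       all  --  *      eth1    192.168.0.0/24 192.168.0.0/24      MARK set 0x5
  117 10732 RETURN     all  --  *      eth1    192.168.0.0/24 192.168.0.0/24
"""

if __name__ == "__main__":
    for chain, target, i, o, avg, label in summarize(SAMPLE):
        print(f"{chain:12} {target:7} in={i:5} out={o:5} "
              f"avg={avg if avg is None else round(avg, 1)!s:>7} {label}")
```

Run against a live box with `iptables -L -t mangle -v -n | python3 this.py`-style piping after replacing `SAMPLE` with `sys.stdin.read()`; the PREROUTING rule on eth1 comes out at roughly 900 bytes per packet (bulk data arriving) and the POSTROUTING rule out eth1 at roughly 92 (ACKs leaving), which is exactly the asymmetry Dave points out.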
