On Thu, 17 Feb 2022 11:25:15 +0300 Evgeniy Berdnikov via Exim-users wrote:

> On Thu, Feb 17, 2022 at 02:01:49PM +0900, Christian Balzer via Exim-users
> wrote
> > I found it excruciatingly hard to correlate tcpdump and nf_conntrack
> > flows,
>
>  These data can be related via timestamps, they may be enabled for
>  conntrack output:
>
>    conntrack -o timestamp,ktimestamp -E ...
>
>  Note that timestamping for kernel module should be enabled via option
>  net.netfilter.nf_conntrack_timestamp (read man conntrack for details).
>
Thanks for that info!

> > but those ICMP6 destination unreachable packets are the result of
> > the local iptables rejecting a connection to port 43922 (the originating
> > outbound SMTP session from here), something it allowed for the first 2
> > seconds just fine.
> >
> > The:
> > ---
> > -A INPUT -p icmpv6 -j ACCEPT
> > -A INPUT -i bond+ -m state --state ESTABLISHED,RELATED -j ACCEPT
> > ---
>
>  No rejection rules here. Look for your iptables rules to find sources
>  of rejection, then insert logging rules to debug.
>
I was only quoting the relevant rules, as in "with that it should work"
(and it does for everybody else).
Of course there was/is reject at the end:
---
-A INPUT -i bond+ -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i bond+ -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -i bond+ -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i bond+ -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -i bond+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i bond+ -j LOG
-A INPUT -i bond+ -j REJECT
---

And plenty of rejects in the kernel log, which is how I found out
about this in the first place.

Regards,

Christian
--
Christian Balzer        Network/Systems Engineer
[email protected]       Rakuten Communications
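
The timestamp correlation suggested in this thread, as an added example that is not part of either poster's message: it builds per-flow lifetimes from `conntrack -o timestamp -E` events and lists captured packets that arrived while no conntrack entry existed, which are the ones an `ESTABLISHED,RELATED` rule cannot match. It assumes the capture was taken with `tcpdump -tt -n`; the sample lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of `conntrack -o timestamp -E` (not from the thread).
CONNTRACK = """\
[1645074100.100000]     [NEW] tcp      6 120 SYN_SENT src=2001:db8::2 dst=2001:db8::1 sport=43922 dport=25 [UNREPLIED] src=2001:db8::1 dst=2001:db8::2 sport=25 dport=43922
[1645074100.150000]  [UPDATE] tcp      6 432000 ESTABLISHED src=2001:db8::2 dst=2001:db8::1 sport=43922 dport=25 src=2001:db8::1 dst=2001:db8::2 sport=25 dport=43922 [ASSURED]
[1645074102.200000] [DESTROY] tcp      6 src=2001:db8::2 dst=2001:db8::1 sport=43922 dport=25 src=2001:db8::1 dst=2001:db8::2 sport=25 dport=43922
"""
# Constructed sample in the style of `tcpdump -tt -n` (epoch timestamps).
TCPDUMP = """\
1645074101.000000 IP6 2001:db8::1.25 > 2001:db8::2.43922: Flags [P.], length 120
1645074102.500000 IP6 2001:db8::1.25 > 2001:db8::2.43922: Flags [P.], length 80
"""

EVENT = re.compile(r"^\[(\d+\.\d+)\]\s+\[(\w+)\]")
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
PACKET = re.compile(r"^(\d+\.\d+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")

def flow_lifetimes(text):
    """Map (src, sport, dst, dport), for both directions, to [(start, end)]."""
    open_at, spans = {}, {}
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts, event = float(m.group(1)), m.group(2)
        for s, d, sp, dp in TUPLE.findall(line):  # original and reply tuple
            key = (s, int(sp), d, int(dp))
            if event != "DESTROY":
                open_at.setdefault(key, ts)  # NEW, or first UPDATE seen mid-flow
            elif key in open_at:
                spans.setdefault(key, []).append((open_at.pop(key), ts))
    for key, start in open_at.items():  # entry still tracked when logging stopped
        spans.setdefault(key, []).append((start, float("inf")))
    return spans

def untracked_packets(tcpdump_text, spans, slack=0.05):
    """Packets whose timestamp lies outside every lifetime of their flow."""
    out = []
    for line in tcpdump_text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        ts = float(m.group(1))
        key = (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
        if not any(a - slack <= ts <= b + slack for a, b in spans.get(key, [])):
            out.append((ts, key))
    return out

print(untracked_packets(TCPDUMP, flow_lifetimes(CONNTRACK)))
```

The `slack` parameter absorbs small differences between the two tools' clocks; a packet reported here that also appears in the kernel LOG output points at the conntrack entry being gone before the peer stopped sending.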
