On 10/28/07, Gabriel Gunderson <[EMAIL PROTECTED]> wrote:
> On Sun, 2007-10-28 at 17:16 -0600, Hans Fugal wrote:
> > On Sat, 27 Oct 2007 at 15:18 -0600, Kenneth Burgener wrote:
> > > As I mentioned I am fronting iptables with shorewall (to make the
> > > configuration easier).
> >
> > There's your first mistake. I'm in the minority I think, but IMHO
> > shorewall and friends are more trouble than they're worth. This
> > problem serves as a case in point.
>
> In general, I agree with this. But whatever you use, make sure iptables
> has a debugging mode where everything is logged before dropped. It's
> likely you will be able to look at your logs, see what is being dropped,
> and make changes to fix it.
I'd like to point out that what Gabe suggests is good, but only for
temporary *troubleshooting* or validation that a rule actually works. The
logging that iptables does is *very* verbose. Doing one LOG rule at a time
is my motto.

Might I suggest another couple of switches to iptables that might help you
further:

    iptables -Z INPUT    (or whatever chain you want to look at)
    watch iptables -vL --line-numbers

I generally run these two commands together on one line and then try my
actions. Sure, you'll get some packets elsewhere, but you really only care
about your line. If it's not working, you now have the line-numbers option
on and it can help you to delete the rule...

Cheers,
Clint

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
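The zero-then-watch workflow Clint describes, written up as an added example (not from the thread or from any list member): zero the chain's counters, snapshot `iptables -vL INPUT --line-numbers`, try the action, snapshot again, and print only the rules whose pkts counter moved, so the "packets elsewhere" stop being noise. The two snapshots are constructed sample output, not captured from a real host; `changed_rules` is a name chosen here.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Workflow on a real host (needs root):
#   iptables -Z INPUT
#   before=$(iptables -vnL INPUT --line-numbers -x)   # -x: exact counters, no K/M suffixes
#   ... try the connection that is failing ...
#   after=$(iptables -vnL INPUT --line-numbers -x)
#   changed_rules "$before" "$after"
# Output: "<rule number> <packets added> <target>" for each rule that matched.

# Constructed sample snapshots (column layout of `iptables -vL --line-numbers`).
BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT-DROP: "
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

AFTER='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       12   960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT-DROP: "
5        3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# changed_rules "<before snapshot>" "<after snapshot>"
# Prints one line per rule whose packet counter grew: num, delta, target.
changed_rules() {
    { printf '%s\n---\n' "$1"; printf '%s\n' "$2"; } | awk '
        /^---$/          { second = 1; next }        # separator between the two snapshots
        $1 !~ /^[0-9]+$/ { next }                    # skip chain header and column header
        !second          { prev[$1] = $2; next }     # first snapshot: pkts per rule number
        {
            delta = $2 - prev[$1]                    # missing rule in "before" counts as 0
            if (delta > 0) printf "%s %d %s\n", $1, delta, $4
        }'
}

changed_rules "$BEFORE" "$AFTER"
```

Here the LOG rule (4) and the DROP rule (5) both moved by 3 packets, which is the trail the thread suggests reading; the ESTABLISHED rule (2) moved too, and that is the "packets elsewhere" to ignore.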
