Bug#927795: iptables: 140.113.0.0/16 is incorrectly parsed as "not-a-legal-address"

2019-04-23 Thread Niels Thykier
Control: tags -1 moreinfo

On Tue, 23 Apr 2019 20:08:27 +0800 "dongshe...@gmail.com" wrote:
> Package: iptables
> Version: 1.6.1
> Severity: normal
> 
> Dear Maintainers,
> 
> We found a weird bug: `iptables -L` will fail to parse this specific IP
> range 140.113.0.0/16 . It's incorrectly marked as "not-a-legal-address."
> 
> $ iptables --version
> iptables v1.6.1
> $ iptables -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
> $ iptables -L INPUT
> Chain INPUT (policy ACCEPT)
> target     prot opt source                  destination
> f2b-sshd   tcp  --  anywhere                anywhere             multiport dports ssh
> RETURN     tcp  --  not-a-legal-address/16  anywhere             tcp
> $ iptables-save | grep 140.113
> -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
> 
> However, this is definitely a valid IP range. 140.113.0.0/16 is the valid
> IP range in National Chiao Tung University in Taiwan. By the way, although
> it's incorrectly parsed, the rule still seems to work properly.
> 
> Please let me know if you need other information. Thank you.
> 
> Sincerely,
> bookgin

Hi bookgin,

By default, iptables does a reverse DNS lookup and 140.133.0.0 has a
reverse DNS entry with the literal value "not-a-legal-address".

"""
$ nslookup 140.113.0.0
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
0.0.113.140.in-addr.arpa        name = not-a-legal-address.

Authoritative answers can be found from:
0.113.140.in-addr.arpa  nameserver = ns.NCTU.edu.tw.
0.113.140.in-addr.arpa  nameserver = ns2.NCTU.edu.tw.
"""

So I am pretty sure it is "working as intended".  If you want to disable
the reverse DNS lookup, please use "-n" (e.g. "iptables -L -n").  In
this case you should see that iptables uses the CIDR address that you
expect.

Thanks,
~Niels
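The practical lesson of this thread is that `iptables -L` output is not a reliable place to read addresses from, because the source and destination columns may hold whatever the PTR record says. The following added example (written for this thread, not code from iptables or from either poster) audits a chain listing for an expected CIDR and refuses to trust columns that came back as hostnames; the two sample listings are constructed from the output shown in the report.

```python
import ipaddress

# Constructed samples: the INPUT chain as shown by `iptables -L` (reverse DNS
# applied to the columns) and as `iptables -L -n` would print the same rule.
LISTING_RESOLVED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source                  destination
RETURN     tcp  --  not-a-legal-address/16  anywhere             tcp
"""

LISTING_NUMERIC = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RETURN     tcp  --  140.113.0.0/16       0.0.0.0/0            tcp
"""

def to_network(field):
    """Convert a source/destination column to an ip_network.
    Returns None when the column is a resolved hostname, which means the
    listing was taken without -n and cannot be trusted for address checks."""
    if field == "anywhere":  # iptables' resolved spelling of 0.0.0.0/0
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return None

def parse_listing(text):
    """Return (target, proto, source, destination) tuples from a chain listing,
    skipping the 'Chain ...' line, the column header and blank lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Chain ", "target ")):
            continue
        cols = line.split()
        if len(cols) >= 5:  # target prot opt source destination [match text]
            target, proto, _opt, src, dst = cols[:5]
            rules.append((target, proto, src, dst))
    return rules

def audit(text, expected_cidr):
    """Look for expected_cidr in the listing.
    Returns ('match', rule), ('unresolvable', column) when a column is a
    hostname rather than an address, or ('missing', None)."""
    expected = ipaddress.ip_network(expected_cidr)
    for rule in parse_listing(text):
        _target, _proto, src, dst = rule
        nets = [to_network(src), to_network(dst)]
        if None in nets:
            return ("unresolvable", src if nets[0] is None else dst)
        if expected in nets:
            return ("match", rule)
    return ("missing", None)
```

Running `audit` on the `-L` listing returns `('unresolvable', 'not-a-legal-address/16')`, while the `-L -n` listing yields a match for 140.113.0.0/16.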



Bug#927795: iptables: 140.113.0.0/16 is incorrectly parsed as "not-a-legal-address"

2019-04-23 Thread dongshe...@gmail.com
Package: iptables
Version: 1.6.1
Severity: normal

Dear Maintainers,

We found a weird bug: `iptables -L` will fail to parse this specific IP
range 140.113.0.0/16 . It's incorrectly marked as "not-a-legal-address."

$ iptables --version
iptables v1.6.1
$ iptables -A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN
$ iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source                  destination
f2b-sshd   tcp  --  anywhere                anywhere             multiport dports ssh
RETURN     tcp  --  not-a-legal-address/16  anywhere             tcp
$ iptables-save | grep 140.113
-A INPUT -s 140.113.0.0/16 -p tcp -m tcp -j RETURN

However, this is definitely a valid IP range. 140.113.0.0/16 is the valid
IP range in National Chiao Tung University in Taiwan. By the way, although
it's incorrectly parsed, the rule still seems to work properly.

Please let me know if you need other information. Thank you.

Sincerely,
bookgin