On Wed, 2011-07-06 at 23:16 +0200, Alexander Wilms wrote:
> Hi Tom,
>
> here it comes:
>
> horewall 4.4.20.3 Chain net2loc0 at fire - Mi 6. Jul 23:14:49 CEST 2011
>
> Counters reset Mi 6. Jul 23:14:15 CEST 2011
>
> Chain net2loc0 (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>   260 61740 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT     89   --  *      *       0.0.0.0/0            0.0.0.0/0
>
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> icmptype 8 /* Ping */
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 192.168.1.2          tcp dpt:22 ctorigdstport 14027 ctorigdst 62.143.214.30

Although the original destination port was 52022, iptables is
interpreting it as 14027. I have the same problem where port 8080 is
being interpreted as 36895. Looks like the iptables code is missing a
call to hton() since 8080 = 0x1f90 and 36895 = 0x901f. In your case,
52022 = 0xcb36 while 15027 = 0x36cb.

Which iptables version are you running? The bug appears in iptables
1.4.11 but is absent in iptables 1.4.8. Probably in Jan's new guided
option parser for ctstate.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
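
The byte swap discussed in the message above, as an added example that is not part of the original thread and not iptables code: a small C checker that reads the ctorigdstport value from one line of a rule listing and reports whether it equals the configured port with its two bytes exchanged. The function and enum names are illustrative assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exchange the two bytes of a 16-bit port: the value a missing
 * host/network byte-order conversion yields on a little-endian host. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Extract the number after "ctorigdstport " in one listing line.
 * Returns 0 on success, -1 if the match is absent or out of range. */
static int parse_ctorigdstport(const char *line, uint16_t *port)
{
    static const char key[] = "ctorigdstport ";
    const char *p = strstr(line, key);
    unsigned int v;

    if (p == NULL || sscanf(p + sizeof(key) - 1, "%u", &v) != 1 || v > 65535)
        return -1;
    *port = (uint16_t)v;
    return 0;
}

/* Illustrative result codes (not from iptables or Shorewall). */
enum verdict { PORT_OK, PORT_BYTE_SWAPPED, PORT_MISMATCH, PORT_ABSENT };

/* Compare the port shown in the listing with the port that was configured. */
static enum verdict check_rule(const char *line, uint16_t configured)
{
    uint16_t shown;
    if (parse_ctorigdstport(line, &shown) != 0)
        return PORT_ABSENT;
    if (shown == configured)
        return PORT_OK;
    if (shown == swap16(configured))
        return PORT_BYTE_SWAPPED;
    return PORT_MISMATCH;
}

int main(void)
{
    /* Rule line taken from the quoted listing; configured port was 52022. */
    const char *line = "0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2 "
                       "tcp dpt:22 ctorigdstport 14027 ctorigdst 62.143.214.30";
    printf("verdict=%d (1 = byte-swapped)\n", check_rule(line, 52022));
    printf("8080 with bytes exchanged = %u\n", swap16(8080));
    return 0;
}
```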
