Opened 9 years ago

Closed 8 years ago

Last modified 4 years ago

#4723 closed defect (obsolete)

r13788 fix_mtu broken if using "option include"

Reported by: Weedy <weedy2887@…>
Owned by: developers
Priority: high
Milestone: Barrier Breaker 14.07
Component: base system
Version:
Keywords: r13788 fix_mtu option include
Cc:

Description

I have Sympatico DSL and as such need fix_mtu. I have been trying to track down why, after an update to HEAD, my incoming SSH connections were dropped whenever a large amount of data was sent (i.e. a full packet), which led me to r13788. Because I'm using SNAT and the forward chain is not covered anymore, my rules fail whenever a large packet is sent. I also tried forwarding SSH with the example redirect rule, with the same outcome.

If I could do the following within the current framework I could stop using include.

# match connections already seen >3 times and DROP, otherwise DNAT
iptables -t nat -A prerouting_rule -d $IP -p tcp --dport 22 -m state --state NEW -m recent --name ATTACKER_SSH --rsource --update --seconds 180 --hitcount 3 -j DROP
iptables -t nat -A prerouting_rule -d $IP -p tcp --dport 22 -m state --state NEW -m recent --name ATTACKER_SSH --rsource --set
#192.168.8.102
iptables -t nat -A prerouting_rule -d $IP -p tcp -m multiport --dports 22,80,443,993 -j DNAT --to 192.168.8.102
iptables        -A forwarding_rule        -p tcp -m multiport --dports 22,80,443,993 -d 192.168.8.102 -j ACCEPT
iptables -t nat -A postrouting_rule -o $LAN -p tcp -s 192.168.8.0/24 -d 192.168.8.102 -m multiport --dports 22,80,443,993 -j SNAT --to-source 192.168.8.1

Change History (2)

comment:1 Changed 8 years ago by nbd

  • Resolution set to obsolete
  • Status changed from new to closed

should have been fixed in r17762

comment:2 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
