On Wed, Dec 20, 2006 at 10:01:11AM +1100, Howard Lowndes wrote:
> 
> 
> Howard Lowndes wrote:
> >
> >
> >Alex Samad wrote:
> >>On Tue, Dec 19, 2006 at 02:17:54PM +1100, Howard Lowndes wrote:
> >>>I have a number of iptables rules on my border ppp0 connection that 
> >>>are designed to collect traffic stats.
> >>>
> >>>One of the rules looks for inbound IPIP (protocol 4) traffic.
> >>>
> >>>The counters for this rule should not be changing as there should be 
> >>>no inbound IPIP traffic, but they are, but when I do a tcpdump on the 
> >>>ppp0 interface specifically looking for protocol 4 - nothing.
> >>>
> >>>Here is the rule:
> >>># iptables -L wanacctin -vnx
> >>>Chain wanacctin (2 references)
> >>>    pkts      bytes target     prot opt in     out     source      destination
> >>>  126052 42815767 RETURN     4    --  *      *       0.0.0.0/0    0.0.0.0/0
> >>
> >>why not add a log statement before 
> >
> >I will do.  It's just that I would have expected tcpdump to have found it.
> 
> I followed up on this suggestion and have identified where the IPIP 
> traffic is coming from and it is some of my client sites that I can 
> access so I have put log statements into the iptables rules at both ends 
> and bingo - there is the traffic - except that, even though I have the 
> rule in the INPUT, OUTPUT and FORWARD chains, it is only logging from the 
> INPUT chain in all cases and is in both directions, from me to them and 
> from them to me.  I have yet to identify what is running that could be 
> generating this IPIP traffic; that is the next mystery, because I gave up 
> using IPIP tunnelling in favour of IPSec tunnelling a long time ago.

Have you tried ip tu? I would presume that if the ipip is terminating on your box
that is why you are not seeing it in FORWARD; not exactly sure about the OUTPUT
table.

Do you have an allow established,related at the top of your tables? All but
the initial packets will be captured here.

You could always block the traffic and see what breaks.


alex

> 
> 
> >
> >>
> >>>and here are the rules that call this chain:
> >>># iptables -L INPUT -vnx |grep -e bytes -e wanacctin
> >>>Chain INPUT (policy DROP 639 packets, 44355 bytes)
> >>>    pkts      bytes target     prot opt in     out     source      destination
> >>> 4600933 2224764386 wanacctin  all  --  ppp0   *       0.0.0.0/0      0.0.0.0/0
> >>>
> >>>and:
> >>># iptables -L FORWARD -vnx |grep -e bytes -e wanacctin
> >>>Chain FORWARD (policy DROP 917 packets, 68087 bytes)
> >>>    pkts      bytes target     prot opt in     out     source      destination
> >>> 7248300 880565184 wanacctin  all  --  ppp0   *       0.0.0.0/0     0.0.0.0/0
> >>>
> >>>
> >>>Weird...
> >>>
> >>>
> >>>
> >>>-- 
> >>>Howard.
> >>>LANNet Computing Associates - Your Linux people <http://lannetlinux.com>
> >>>When you want a computer system that works, just choose Linux;
> >>>When you want a computer system that works, just, choose Microsoft.
> >>>-- 
> >>>Flatter government, not fatter government; abolish the Australian 
> >>>states.
> >>>
> >>>-- 
> >>>SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> >>>Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
> >>>
> >
> 
> -- 
> Howard.
> LANNet Computing Associates - Your Linux people <http://lannetlinux.com>
> When you want a computer system that works, just choose Linux;
> When you want a computer system that works, just, choose Microsoft.
> --
> Flatter government, not fatter government; abolish the Australian states.
> 

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
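The ordering point Alex raises (an ACCEPT for RELATED,ESTABLISHED above the jump into the accounting chain means the counters only ever see the first packet of each flow) and the "are the counters moving?" question from Howard's first mail can both be checked offline from saved `iptables -L <chain> -vnx` output. The script below is an added example, not code from this thread or from Howard's firewall: the sample dumps are constructed (the wanacctin snapshot reuses the counts Howard posted, the second snapshot is made up), the function names are mine, and it assumes the `-L -vnx` column layout shown in the thread (pkts, bytes, target, prot, opt, in, out, source, destination, extras). The live commands in the header comment correspond to the suggestions made in the thread; they need root and are not run by the script.

```shell
#!/bin/sh
# Added example for the thread above; not code from the list or from Howard's
# firewall. It checks two things offline from saved `iptables -L <chain> -vnx`
# output: (1) whether a RELATED,ESTABLISHED ACCEPT sits above the jump into the
# accounting chain, so the counters only see the first packet of each flow,
# and (2) how much a per-protocol counter moved between two snapshots.
#
# Live commands the thread's suggestions correspond to (need root; not run here):
#   ip tunnel show                               # any IPIP tunnel still configured?
#   tcpdump -ni ppp0 'ip proto 4'                # IPIP on the wire, before conntrack
#   iptables -I INPUT 1 -i ppp0 -p 4 -j LOG --log-prefix 'ipip-in: '
#   iptables -L INPUT -vnx --line-numbers        # confirm rule ordering

# Constructed sample: an early conntrack ACCEPT shadows the accounting jump.
SAMPLE_SHADOWED='Chain INPUT (policy DROP 639 packets, 44355 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 9000000 5000000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4600933 2224764386 wanacctin  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: accounting jump first, so every packet is counted.
SAMPLE_OK='Chain INPUT (policy DROP 639 packets, 44355 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 4600933 2224764386 wanacctin  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 9000000 5000000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Two snapshots of the accounting chain; the first reuses the counts Howard
# posted, the second is constructed to show movement on the protocol 4 rule.
ACCT_T0='Chain wanacctin (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  126052 42815767 RETURN     4    --  *      *       0.0.0.0/0            0.0.0.0/0'
ACCT_T1='Chain wanacctin (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  126060 42818511 RETURN     4    --  *      *       0.0.0.0/0            0.0.0.0/0'

# accounting_position DUMP CHAIN
# Prints "shadowed" if an ACCEPT for RELATED,ESTABLISHED precedes the jump to
# CHAIN, "ok" if the jump comes first, "missing" if CHAIN is never jumped to.
accounting_position() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        NR <= 2 { next }                                  # chain title + column header
        $3 == "ACCEPT" && /RELATED,ESTABLISHED|ESTABLISHED,RELATED/ { early = 1 }
        $3 == chain { print (early ? "shadowed" : "ok"); found = 1; exit }
        END { if (!found) print "missing" }'
}

# rule_pkts DUMP PROTO
# Prints the packet counter of the first rule whose prot column equals PROTO.
rule_pkts() {
    printf '%s\n' "$1" | awk -v proto="$2" 'NR > 2 && $4 == proto { print $1; exit }'
}

# proto_delta DUMP_BEFORE DUMP_AFTER PROTO
# Prints how many packets the PROTO rule counted between two snapshots.
proto_delta() {
    before=$(rule_pkts "$1" "$3")
    after=$(rule_pkts "$2" "$3")
    echo $((after - before))
}

# Stand-alone demonstration.
echo "shadowed sample: $(accounting_position "$SAMPLE_SHADOWED" wanacctin)"
echo "ordered sample:  $(accounting_position "$SAMPLE_OK" wanacctin)"
echo "IPIP packets counted between snapshots: $(proto_delta "$ACCT_T0" "$ACCT_T1" 4)"
```

On a live box, feed the functions with `"$(iptables -L INPUT -vnx)"` and two runs of `"$(iptables -L wanacctin -vnx)"` a minute apart; a non-zero delta on the protocol 4 rule while the LOG rule stays quiet would point at ordering (the LOG rule sitting below an earlier ACCEPT) rather than at tcpdump.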