[BBLISA] Troubleshooting iptables/netfilter problems
John Miller
johnmill at brandeis.edu
Fri Feb 28 11:16:42 EST 2014
Hey there folks,
We're running into an issue with our LDAP servers where legitimate
packets are being intermittently (say 1/10000) rejected by iptables.
They match one of our ACCEPT rules, yet still get rejected (we're seeing
the return ICMP traffic).
I don't yet have any evidence to support this, but I'm thinking that
we're bumping up against some sort of internal netfilter limit--perhaps
with connection tracking or stateful matching.
The problem seems to have cropped up in moving from RHEL 5 to RHEL 6.
The rules in question:
What should be hit:
-A RH-Firewall-1-INPUT -s 129.64.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 636 -j ACCEPT
What is actually being hit:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Anyone run into this sort of problem before?
John
--
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
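The following is an added triage script for the "ACCEPT rule matches on paper, REJECT fires anyway" situation John describes; it is not part of his post or of Brandeis' configuration. Its premise is that a packet which reaches the final REJECT despite matching source and port can only have failed the `-m state --state NEW` test, so the useful evidence is (a) conntrack table pressure and (b) the TCP flags of the packets actually being rejected, captured with a LOG rule placed just before the REJECT. The chain name, the 129.64.0.0/16 source, and port 636 come from the post; the LOG prefixes, the rule-number argument to `diag_rules`, and the three sample LOG lines are assumptions/constructed data.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for triaging
# packets that fall through "-m state --state NEW" to a REJECT rule.

# 1. Conntrack table pressure. On RHEL 6 the live values are
#    /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.
#    Takes count and max as arguments so it can run on captured numbers:
#      conntrack_pressure "$(cat .../nf_conntrack_count)" "$(cat .../nf_conntrack_max)"
conntrack_pressure() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo UNKNOWN; return 0; }
    pct=$(( count * 100 / max ))
    if [ "$count" -ge "$max" ]; then echo FULL
    elif [ "$pct" -ge 90 ]; then echo HIGH
    else echo OK
    fi
}

# 2. Emit iptables commands that log what reaches the REJECT rule.
#    $1 is the REJECT rule's line number, e.g. from:
#      iptables -L RH-Firewall-1-INPUT -n --line-numbers | awk '/REJECT/{print $1}'
#    Both LOG rules land above the REJECT; -m limit keeps dmesg readable.
#    (Prefixes "LDAPS-INVALID: " / "LDAPS-REJECT: " are assumed names.)
diag_rules() {
    n=$1
    cat <<EOF
iptables -I RH-Firewall-1-INPUT $n -s 129.64.0.0/16 -p tcp --dport 636 -m limit --limit 10/min -j LOG --log-prefix "LDAPS-REJECT: "
iptables -I RH-Firewall-1-INPUT $n -s 129.64.0.0/16 -p tcp --dport 636 -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "LDAPS-INVALID: "
EOF
}

# 3. Classify one kernel LOG line from the rules above. A bare SYN that still
#    reached REJECT means conntrack did not call it NEW; ACK/RST/FIN means the
#    packet belongs to a flow conntrack no longer tracks or considers INVALID
#    (out-of-window segment, entry already expired, etc.).
classify_log_line() {
    line=$1
    src=$(printf '%s\n' "$line" | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p')
    dpt=$(printf '%s\n' "$line" | sed -n 's/.* DPT=\([0-9]*\) .*/\1/p')
    case "$src" in
        129.64.*) ;;                       # inside the 129.64.0.0/16 ACCEPT source
        *) echo "OUTSIDE-SCOPE src=$src"; return 0 ;;
    esac
    [ "$dpt" = 636 ] || { echo "OUTSIDE-SCOPE dpt=$dpt"; return 0; }
    # Kernel LOG prints flags as separate tokens before "URGP=", so a
    # space-delimited match is reliable.
    case " $line " in
        *" RST "*|*" FIN "*|*" ACK "*) echo "NOT-NEW src=$src" ;;
        *" SYN "*)                     echo "SYN-REJECTED src=$src" ;;
        *)                             echo "NO-FLAGS src=$src" ;;
    esac
}

# Constructed sample LOG lines (not real captures) in the kernel's format.
SAMPLE_SYN='LDAPS-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=129.64.10.7 DST=129.64.99.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=41222 DPT=636 WINDOW=14600 RES=0x00 SYN URGP=0'
SAMPLE_ACK='LDAPS-INVALID: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=129.64.10.7 DST=129.64.99.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=41222 DPT=636 WINDOW=229 RES=0x00 ACK PSH URGP=0'
SAMPLE_OUT='LDAPS-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=129.64.99.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12347 DF PROTO=TCP SPT=5000 DPT=636 WINDOW=14600 RES=0x00 SYN URGP=0'

# Demo run against the constructed data.
echo "conntrack: $(conntrack_pressure 65530 65536)"
classify_log_line "$SAMPLE_SYN"
classify_log_line "$SAMPLE_ACK"
classify_log_line "$SAMPLE_OUT"
```

Two caveats worth keeping in mind when reading the output. First, a full conntrack table does not send packets down the chain: the kernel drops them and logs "nf_conntrack: table full, dropping packet", so an icmp-host-prohibited reply proves the packet reached the REJECT rule, which points at state classification (the packet was not NEW, most often INVALID) rather than at the count limit. Second, on RHEL 6 the per-CPU `invalid` counter from `conntrack -S` (conntrack-tools) and the `net.netfilter.nf_conntrack_tcp_be_liberal` sysctl, which relaxes TCP window tracking, are the usual next things to look at once the LOG lines show ACK-bearing segments being rejected.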