I'm having issues with my iptables setup. I was trying to access some servers using their NetBIOS names. The problem is that NetBIOS name resolution isn't working. It works fine when I turn off my firewall.
Here's my iptables setup.
iptables -nvL:
[code]
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 TCP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 ctstate NEW
0 0 UDP udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain TCP (1 references)
pkts bytes target prot opt in out source destination
Chain UDP (1 references)
pkts bytes target prot opt in out source destination
[/code]
iptables-save:
[code]
# Generated by iptables-save v1.4.10 on Sat Jul 30 21:02:13 2011
*filter
:INPUT DROP [442:100997]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1130:238303]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
COMMIT
# Completed on Sat Jul 30 21:02:13 2011
[/code]
After a bit of troubleshooting, I found out that this line is the problem:
[code]-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT[/code]
From what I get from the way NetBIOS names are resolved, the client sends a broadcast to the entire network and whoever has the name sends a response. For some odd reason, the iptables rule doesn't want to accept the packets. The line above should accept all packets that are related or part of an already established connection.
How do I fix this?
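The broadcast-then-unicast-reply behaviour described in the question, modelled as an added example that is not part of the original post: a simplified conntrack shows that the answer from the named host does not match the reverse of the tracked broadcast tuple, so it is classified NEW and falls through the empty UDP chain to the INPUT DROP policy. The addresses are constructed samples and the nf_conntrack_netbios_ns helper is reduced to a single expectation.

```python
# Added example (not from the original post): a minimal model of how conntrack
# classifies an inbound UDP packet, showing why a NetBIOS name-query reply is
# NEW rather than ESTABLISHED and so falls through the empty UDP chain to the
# INPUT DROP policy of the ruleset above. Addresses are constructed samples.

class ConntrackModel:
    """Simplified nf_conntrack: an inbound packet is ESTABLISHED only if its
    (src_ip, src_port, dst_ip, dst_port) exactly equals the reverse of a
    tracked outbound tuple."""

    def __init__(self, broadcast, netbios_ns_helper=False):
        self.broadcast = broadcast
        self.helper = netbios_ns_helper
        self.flows = set()      # original and reply tuples of tracked flows
        self.expected = set()   # (client_ip, client_port) awaiting an NBNS answer

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        self.flows.add((src_ip, src_port, dst_ip, dst_port))
        # The reply is expected to come back *from the destination address*,
        # which for a broadcast query is the broadcast address, not a real host.
        self.flows.add((dst_ip, dst_port, src_ip, src_port))
        if self.helper and dst_ip == self.broadcast and dst_port == 137:
            # nf_conntrack_netbios_ns adds an expectation so that an answer from
            # any LAN host to the querying client's port is matched as RELATED.
            self.expected.add((src_ip, src_port))

    def classify(self, src_ip, src_port, dst_ip, dst_port):
        if (src_ip, src_port, dst_ip, dst_port) in self.flows:
            return "ESTABLISHED"
        if (dst_ip, dst_port) in self.expected:
            return "RELATED"
        return "NEW"


def input_verdict(state, dst_port, udp_chain_accepts_137=False):
    """Poster's INPUT chain: RELATED/ESTABLISHED accepted, NEW UDP to UDP chain, else DROP."""
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    if udp_chain_accepts_137 and dst_port == 137:
        return "ACCEPT"
    return "DROP"


def netbios_reply_state(helper=False):
    # Client .10 broadcasts a name query from UDP 137; host .20 answers unicast.
    ct = ConntrackModel("192.168.1.255", netbios_ns_helper=helper)
    ct.outbound("192.168.1.10", 137, "192.168.1.255", 137)
    return ct.classify("192.168.1.20", 137, "192.168.1.10", 137)
```

The model reflects the two usual fixes: an explicit rule in the UDP chain accepting port 137 from the local subnet, or loading the nf_conntrack_netbios_ns helper so the answer is matched as RELATED by the existing rule.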