Bug 50205 - iptables ignores --dport
Summary: iptables ignores --dport
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-07-28 00:49 UTC by Need Real Name
Modified: 2007-04-18 16:35 UTC (History)
0 users

(edit)
Clone Of:
(edit)
Last Closed: 2001-07-28 00:49:21 UTC


Attachments (Terms of Use)

Description Need Real Name 2001-07-28 00:49:17 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:0.9.1)
Gecko/20010607 Netscape6/6.1b1

Description of problem:
iptables ignores pop3 and smtp port settings on --dport

How reproducible:
Always

Steps to Reproduce:
/sbin/iptables -A FORWARD -o eth1  -p tcp  -s pat.foo.com
       -d $MAIL_SRV --destination-port pop3  -j LOG
   /sbin/iptables -A FORWARD -o eth1  -p tcp  -s pat.foo.com
       -d $MAIL_SRV --destination-port pop3  -j REJECT
   /sbin/iptables -A FORWARD -o eth1  -p tcp  -s pat.foo.com
       -d $MAIL_SRV --destination-port smtp  -j LOG
   /sbin/iptables -A FORWARD -o eth1  -p tcp  -s pat.foo.com
       -d $MAIL_SRV --destination-port smtp  -j REJECT


	

Actual Results:   Chain FORWARD (policy DROP)
   target     prot opt source            destination
   LOG        tcp  --  Pat.foo.com         anywhere  tcp dpt:pop3 LOG 
level warning
   REJECT     tcp  --  Pat.foo.com         anywhere  tcp dpt:pop3 
reject-with icmp-port-unreachable
   LOG        tcp  --  Pat.foo.com         anywhere  tcp dpt:smtp LOG 
level warning
   REJECT     tcp  --  Pat.foo.com         anywhere  tcp dpt:smtp 
reject-with icmp-port-unreachable



Expected Results:   the destination should be the IP addres for $MAIL_SRV
not "anywhere".  Actual test with live packets confirmed the "anywhere"
problem.  No pop3 or smtp traffic was allowed out of Pat.foo.com to
anywhere


Additional info:

Reproducing this may require the entire firewall.  Please eMail me
if it is required and I will send it to you

Comment 1 Bernhard Rosenkraenzer 2001-07-30 12:58:08 UTC
Can't reproduce this in 1.2.2-3



Note You need to log in before you can comment on or make changes to this bug.