Why is iptables denying something explicitly specified as OK in a rule?

by jQwierdy   Last Updated October 10, 2019 00:00 AM

I've got these rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
... other rules, non-involving tap777 ...
-A INPUT -i tap777 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i tap777 -p udp -m udp --dport 53 -j ACCEPT

And I'm seeing this in the logs:

Oct 25 04:09:43 ip-xxx-xx-xx-xxx 1 kernel: [ 1824.841222] iptables denied: IN=tap777 OUT= MAC=xx:xx:c6:93:91:bb:b8:ae:ed:7b:d1:83:08:xx SRC=10.20.1.141 DST=10.20.1.1 LEN=343 TOS=0x00 PREC=0x00 TTL=128 ID=4977 PROTO=UDP SPT=68 DPT=67 LEN=323 

To me it seems the denied packet is exactly what the rule specifies: same dport, same proto, same in-interface. So I only wonder if it has something to do with it not being the right chain?

sudo iptables -L gives:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT     udp  --  anywhere             anywhere             udp dpt:11900
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Could someone give me some insight into why this may be? Or something to try? Thanks!



2 Answers


LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "

is throttling packets and denying them, hence the logs. Move it to second-to-last in the INPUT chain. It will start working for sure. Hope this helps! Please support and mark the answer as helped or answered if it did. Thanks :)

Anirudh Malhotra
October 25, 2016 05:41 AM
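The chain ordering is the whole story here, and the caveat worth stating plainly is that the log prefix says "denied" while the DHCP packet is in fact accepted. In iptables, LOG is a non-terminating target: it writes the line and evaluation continues with the next rule, so a packet to udp/67 on tap777 is logged by the LOG rule and then matched by the bootps ACCEPT two rules further down. The Python below is an added example, not code from the question or either answer; it models just that part of netfilter behaviour on the INPUT chain as posted and shows what changes when the LOG rule is moved to second-to-last. Assumptions: the first "ACCEPT all" rule is "-i lo" (iptables -L without -v hides interface matches, and the log line proves the packet got past that rule), the -i tap777 matches on the bootps/domain rules come from the posted rule file, and the limit match, ICMP type and reject-with type are left out because they do not affect the outcome.

```python
# Added example, not code from the original question or answers. It models the
# part of netfilter behaviour that explains the log line: rules in a chain are
# evaluated top to bottom, ACCEPT/REJECT/DROP end the walk, LOG writes a line
# and lets evaluation continue, and an unmatched packet gets the chain policy.
# Not modelled (irrelevant to the point): the "limit" match on the LOG rule,
# ICMP types, and the reject-with type.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


@dataclass
class Packet:
    in_iface: str
    proto: str                 # "udp", "tcp", "icmp"
    dport: Optional[int]
    src: str
    dst: str
    ctstate: str = "NEW"       # conntrack state: "NEW", "ESTABLISHED", "RELATED"


@dataclass
class Rule:
    target: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_net: Optional[str] = None
    ctstate: Optional[FrozenSet[str]] = None
    log_prefix: str = ""

    def matches(self, p: Packet) -> bool:
        """True when every match the rule carries agrees with the packet."""
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst_net is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.ctstate is not None and p.ctstate not in self.ctstate:
            return False
        return True


def walk_chain(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk one chain for one packet; return (verdict, log lines emitted)."""
    logged: List[str] = []
    for rule in rules:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            # LOG is a non-terminating target: record the line, keep walking.
            logged.append(f"{rule.log_prefix}IN={p.in_iface} SRC={p.src} DST={p.dst} "
                          f"PROTO={p.proto.upper()} DPT={p.dport}")
            continue
        if rule.target in TERMINATING:
            return rule.target, logged
    return policy, logged


# The INPUT chain as listed in the question. "iptables -L" without -v hides
# interface matches; the -i tap777 on the bootps/domain rules comes from the
# posted rule file, and the first ACCEPT is assumed to be "-i lo" (a plain
# "ACCEPT all" there would accept everything and the LOG line could never fire).
INPUT_AS_POSTED: List[Rule] = [
    Rule("ACCEPT", in_iface="lo"),                              # assumption, see above
    Rule("REJECT", dst_net="127.0.0.0/8"),
    Rule("ACCEPT", ctstate=frozenset({"RELATED", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="icmp"),
    Rule("LOG", log_prefix="iptables denied: "),                # sits above the UDP accepts
    Rule("ACCEPT", proto="udp", dport=11900),
    Rule("ACCEPT", in_iface="tap777", proto="udp", dport=67),
    Rule("ACCEPT", in_iface="tap777", proto="udp", dport=53),
    Rule("REJECT"),
]


def log_rules_before_final_reject(rules: List[Rule]) -> List[Rule]:
    """Return a copy of the chain with every LOG rule moved to second-to-last,
    so it only sees packets that no earlier ACCEPT claimed."""
    logs = [r for r in rules if r.target == "LOG"]
    rest = [r for r in rules if r.target != "LOG"]
    return rest[:-1] + logs + rest[-1:]


INPUT_FIXED = log_rules_before_final_reject(INPUT_AS_POSTED)

# Constructed from the values in the posted log line (IN/SRC/DST/DPT).
DHCP_REQUEST = Packet(in_iface="tap777", proto="udp", dport=67, src="10.20.1.141", dst="10.20.1.1")
# Constructed: the same DHCP packet arriving on an interface the rule does not name.
DHCP_FROM_ETH0 = Packet(in_iface="eth0", proto="udp", dport=67, src="10.20.1.141", dst="10.20.1.1")

if __name__ == "__main__":
    for name, chain in (("as posted", INPUT_AS_POSTED), ("LOG moved", INPUT_FIXED)):
        for pkt in (DHCP_REQUEST, DHCP_FROM_ETH0):
            verdict, lines = walk_chain(chain, pkt)
            print(f"{name:10} IN={pkt.in_iface:6} -> {verdict:6} logged={len(lines)}")
```

With the chain as posted, the tap777 DHCP packet is logged with the "denied" prefix and then accepted; with the LOG rule moved to just before the final REJECT, the same packet is accepted silently and only traffic that really reaches the REJECT (for example the same packet on eth0) is logged. To see the live chain with interface matches visible, use iptables -S INPUT or iptables -L INPUT -v -n --line-numbers; the simplest way to reorder is to move the LOG line in the rule file to just above the final REJECT and reload it with iptables-restore. A LOG rule whose prefix says "denied" but which fires for accepted traffic is worse than no log at all, since anything alerting on that prefix will page on legitimate DHCP and DNS.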

"iptables denied: " is only a prefix for your log line; you can change it to anything you like.

Talal Al-Khalifa
October 09, 2019 23:55 PM
