Strange iptables rules

[Jack Yaz]

Can anyone explain what these do for me please?

-A iptfromlan -o eth0 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A iptfromlan -o tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i eth0 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun11 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN
-A ipttolan -i tun21 -m account--aaddr 10.14.16.0/255.255.255.0 --aname lan  -j RETURN

 

[Jack Yaz]

....is it iptraffic and i'm being dense?

 

[ColinTaylor]

Yes, it's IPTraffic. Although I don't know why you have multiple entries for tun21.

 

[Jack Yaz]

probably me toggling the vpn server off and on, a bug maybe?

 

[sfx2000]

probably me toggling the vpn server off and on, a bug maybe?

probably due to you playing around with the VPN as the IP's are all 10-dots...

 

[RMerlin]

It's a limitation/bug in ipt_account, that kernel module fails to remove rules for some reason, as it's unable to locate the existing rule. Unfortunately its author disappeared a few years ago, and never returned my previous emails concerning bugs with the 2.6.36 kernel support (fortunately I was able to fix it myself back then).

admin@Stargate88:/tmp# iptables -D ipttolan -i tun12 -m account --aaddr 192.168.10.0/255.255.255.0 --aname lan -j RETURN
iptables: Bad rule (does a matching rule exist in that chain?).

Not being a Netfilter kernel code expert, fixing this is outside of my field of expertise. Plus, that old module is becoming increasingly useless, as it cannot handle IPv6 traffic at all, and due to the way it's designed, it never will either.

The issue is more cosmetic than anything (aside from a mostly un-measurable performance hit) , and restarting the firewall will clear up the chains.

service restart_firewall