I want to test some network performance, where I need to use a TCP client to connect to a TCP server program on the same host, so I used localhost (127.0.0.1). However, when the TCP SYN is sent, it gets a RESET:
12:04:27.550292 IP localhost.55047 > localhost.54000: Flags [S], seq 1451460422, win 43690, options [mss 65495,sackOK,TS val 2409691925 ecr 0,nop,wscale 7], length 0
12:04:27.550319 IP localhost.54000 > localhost.55047: Flags [R.], seq 0, ack 1451460423, win 0, length 0
I think the issue is the iptables rules.
From iptables-restore, for INPUT I have:
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 51000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 30000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 54001 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 30001 -j ACCEPT
-A INPUT -i em1 -p udp -m udp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i em1 -p udp -m udp --dport 5000 -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
The related line is:
-A INPUT -i lo -j ACCEPT
From iptables --list, I have:
Chain INPUT (policy DROP)
target        prot opt source     destination
ACCEPT        all  --  anywhere   anywhere
ACCEPT        all  --  anywhere   anywhere     ctstate RELATED,ESTABLISHED
ACCEPT        icmp --  anywhere   anywhere
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:54000
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:51000
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:30000
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:54001
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:pago-services1
ACCEPT        udp  --  anywhere   anywhere     udp dpt:54000
ACCEPT        tcp  --  anywhere   anywhere     tcp dpt:http
ACCEPT        udp  --  anywhere   anywhere     udp dpt:commplex-main
INPUT_direct  all  --  anywhere   anywhere
There is no network interface involved. (BTW, for this line: "ACCEPT all -- anywhere anywhere", what does it mean? Does it accept all protocols and all ports?)
So what can I modify to allow any traffic related to the loopback interface lo?
Thanks!
1 Answer
About your second question, give this command a try:
iptables -L -v
-L is equivalent to --list, and -v gives you a more verbose output and will display the interface concerned by your rule.
P.S.: I know it is an old post, but this answer would have helped me 2 days ago, so ...
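As an added example (not part of the question or the answer), here is a small Python first-match simulator over a subset of the INPUT rules quoted above, in iptables-save syntax; RULES, parse_rules and verdict are names chosen for this example, and it only understands the -i, -p, --dport and --ctstate matches those rules use, ignoring the INPUT_direct and INPUT_ZONES jumps. It shows that a SYN arriving on lo hits "-A INPUT -i lo -j ACCEPT" before any later rule, so the INPUT chain shown already accepts loopback traffic, while the same SYN on an interface other than em1 falls through to the DROP policy.

```python
import shlex

# Constructed subset of the INPUT rules quoted in the question (iptables-save syntax).
RULES = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p udp -m udp --dport 54000 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 80 -j ACCEPT
"""

def parse_rules(text):
    """Return (policy, rules) for chain INPUT; only -i, -p, --dport, --ctstate, -j are kept."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] in ("-i", "-p", "--dport", "--ctstate", "-j"):
                    rule[tok[i]] = tok[i + 1]
                    i += 2
                elif tok[i] == "-m":
                    i += 2  # match module name; its criteria follow as separate options
                else:
                    i += 1
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, iface, proto, dport=None, ctstate="NEW"):
    """Walk the chain in order: the first rule whose criteria all match decides,
    otherwise the chain policy applies (this is iptables' first-match semantics)."""
    for r in rules:
        if r.get("-i") not in (None, iface):
            continue
        if r.get("-p") not in (None, proto):
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        if "--ctstate" in r and ctstate not in r["--ctstate"].split(","):
            continue
        return r["-j"]
    return policy

if __name__ == "__main__":
    policy, rules = parse_rules(RULES)
    print("SYN on lo to 54000:", verdict(policy, rules, "lo", "tcp", 54000))      # ACCEPT
    print("SYN on eth0 to 54000:", verdict(policy, rules, "eth0", "tcp", 54000))  # DROP
```

Because the loopback SYN is accepted here, a RST on 127.0.0.1 is worth checking against the OUTPUT chain and against whether anything is actually listening on the port (iptables -L -v -n shows per-rule packet counters, which makes it easy to see which rule a packet hit).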