RE: state ESTABLISHED,RELATED ignored within a bridge


 



 Hello Rob,

 I thought I would have to use ebtables, but this config USED TO WORK on an older Linux setup.
 
 So, why is it not working now?
 Has something happened to the handling of bridge interfaces between 2.4 and 2.6, or to the iptables version?
 
 Stéphane

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On behalf of Rob
Sterenborg
Sent: Thursday, 5 January 2006 18:05
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: state ESTABLISHED,RELATED ignored within a bridge


>  Hello all,
> 
>  when I use the rules:
>    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>    $IPTABLES -A INPUT -j DROP
> 
>  The server cannot ping or telnet any other host!
> 
>  My interfaces config :
>    ifconfig eth0 0.0.0.0 promisc
>    ifconfig eth1 0.0.0.0 promisc
>    brctl addbr br0
>    brctl addif br0 eth0
>    brctl addif br0 eth1
>    ifconfig br0 10.0.0.8 netmask 255.255.240.0 up
> 
>  Firewall rules :
>    echo "1" > /proc/sys/net/ipv4/ip_forward
>    IPTABLES='/sbin/iptables'
>    $IPTABLES -F
>    $IPTABLES -X
>    $IPTABLES -A INPUT -p tcp -d 10.0.0.8 --dport 22 -j ACCEPT
>    $IPTABLES -A INPUT -d 10.0.0.8 -m state --state RELATED,ESTABLISHED -j ACCEPT   (1)
>    $IPTABLES -A INPUT -d 10.0.0.8 -m state --state INVALID -j DROP                 (2)
>    $IPTABLES -A INPUT -j DROP
> 
>  This machine is to be a bridge shaping traffic.
>  It does its job OK, but if I include line (1) or (2) the
> machine cannot contact any other host!
> 
>  I did:  $IPTABLES -A INPUT -i lo -j ACCEPT
>  and even: $IPTABLES -A INPUT -s 10.0.0.8 -j ACCEPT  But to no
> avail.
> 
>  I guess something is going wrong with the DROP instruction.
> 
>  My config is a Fedora Core 4 with kernel version
> 2.6.11-1.1369_FC4. Iptables version : 1.3.0
>  This script used to work fine with an old redhat, kernel was 2.4.18.
> 
>  Is there a patch to apply to the kernel? Is this a known bug?
>  I saw that some others already had this kind of problem, but I did
> not find any answer.

I've never used bridging, but it seems to me you are trying to use it
without bridge rules.
IMO you need ebtables for this. http://ebtables.sourceforge.net


Gr,
Rob
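The posted script and Rob's pointer to ebtables concern two different layers of filtering on a bridging host: the iptables INPUT chain for traffic addressed to the box itself, and frame-level rules for what is forwarded between eth0 and eth1. The following is an added example written for this archive page, not Stéphane's posted config and not code from the ebtables project. It reads the 2.6 bridge-netfilter sysctl that decides whether bridged IPv4 frames are passed through iptables at all, and emits a host-protection INPUT ruleset plus a minimal ebtables FORWARD policy. The bridge address 10.0.0.8 and the ssh port come from the post; /proc/sys/net/bridge/bridge-nf-call-iptables is the real 2.6 knob; the function names and the "apply" mode are this example's own choices.

```sh
#!/bin/sh
# Added example for this thread, not Stéphane's or Rob's configuration.
# Assumptions: bridge br0 carrying 10.0.0.8 and ssh on port 22 (from the
# post); /proc/sys/net/bridge/bridge-nf-call-iptables is the 2.6
# bridge-netfilter knob; function names and the "apply" mode are this
# example's own. Nothing is applied unless run as: sh bridge-fw.sh apply

BR_IP=${BR_IP:-10.0.0.8}
IPTABLES=${IPTABLES:-/sbin/iptables}
EBTABLES=${EBTABLES:-/sbin/ebtables}

# With CONFIG_BRIDGE_NETFILTER (2.6), this sysctl decides whether IPv4
# frames bridged between eth0 and eth1 are run through iptables at all.
# Prints "0" or "1", or "absent" when the kernel has no bridge-netfilter.
# The path is a parameter so the function can be checked against a file.
bridge_nf_call_iptables() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        echo absent
    fi
}

# iptables INPUT policy for traffic addressed to the bridge host itself.
# Order matters: loopback and replies to the host's own connections are
# accepted before any DROP; the state match is not restricted to
# -d $BR_IP, so replies to anything the host itself sent are accepted
# regardless of destination address; only NEW ssh connections are let
# in before the final DROP.
emit_iptables_rules() {
    cat <<EOF
$IPTABLES -F INPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp -d $BR_IP --dport 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -j DROP
EOF
}

# Frame-level policy for what the bridge forwards between eth0 and eth1,
# the layer Rob points at: only ARP and IPv4 cross the bridge; every
# other ethertype is dropped by ebtables before iptables ever sees it.
emit_ebtables_rules() {
    cat <<EOF
$EBTABLES -F FORWARD
$EBTABLES -P FORWARD DROP
$EBTABLES -A FORWARD -p ARP -j ACCEPT
$EBTABLES -A FORWARD -p IPv4 -j ACCEPT
EOF
}

# With "apply" the rulesets are executed; otherwise they are printed so
# the policy can be reviewed before it touches a live bridge.
if [ "${1:-}" = apply ]; then
    echo "bridge-nf-call-iptables = $(bridge_nf_call_iptables)"
    { emit_iptables_rules; emit_ebtables_rules; } | sh -e
else
    emit_iptables_rules
    emit_ebtables_rules
fi
```

Run without arguments to review the generated rules; check the printed sysctl value first when applying, since with bridge-nf-call-iptables set to 1 the FORWARD chain also sees every IPv4 frame the box bridges, not only traffic the box routes.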




