Weird issue with bridging

This is my situation:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP qlen 1000
    link/ether f0:4d:a2:ea:98:3b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f24d:a2ff:feea:983b/64 scope link
       valid_lft forever preferred_lft forever
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether f0:4d:a2:ea:98:3b brd ff:ff:ff:ff:ff:ff
    inet 10.15.12.31/20 brd 10.15.15.255 scope global br0
    inet 10.35.1.1/24 scope global br0
    inet6 fe80::f24d:a2ff:feea:983b/64 scope link
       valid_lft forever preferred_lft forever

# ip r
default via 10.15.1.1 dev br0  metric 203
10.15.0.0/20 dev br0  proto kernel  scope link  src 10.15.12.31  metric 203
10.35.1.0/24 dev br0  proto kernel  scope link  src 10.35.1.1

Kernel version is 3.5.3. IP forwarding is enabled. iptables ruleset is
as follows:

# iptables-save
# Generated by iptables-save v1.4.15 on Mon Sep  3 15:39:08 2012
*nat
:PREROUTING ACCEPT [8648:2385567]
:INPUT ACCEPT [2470:347871]
:OUTPUT ACCEPT [199:13134]
:POSTROUTING ACCEPT [201:13441]
-A POSTROUTING -s 10.35.1.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Sep  3 15:39:08 2012
# Generated by iptables-save v1.4.15 on Mon Sep  3 15:39:08 2012
*filter
:INPUT ACCEPT [160957:46446065]
:FORWARD ACCEPT [768:64512]
:OUTPUT ACCEPT [53976:17902101]
COMMIT
# Completed on Mon Sep  3 15:39:08 2012

Now I have a device (a NAS) on the same L2 network that has IP address
10.35.1.10/24, and is using 10.35.1.1 (i.e. the above machine) as its
default gateway. I want to provide Internet access to that device
through my machine. I thought that the above configuration would
already work; however, the NAS does not get connectivity. On my
machine, I see incoming traffic from the NAS being NATed and forwarded
to 10.15.1.1 correctly, and I see return traffic coming back and entering my
eth0, where it just disappears. On br0 I see no return traffic.

However, doing this makes the NAS work:

# echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

(it was 1 before). I don't see how this matters, since my iptables
ruleset has no blocking rule whatsoever, so why would calling iptables
cause packets to be dropped? Perhaps I don't fully understand exactly
what that option does. However, setting it to 0 definitely makes it
work.

Alternatively, leaving it at 1 but putting the br0 interface in
promiscuous mode (e.g. by running tcpdump) again makes it work, and the
NAS can send and receive Internet traffic.

I don't understand what's going on here. Do you have any hints?

Thanks
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
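The setup described in this post has a recognisable shape: the MASQUERADE'd client subnet and the default route both live on the same bridge device, IP forwarding is on, and bridge-nf-call-iptables=1 hands bridged frames to iptables as well. The following is an added example (not code from the poster or the netfilter project) that parses `ip r` and `iptables-save` output in the format shown above and flags that combination, so an operator can spot it before debugging packet drops; the sample input is constructed from the post's own output, and the `hairpin_bridges` function name and the sysctl dictionary are assumptions of this example.

```python
"""Flag bridges where NAT'd clients and the uplink share one device while
br_netfilter passes bridged frames to iptables (added example, not from the post)."""
import ipaddress
import re

# Constructed from the post's `ip r` output.
IP_ROUTE = """\
default via 10.15.1.1 dev br0  metric 203
10.15.0.0/20 dev br0  proto kernel  scope link  src 10.15.12.31  metric 203
10.35.1.0/24 dev br0  proto kernel  scope link  src 10.35.1.1
"""
# Constructed from the post's `iptables-save` nat table.
IPTABLES_SAVE = """\
*nat
-A POSTROUTING -s 10.35.1.0/24 -j MASQUERADE
COMMIT
"""
# Assumed sysctl snapshot, as the poster reports it (before the change to 0).
SYSCTLS = {"net.ipv4.ip_forward": 1, "net.bridge.bridge-nf-call-iptables": 1}

def parse_routes(text):
    """Return (device of the default route, {connected network: device})."""
    default_dev, connected = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if fields[0] == "default":
            default_dev = dev
        elif "/" in fields[0]:
            connected[ipaddress.ip_network(fields[0])] = dev
    return default_dev, connected

def parse_masquerade_sources(text):
    """Return the -s networks of MASQUERADE rules in the nat POSTROUTING chain."""
    pat = re.compile(r"^-A POSTROUTING .*?-s (\S+) .*-j MASQUERADE")
    return [ipaddress.ip_network(m.group(1))
            for m in map(pat.match, text.splitlines()) if m]

def hairpin_bridges(route_text, ipt_text, sysctls):
    """Devices carrying both the MASQUERADE'd subnet and the default route,
    reported only when forwarding is on and bridged frames reach iptables."""
    if not (sysctls.get("net.ipv4.ip_forward") and
            sysctls.get("net.bridge.bridge-nf-call-iptables")):
        return []
    default_dev, connected = parse_routes(route_text)
    flagged = []
    for src in parse_masquerade_sources(ipt_text):
        for net, dev in connected.items():
            if src.subnet_of(net) and dev == default_dev and dev not in flagged:
                flagged.append(dev)
    return flagged
```

With the post's data the function reports `br0`; with bridge-nf-call-iptables set to 0, as the poster did, it reports nothing.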