Re: iptables not possible to respond on request which comes from ebtables

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Le 15/07/2016 à 23:31, marko.rakamaric@xxxxxxxxx a écrit :


Here are iptable INPUT  logs:
IPTIN=eth1 OUT= MAC=14:ea:31:1e:00:e1:20:1c:8a:b2:ef:85:08:00 SRC=192.168.1.44 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21871 DF PROTO=ICMP TYPE=8 CODE=0 ID=4104 SEQ=12
IPTIN=eth1 OUT= MAC=14:ea:31:1e:00:e1:20:1c:8a:b2:ef:85:08:00 SRC=192.168.1.44 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21959 DF PROTO=ICMP TYPE=8 CODE=0 ID=4104 SEQ=13
IPTIN=eth1 OUT= MAC=14:ea:31:1e:00:e1:20:1c:8a:b2:ef:85:08:00 SRC=192.168.1.44 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21984 DF PROTO=ICMP TYPE=8 CODE=0 ID=4104 SEQ=14

Here are iptable OUTPUT logs:
IPTIN= OUT=br0 SRC=192.168.1.1 DST=192.168.1.44 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=62294 PROTO=ICMP TYPE=0 CODE=0 ID=29857 SEQ=481
IPTIN= OUT=br0 SRC=192.168.1.1 DST=192.168.1.44 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=62378 PROTO=ICMP TYPE=0 CODE=0 ID=29857 SEQ=482
IPTIN= OUT=br0 SRC=192.168.1.1 DST=192.168.1.44 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=62462 PROTO=ICMP TYPE=0 CODE=0 ID=29857 SEQ=483
These INPUT and OUTPUT logs don't match. The ICMP ID and sequence numbers are different. So I guess they were captured at different times. 


# broute BROUTING (ACCEPT):
ebtables -t broute -A BROUTING -p IPv4 --logical-in br0 --ip-dst 192.168.1.1 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p ARP --logical-in br0 --arp-ip-dst 192.168.1.1 -j redirect --redirect-target DROP


May I ask what is the purpose of this strange setup ?
If the original destination is the bridging box itself, then you don't need to do all this mangling. 


iptables:
# INPUT (ACCEPT-only for testing)
iptables -I INPUT -i br0 -d 192.168.1.1 -j ACCEPT
Note that the broute target causes the input interface to be the bridge port (eth1) instead of the bridge (br0), as can be seen in the INPUT log. 
So you must accept packets on this interface too.
Also you may need to check that /proc/sys/ipv4/conf/eth1/rp_filter is set to 0 to disable source address validation which expects packets from 192.168.1.44 to be received on br0, not eth1 (iptables does not know about bridging). 
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux