Bridge Problem ! don't understand anuthing !

07-14-2005, 03:27 PM

Hi

I've gat a problem that's outside my knowledge !
so I describe it to you :

I've get a linux gateway with 3 network iface : eth0 to the ethernet
adsl modem, eth1 to my network and ath0 is a Wireless card used as an
Access Point.

because I use linux-igd, I decide to create a bridge between the two LAN
iface in order to only deal with 2 iface !

so br0 is a bridge between eth0 and ath0.

I create iptables rules using br0 and eth1. those rules are simple :

Chain PREROUTING (policy ACCEPT)
target prot opt in out source destination
DROP all -- eth1 * 0.0.0.0/0 192.168.0.0/24
DROP all -- eth1 * 192.168.0.0/24 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt in out source destination
MASQUERADE all -- * eth1 192.168.0.0/24 0.0.0.0/0

Chain INPUT (policy DROP)
target prot opt in out source destination
INETIN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67

INETIN is my input filter for icmp and services (smtp http ...)
(unusefull to show it)

Chain FORWARD (policy DROP)
target prot opt in out source destination
ACCEPT all -- eth1 br0 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- br0 eth1 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- !eth1 !eth1 192.168.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt in out source destination
INETOUT all -- * eth1 0.0.0.0/0 0.0.0.0/0

INETOUT is my output filter for services

when using linux-igd, rules are adding to PREROUTING with target DNAT :

target prot opt in out source destination
DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5662
to:192.168.0.2:5662
DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5672
to:192.168.0.2:5672

so everything look nice ! but if a dump packet on eth1, I can see this :

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:24:06.232072 IP 209.67.220.58.42895 > <my public ip>.5662: S
2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646790852
0,nop,wscale 0>
17:24:06.232757 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:09.047839 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:09.224100 IP 209.67.220.58.42895 > <my public ip>.5662: S
2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791152
0,nop,wscale 0>
17:24:09.224407 IP <my public ip>.5662 > 209.67.220.58.42895: . ack
2699075761 win 65535 <nop,nop,timestamp 243533 646790852>
17:24:15.032186 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:15.222856 IP 209.67.220.58.42895 > <my public ip>.5662: S
2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791752
0,nop,wscale 0>

we can see that packet from LAN to NET are not NATing !!!
please help I'don't understand !

Buzzer

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Under attack ... or not ? Trying to understand.	Peter	Network Routers	0	07-20-2008 03:04 PM
I don't understand that!	Harry Bloomfield	Broadband	4	10-28-2007 04:17 PM
Problem to understand the meaning of a log of ShoreWall	didou	Linux Networking	4	12-16-2005 10:30 PM
I understand what SSL is but what exactly is SSL/TLS?	Spin	Windows Networking	2	12-02-2005 08:58 PM
Trying to understand FTP	Paul	Linux Networking	2	04-29-2004 07:53 AM