Bridge problem! I don't understand anything!

Discussion in 'Linux Networking' started by buzzer, Jul 14, 2005.

    buzzer (Guest)

    Hi

    I've got a problem that's outside my knowledge!
    So I'll describe it to you:

    I've got a Linux gateway with 3 network interfaces: eth0 to the Ethernet
    ADSL modem, eth1 to my network, and ath0, a wireless card used as an
    access point.

    Because I use linux-igd, I decided to create a bridge between the two LAN
    interfaces in order to only deal with 2 interfaces!

    So br0 is a bridge between eth0 and ath0.

    I created iptables rules using br0 and eth1. Those rules are simple:

    Chain PREROUTING (policy ACCEPT)
    target prot opt in out source destination
    DROP all -- eth1 * 0.0.0.0/0 192.168.0.0/24
    DROP all -- eth1 * 192.168.0.0/24 0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT)
    target prot opt in out source destination
    MASQUERADE all -- * eth1 192.168.0.0/24 0.0.0.0/0

    Chain INPUT (policy DROP)
    target prot opt in out source destination
    INETIN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0
    ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67

    INETIN is my input filter for ICMP and services (SMTP, HTTP, ...)
    (not useful to show it)

    Chain FORWARD (policy DROP)
    target prot opt in out source destination
    ACCEPT all -- eth1 br0 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- br0 eth1 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- !eth1 !eth1 192.168.0.0/24 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt in out source destination
    INETOUT all -- * eth1 0.0.0.0/0 0.0.0.0/0

    INETOUT is my output filter for services

    When using linux-igd, rules are added to PREROUTING with target DNAT:

    target prot opt in out source destination
    DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5662
    to:192.168.0.2:5662
    DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5672
    to:192.168.0.2:5672

    So everything looks nice! But if I dump packets on eth1, I can see this:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    17:24:06.232072 IP 209.67.220.58.42895 > <my public ip>.5662: S
    2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646790852
    0,nop,wscale 0>
    17:24:06.232757 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
    498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
    0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:24:09.047839 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
    498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
    0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:24:09.224100 IP 209.67.220.58.42895 > <my public ip>.5662: S
    2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791152
    0,nop,wscale 0>
    17:24:09.224407 IP <my public ip>.5662 > 209.67.220.58.42895: . ack
    2699075761 win 65535 <nop,nop,timestamp 243533 646790852>
    17:24:15.032186 IP 192.168.0.2.5662 > 209.67.220.58.42895: S
    498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale
    0,nop,nop,timestamp 0 0,nop,nop,sackOK>
    17:24:15.222856 IP 209.67.220.58.42895 > <my public ip>.5662: S
    2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791752
    0,nop,wscale 0>

    We can see that packets from LAN to NET are not being NATed!!!
    Please help, I don't understand!

    Buzzer
     
    buzzer, Jul 14, 2005
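An added check, not from the poster, that parses the tcpdump lines quoted above and flags the symptom described: replies leaving the WAN side (eth1 in these rules) with the internal 192.168.0.2 source instead of the public address. WAN_IP is a placeholder for the poster's redacted public IP.

```python
import ipaddress
import re

# The tcpdump lines quoted in the post, one packet per line with the TCP
# options trimmed. <my public ip> was redacted by the poster; WAN_IP below is
# an arbitrary placeholder standing in for it.
WAN_IP = "1.2.3.4"
CAPTURE = f"""\
17:24:06.232072 IP 209.67.220.58.42895 > {WAN_IP}.5662: S 2699075760:2699075760(0) win 5840
17:24:06.232757 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
17:24:09.047839 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
17:24:09.224100 IP 209.67.220.58.42895 > {WAN_IP}.5662: S 2699075760:2699075760(0) win 5840
17:24:09.224407 IP {WAN_IP}.5662 > 209.67.220.58.42895: . ack 2699075761 win 65535
17:24:15.032186 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
17:24:15.222856 IP 209.67.220.58.42895 > {WAN_IP}.5662: S 2699075760:2699075760(0) win 5840
"""

# Private ranges that must never appear as a source on the WAN side.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Timestamp, "IP", src.port > dst.port: then the TCP flags field.
PKT = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

def parse(capture):
    """Turn tcpdump text into a list of dicts; lines that are not IPv4/TCP are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = PKT.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            pkts.append({"ts": ts, "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport), "flags": flags})
    return pkts

def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def find_nat_leaks(pkts):
    """Packets heading out with a private source address: replies that missed the reverse NAT."""
    return [p for p in pkts if is_rfc1918(p["src"]) and not is_rfc1918(p["dst"])]

def summarize(pkts):
    """Count inbound packets, correctly NATed replies and leaked replies."""
    leaks = find_nat_leaks(pkts)
    inbound = [p for p in pkts if not is_rfc1918(p["src"]) and p["dst"] == WAN_IP]
    natted = [p for p in pkts if p["src"] == WAN_IP]
    return {"inbound": len(inbound), "natted_replies": len(natted), "leaked_replies": len(leaks)}
```

On this capture the three SYN-ACKs from 192.168.0.2 are reported as leaks while the single ACK from the public address counts as a correctly NATed reply, which matches what the poster observes.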