Iptables not working with RH9

Iptables not working with RH9

[Derek Storvik]

Hello all
  Hopefully someone can see my error.   
I have been running RH7.3 with it's standard kernal version 2.4.18-3 for several months configured as a transparent bridging firewall. We recently purchased a new machine and wanted to install RH9 with its standard kernal 2.4.20( i think)I followed the same steps installed with iptables and bridging utils and used my same script file to setup the bridge with two nics and fill in all my rules. This didn't seem to work right and on further testing realized NOTHING was being filtered. I then rebooted and manualy set up the bridge and cleared all the tables and set the default policy to drop. SO at this point nothing should get through. Well it bridges everything, and the counters in iptables do not increment. The system acts as if it is not there what so ever.

here is the setup after the basic minimal install
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth1 0.0.0.0 promisc
ifconfig eth0 0.0.0.0 promisc
#bring up bridge with either of the next two commands
ifconfig br0 up
ip link set br0 up
#both do the same thing  namely nothing
iptables -X
iptables -F
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

This setup happily bridges packets right on through with no updates to the iptables counters.

I have been experimenting with devil linux as well recently and it exhibits the same problem. 

ip_forwarding is set to 0  as it has been on my working rh7.3 machine I tried setting it to 1 but that didn't help the problems. Im not 100% sure what exactl the ip_forwarding property corresponds to anyway.

any help would be greatly appreciated!
   Thanks
         Derek

Re: Iptables not working with RH9

[Scott MacKay]

Did you add on the iptables hook for bridging and
activate all the proper configuration settings?
I has a similar problem with 2.4.22 (under RH9)
because I forgot to  menuconfig and add in the proper
settings.

--- Derek Storvik <dstorvik@pf.ueo.ohio-state.edu>
wrote:
> Hello all
>   Hopefully someone can see my error.   
> I have been running RH7.3 with it's standard kernal
> version 2.4.18-3 for several months configured as a
> transparent bridging firewall. We recently purchased
> a new machine and wanted to install RH9 with its
> standard kernal 2.4.20( i think)I followed the same
> steps installed with iptables and bridging utils and
> used my same script file to setup the bridge with
> two nics and fill in all my rules. This didn't seem
> to work right and on further testing realized
> NOTHING was being filtered. I then rebooted and
> manualy set up the bridge and cleared all the tables
> and set the default policy to drop. SO at this point
> nothing should get through. Well it bridges
> everything, and the counters in iptables do not
> increment. The system acts as if it is not there
> what so ever.
> 
> here is the setup after the basic minimal install
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig eth1 0.0.0.0 promisc
> ifconfig eth0 0.0.0.0 promisc
> #bring up bridge with either of the next two
> commands
> ifconfig br0 up
> ip link set br0 up
> #both do the same thing  namely nothing
> iptables -X
> iptables -F
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> 
> This setup happily bridges packets right on through
> with no updates to the iptables counters.
> 
> I have been experimenting with devil linux as well
> recently and it exhibits the same problem. 
> 
> ip_forwarding is set to 0  as it has been on my
> working rh7.3 machine I tried setting it to 1 but
> that didn't help the problems. Im not 100% sure what
> exactl the ip_forwarding property corresponds to
> anyway.
> 
> any help would be greatly appreciated!
>    Thanks
>          Derek
> 
> 


__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/

Re: Iptables not working with RH9

[Derek Storvik]

I have not custom compiled the kernel. I was first using rh7.3 and it works straight out of the box.   I assumed that they would not have taken that code back out of the precompiled kernel but i suppose they could have

Derek 

>>> Scott MacKay <scottmackay@yahoo.com> 11/20/03 11:17AM >>>
Did you add on the iptables hook for bridging and
activate all the proper configuration settings?
I has a similar problem with 2.4.22 (under RH9)
because I forgot to  menuconfig and add in the proper
settings.

--- Derek Storvik <dstorvik@pf.ueo.ohio-state.edu>
wrote:
> Hello all
>   Hopefully someone can see my error.   
> I have been running RH7.3 with it's standard kernal
> version 2.4.18-3 for several months configured as a
> transparent bridging firewall. We recently purchased
> a new machine and wanted to install RH9 with its
> standard kernal 2.4.20( i think)I followed the same
> steps installed with iptables and bridging utils and
> used my same script file to setup the bridge with
> two nics and fill in all my rules. This didn't seem
> to work right and on further testing realized
> NOTHING was being filtered. I then rebooted and
> manualy set up the bridge and cleared all the tables
> and set the default policy to drop. SO at this point
> nothing should get through. Well it bridges
> everything, and the counters in iptables do not
> increment. The system acts as if it is not there
> what so ever.
> 
> here is the setup after the basic minimal install
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig eth1 0.0.0.0 promisc
> ifconfig eth0 0.0.0.0 promisc
> #bring up bridge with either of the next two
> commands
> ifconfig br0 up
> ip link set br0 up
> #both do the same thing  namely nothing
> iptables -X
> iptables -F
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> 
> This setup happily bridges packets right on through
> with no updates to the iptables counters.
> 
> I have been experimenting with devil linux as well
> recently and it exhibits the same problem. 
> 
> ip_forwarding is set to 0  as it has been on my
> working rh7.3 machine I tried setting it to 1 but
> that didn't help the problems. Im not 100% sure what
> exactl the ip_forwarding property corresponds to
> anyway.
> 
> any help would be greatly appreciated!
>    Thanks
>          Derek
> 
> 


__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/ 

Re: Iptables not working with RH9

[Ramin Dousti]

I have no experience with bridging code on linux but one thing comes to mind
about your setup. A bridge acts at layer 2. Netfilter is hooked into the IP
layer (layer 3). So when you're bridging, I'd say, it's normal that the drop
policy has no effect... Or I may be wrong...

Ramin

On Thu, Nov 20, 2003 at 10:54:41AM -0500, Derek Storvik wrote:

> Hello all
>   Hopefully someone can see my error.   
> I have been running RH7.3 with it's standard kernal version 2.4.18-3 for several months configured as a transparent bridging firewall. We recently purchased a new machine and wanted to install RH9 with its standard kernal 2.4.20( i think)I followed the same steps installed with iptables and bridging utils and used my same script file to setup the bridge with two nics and fill in all my rules. This didn't seem to work right and on further testing realized NOTHING was being filtered. I then rebooted and manualy set up the bridge and cleared all the tables and set the default policy to drop. SO at this point nothing should get through. Well it bridges everything, and the counters in iptables do not increment. The system acts as if it is not there what so ever.
> 
> here is the setup after the basic minimal install
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig eth1 0.0.0.0 promisc
> ifconfig eth0 0.0.0.0 promisc
> #bring up bridge with either of the next two commands
> ifconfig br0 up
> ip link set br0 up
> #both do the same thing  namely nothing
> iptables -X
> iptables -F
> iptables -P FORWARD DROP
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> 
> This setup happily bridges packets right on through with no updates to the iptables counters.
> 
> I have been experimenting with devil linux as well recently and it exhibits the same problem. 
> 
> ip_forwarding is set to 0  as it has been on my working rh7.3 machine I tried setting it to 1 but that didn't help the problems. Im not 100% sure what exactl the ip_forwarding property corresponds to anyway.
> 
> any help would be greatly appreciated!
>    Thanks
>          Derek
> 

Re: Iptables not working with RH9

[Scott MacKay]

Very true.  To use iptables, you need a bridge patch,
such as ebtables on sourceforge.net.  It patches the
OS to allow netfilter to hook into bridge for the
rules.  Works fine!  I would suggest getting the
2.4.22 kernel, get the latest off of sourceforge
(under 'ebtables').
You get into the dist dir, do a patch -p1 < PATCHFILE,
use make menuconfig or whatever to activate the
modules and rebuild the kernel.  Works like a charm.


--- Ramin Dousti <ramin@cannon.eng.us.uu.net> wrote:
> I have no experience with bridging code on linux but
> one thing comes to mind
> about your setup. A bridge acts at layer 2.
> Netfilter is hooked into the IP
> layer (layer 3). So when you're bridging, I'd say,
> it's normal that the drop
> policy has no effect... Or I may be wrong...
> 
> Ramin
> 
> On Thu, Nov 20, 2003 at 10:54:41AM -0500, Derek
> Storvik wrote:
> 
> > Hello all
> >   Hopefully someone can see my error.   
> > I have been running RH7.3 with it's standard
> kernal version 2.4.18-3 for several months
> configured as a transparent bridging firewall. We
> recently purchased a new machine and wanted to
> install RH9 with its standard kernal 2.4.20( i
> think)I followed the same steps installed with
> iptables and bridging utils and used my same script
> file to setup the bridge with two nics and fill in
> all my rules. This didn't seem to work right and on
> further testing realized NOTHING was being filtered.
> I then rebooted and manualy set up the bridge and
> cleared all the tables and set the default policy to
> drop. SO at this point nothing should get through.
> Well it bridges everything, and the counters in
> iptables do not increment. The system acts as if it
> is not there what so ever.
> > 
> > here is the setup after the basic minimal install
> > brctl addbr br0
> > brctl addif br0 eth0
> > brctl addif br0 eth1
> > ifconfig eth1 0.0.0.0 promisc
> > ifconfig eth0 0.0.0.0 promisc
> > #bring up bridge with either of the next two
> commands
> > ifconfig br0 up
> > ip link set br0 up
> > #both do the same thing  namely nothing
> > iptables -X
> > iptables -F
> > iptables -P FORWARD DROP
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > 
> > This setup happily bridges packets right on
> through with no updates to the iptables counters.
> > 
> > I have been experimenting with devil linux as well
> recently and it exhibits the same problem. 
> > 
> > ip_forwarding is set to 0  as it has been on my
> working rh7.3 machine I tried setting it to 1 but
> that didn't help the problems. Im not 100% sure what
> exactl the ip_forwarding property corresponds to
> anyway.
> > 
> > any help would be greatly appreciated!
> >    Thanks
> >          Derek
> > 
> 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: Iptables not working with RH9

[Josh Berry]

The bridge-nf code does not come enabled by default with rh7.3.  I don't
think that it comes enabled by default on any kernels.

> I have not custom compiled the kernel. I was first using rh7.3 and it
> works straight out of the box.   I assumed that they would not have taken
> that code back out of the precompiled kernel but i suppose they could have
>
> Derek
>
>>>> Scott MacKay <scottmackay@yahoo.com> 11/20/03 11:17AM >>>
> Did you add on the iptables hook for bridging and
> activate all the proper configuration settings?
> I has a similar problem with 2.4.22 (under RH9)
> because I forgot to  menuconfig and add in the proper
> settings.
>
> --- Derek Storvik <dstorvik@pf.ueo.ohio-state.edu>
> wrote:
>> Hello all
>>   Hopefully someone can see my error.
>> I have been running RH7.3 with it's standard kernal
>> version 2.4.18-3 for several months configured as a
>> transparent bridging firewall. We recently purchased
>> a new machine and wanted to install RH9 with its
>> standard kernal 2.4.20( i think)I followed the same
>> steps installed with iptables and bridging utils and
>> used my same script file to setup the bridge with
>> two nics and fill in all my rules. This didn't seem
>> to work right and on further testing realized
>> NOTHING was being filtered. I then rebooted and
>> manualy set up the bridge and cleared all the tables
>> and set the default policy to drop. SO at this point
>> nothing should get through. Well it bridges
>> everything, and the counters in iptables do not
>> increment. The system acts as if it is not there
>> what so ever.
>>
>> here is the setup after the basic minimal install
>> brctl addbr br0
>> brctl addif br0 eth0
>> brctl addif br0 eth1
>> ifconfig eth1 0.0.0.0 promisc
>> ifconfig eth0 0.0.0.0 promisc
>> #bring up bridge with either of the next two
>> commands
>> ifconfig br0 up
>> ip link set br0 up
>> #both do the same thing  namely nothing
>> iptables -X
>> iptables -F
>> iptables -P FORWARD DROP
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>>
>> This setup happily bridges packets right on through
>> with no updates to the iptables counters.
>>
>> I have been experimenting with devil linux as well
>> recently and it exhibits the same problem.
>>
>> ip_forwarding is set to   as it has been on my
>> working rh7.3 machine I tried setting it to 1 but
>> that didn't help the problems. Im not 100% sure what
>> exactl the ip_forwarding property corresponds to
>> anyway.
>>
>> any help would be greatly appreciated!
>>    Thanks
>>          Derek
>>
>>
>
>
> __________________________________
> Do you Yahoo!?
> Free Pop-Up Blocker - Get it now
> http://companion.yahoo.com/
>
>
>
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com

Re: Iptables not working with RH9

[Derek Storvik]

That's not true.   RH7.3  does come with the bridge-nf code enabled.
I have not recompiled the kernel and I can set it up and it works. I just reinstalled rh7.3 last thursday to make sure i hadn't "forgotten" that i had recompiled the kernel and sure enough right after a minimal install I manually setup a bridge and it started bridging the connection then i used iptables to filter and block it and that worked as well.
  So it does come with RH7.3  but the fact that you believe it doesn't come on any kernel probably tells me that RH9.0 doesn't have it ( I think mandrake 9.0 comes precompiled with the bridge code as well.)
  Thanks Derek
>>> "Josh Berry" <josh.berry@linknet-solutions.com> 11/20/03 08:47PM >>>
The bridge-nf code does not come enabled by default with rh7.3.  I don't
think that it comes enabled by default on any kernels.

> I have not custom compiled the kernel. I was first using rh7.3 and it
> works straight out of the box.   I assumed that they would not have taken
> that code back out of the precompiled kernel but i suppose they could have
>
> Derek
>
>>>> Scott MacKay <scottmackay@yahoo.com> 11/20/03 11:17AM >>>
> Did you add on the iptables hook for bridging and
> activate all the proper configuration settings?
> I has a similar problem with 2.4.22 (under RH9)
> because I forgot to  menuconfig and add in the proper
> settings.
>
> --- Derek Storvik <dstorvik@pf.ueo.ohio-state.edu>
> wrote:
>> Hello all
>>   Hopefully someone can see my error.
>> I have been running RH7.3 with it's standard kernal
>> version 2.4.18-3 for several months configured as a
>> transparent bridging firewall. We recently purchased
>> a new machine and wanted to install RH9 with its
>> standard kernal 2.4.20( i think)I followed the same
>> steps installed with iptables and bridging utils and
>> used my same script file to setup the bridge with
>> two nics and fill in all my rules. This didn't seem
>> to work right and on further testing realized
>> NOTHING was being filtered. I then rebooted and
>> manualy set up the bridge and cleared all the tables
>> and set the default policy to drop. SO at this point
>> nothing should get through. Well it bridges
>> everything, and the counters in iptables do not
>> increment. The system acts as if it is not there
>> what so ever.
>>
>> here is the setup after the basic minimal install
>> brctl addbr br0
>> brctl addif br0 eth0
>> brctl addif br0 eth1
>> ifconfig eth1 0.0.0.0 promisc
>> ifconfig eth0 0.0.0.0 promisc
>> #bring up bridge with either of the next two
>> commands
>> ifconfig br0 up
>> ip link set br0 up
>> #both do the same thing  namely nothing
>> iptables -X
>> iptables -F
>> iptables -P FORWARD DROP
>> iptables -P INPUT DROP
>> iptables -P OUTPUT DROP
>>
>> This setup happily bridges packets right on through
>> with no updates to the iptables counters.
>>
>> I have been experimenting with devil linux as well
>> recently and it exhibits the same problem.
>>
>> ip_forwarding is set to   as it has been on my
>> working rh7.3 machine I tried setting it to 1 but
>> that didn't help the problems. Im not 100% sure what
>> exactl the ip_forwarding property corresponds to
>> anyway.
>>
>> any help would be greatly appreciated!
>>    Thanks
>>          Derek
>>
>>
>
>
> __________________________________
> Do you Yahoo!?
> Free Pop-Up Blocker - Get it now
> http://companion.yahoo.com/ 
>
>
>
>


Thanks,
Josh Berry, CTO
LinkNet-Solutions
469-831-8543
josh.berry@linknet-solutions.com