From: "Admin on sosi.sk" <admin@sosi.sk>
To: netfilter@lists.netfilter.org
Subject: Netfilter problem..
Date: Wed, 5 Apr 2006 22:54:50 +0200
Message-ID: <004001c658f3$2e8b34d0$2001a8c0@sosi>
In-Reply-To: 20060405173107.74543229166@sosi.sk

Hi all,

I have interfaces:
eth0 - WAN
eth1 - LAN
eth2 - free
ath0 - Atheros AP

Then I have made a bridge br0(192.168.1.1) from ath0(0.0.0.0), eth1(0.0.0.0) 
because I want wired and wireless network in one address range 192.168.1.0 - 
192.168.1.255
and I run dhcp server over bridge br0.

Over eth1(wired network) works all fine.

I can not obtain IP address from dhcp over wifi interface ath0 and I get 
this message in
tcpdump -vv -i br0
-------------------------------------------------------------------------------
br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] 
head:c35d23e0, raw:c35d23fe, data:c35d23fe
-------------------------------------------------------------------------------
/var/log/messages
-------------------------------------------------------------------------------
Apr  4 22:38:23 sosiba kernel: IN=eth0 OUT= 
MAC=ff:ff:ff:ff:ff:ff:00:e0:4c:67:66:d6:08:00 SRC=195.46.67.248 
DST=255.255.255.255 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=40800 PROTO=UDP 
SPT=164 DPT=164 LEN=108
Apr  4 22:43:54 sosiba kernel: br_netfilter: Argh!! br_nf_post_routing: bad 
mac.raw pointer.[eth1][br0] head:c2af95e0, raw:c2af95fe, data:c2af95fe
Apr  4 22:44:05 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 
MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=540 PROTO=UDP 
SPT=68 DPT=67 LEN=308
Apr  4 22:44:05 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 
00:07:0e:b4:50:a5 via br0
Apr  4 22:44:05 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 
via br0
Apr  4 22:44:10 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 
MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=541 PROTO=UDP 
SPT=68 DPT=67 LEN=308
Apr  4 22:44:10 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 
00:07:0e:b4:50:a5 via br0
Apr  4 22:44:10 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 
via br0
Apr  4 22:44:19 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 
MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 
DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=542 PROTO=UDP 
SPT=68 DPT=67 LEN=308
Apr  4 22:44:19 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 
00:07:0e:b4:50:a5 via br0
Apr  4 22:44:19 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 
via br0
-------------------------------------------------------------------------------

my iptables settings
-------------------------------------------------------------------------------
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*mangle
:PREROUTING ACCEPT [1043684:865001650]
:INPUT ACCEPT [1041756:864643520]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [892707:425469139]
:POSTROUTING ACCEPT [892775:425458561]
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP packets
-A INPUT -p icmp -m icmp -i eth0 --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp -m limit -i eth0 --icmp-type echo-request --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 4662,4663,4711
-A INPUT -p udp -m udp -i eth0 --dport 4672 -j ACCEPT
# sshd
-A INPUT -p tcp -m tcp -s 217.75.72.98 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 62.152.224.131 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 195.46.69.224/29 -i eth0 --dport 22 -j ACCEPT
# Allow this on eth0
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 20,21,80,443,901,10000
# Allow this on eth1, eth2
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A OUTPUT -p udp -m udp -m multiport -j LOG --sports 67,68
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -j ACCEPT
-A OUTPUT -s 192.168.2.1 -j ACCEPT
-A OUTPUT -s 195.46.69.228 -j ACCEPT
-A OUTPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
-A FORWARD -m state -i br0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
-A syn_flood -j DROP
# Allow this on eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -p tcp -i eth0 -j syn_flood  --syn
# log DoS
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
# Kill everything else!
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp -m multiport -j LOG --dports 67,68
-A FORWARD -p udp -m udp -m multiport -j LOG --sports 67,68
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
-------------------------------------------------------------------------------

I am running kernel-2.6.12-17mdk.

Please what could be wrong?

Robert. 
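
Added example, not part of the original message: a Python script that correlates the netfilter LOG lines with the dhcpd lines quoted above, per client MAC, and flags clients that keep re-sending DHCPREQUEST although dhcpd ACKs each one (a pattern that suggests the replies are not reaching the client). The function names and the `min_repeats` threshold are assumptions of this example; the log lines are the ones from the message with the mail wrapping undone.

```python
import re
from collections import defaultdict

# Log lines from the message above, with the mail client's line wrapping undone.
SAMPLE_LOG = """\
Apr  4 22:44:05 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=540 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr  4 22:44:05 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr  4 22:44:05 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr  4 22:44:10 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=541 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr  4 22:44:10 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr  4 22:44:10 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr  4 22:44:19 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=542 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr  4 22:44:19 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr  4 22:44:19 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
"""

KV = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs written by the LOG target
DHCPD = re.compile(r"dhcpd: (DHCP\w+) (?:for|on) (\S+) (?:from|to) ([0-9a-f:]{17}) via (\S+)")

def summarize(log):
    """Per client MAC: dhcpd message counts and the bridge ports netfilter saw."""
    clients = defaultdict(lambda: {"DHCPREQUEST": 0, "DHCPACK": 0, "ports": set()})
    for line in log.splitlines():
        m = DHCPD.search(line)
        if m:
            msg, _ip, mac, _iface = m.groups()
            if msg in ("DHCPREQUEST", "DHCPACK"):
                clients[mac][msg] += 1
            continue
        if "kernel: IN=" not in line:
            continue
        fields = dict(KV.findall(line))
        # Only bridged DHCP client traffic (UDP to port 67 with a PHYSIN port).
        if fields.get("DPT") == "67" and "PHYSIN" in fields:
            # MAC= is destination (6 octets), source (6 octets), ethertype (2).
            src_mac = ":".join(fields["MAC"].split(":")[6:12])
            clients[src_mac]["ports"].add((fields["PHYSIN"], fields.get("PHYSOUT", "")))
    return dict(clients)

def unanswered_loops(log, min_repeats=2):
    """MACs that keep re-requesting although dhcpd ACKs every request."""
    return sorted(mac for mac, c in summarize(log).items()
                  if c["DHCPREQUEST"] >= min_repeats and c["DHCPACK"] >= c["DHCPREQUEST"])

if __name__ == "__main__":
    print(unanswered_loops(SAMPLE_LOG), summarize(SAMPLE_LOG))
```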


