From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Admin on sosi.sk"
Subject: Netfilter problem..
Date: Wed, 5 Apr 2006 22:54:50 +0200
Message-ID: <004001c658f3$2e8b34d0$2001a8c0@sosi>
References: <20060405173107.74543229166@sosi.sk>
Sender: netfilter-bounces@lists.netfilter.org
To: netfilter@lists.netfilter.org

Hi all,

I have these interfaces:

  eth0 - WAN
  eth1 - LAN
  eth2 - free
  ath0 - Atheros AP

Then I made a bridge br0 (192.168.1.1) from ath0 (0.0.0.0) and eth1 (0.0.0.0), because I want the wired and wireless networks in one address range, 192.168.1.0 - 192.168.1.255, and I run the DHCP server over the bridge br0.

Over eth1 (the wired network) everything works fine. I cannot obtain an IP address from DHCP over the wifi interface ath0, and I get this message in tcpdump -vv -i br0:

-------------------------------------------------------------------------------
br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] head:c35d23e0, raw:c35d23fe, data:c35d23fe
-------------------------------------------------------------------------------

/var/log/messages:

-------------------------------------------------------------------------------
Apr 4 22:38:23 sosiba kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:4c:67:66:d6:08:00 SRC=195.46.67.248 DST=255.255.255.255 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=40800 PROTO=UDP SPT=164 DPT=164 LEN=108
Apr 4 22:43:54 sosiba kernel: br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] head:c2af95e0, raw:c2af95fe, data:c2af95fe
Apr 4 22:44:05 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=540 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:05 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:05 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:10 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=541 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:10 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:10 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:19 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=542 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:19 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:19 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
-------------------------------------------------------------------------------

My iptables settings:

-------------------------------------------------------------------------------
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*mangle
:PREROUTING ACCEPT [1043684:865001650]
:INPUT ACCEPT [1041756:864643520]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [892707:425469139]
:POSTROUTING ACCEPT [892775:425458561]
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
# Generated by iptables-save v1.2.9 on Fri Mar 18 11:14:11 2005
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood - [0:0]
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP packets
-A INPUT -p icmp -m icmp -i eth0 --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp -m limit -i eth0 --icmp-type echo-request --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -m icmp -i eth0 --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 113 -j REJECT
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 4662,4663,4711
-A INPUT -p udp -m udp -i eth0 --dport 4672 -j ACCEPT
# sshd
-A INPUT -p tcp -m tcp -s 217.75.72.98 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 62.152.224.131 -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 195.46.69.224/29 -i eth0 --dport 22 -j ACCEPT
# Allow this on eth0
-A INPUT -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 20,21,80,443,901,10000
# Allow this on eth1, eth2
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A OUTPUT -p udp -m udp -m multiport -j LOG --sports 67,68
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -j ACCEPT
-A OUTPUT -s 192.168.2.1 -j ACCEPT
-A OUTPUT -s 195.46.69.228 -j ACCEPT
-A OUTPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
-A FORWARD -m state -i br0 --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A syn_flood -m limit --limit 1/s --limit-burst 5 -j RETURN
-A syn_flood -j DROP
# Allow this on eth1
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp -m multiport -j LOG --dports 67,68
-A INPUT -p tcp -i eth0 -j syn_flood --syn
# log DoS
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG
# Kill everything else!
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m udp -m multiport -j LOG --dports 67,68
-A FORWARD -p udp -m udp -m multiport -j LOG --sports 67,68
COMMIT
# Completed on Fri Mar 18 11:14:11 2005
-------------------------------------------------------------------------------

I am running kernel-2.6.12-17mdk. Please, what could be wrong?

Robert.
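The kernel LOG lines in the post are the most useful diagnostic in it: the PHYSIN=ath0 PHYSOUT=eth1 fields show that the DHCP broadcasts from the wireless side are being handed to iptables by br_netfilter while they are bridged, and the MAC= field carries the destination MAC, source MAC and ethertype of the frame. The parser below is an added example, not code from the post or from the netfilter project: it turns such LOG lines into records, splits the MAC field, and picks out DHCP (UDP 67/68) traffic that crossed the bridge, alongside the br_netfilter "bad mac.raw pointer" warnings. The sample input is copied from the post's /var/log/messages excerpt; the regular expressions and the LEN2 naming for the second LEN field (UDP length after the IP total length) are my own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the post's /var/log/messages excerpt (syslog prefix kept).
SAMPLE_LOG = """\
Apr 4 22:38:23 sosiba kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:4c:67:66:d6:08:00 SRC=195.46.67.248 DST=255.255.255.255 LEN=128 TOS=0x00 PREC=0x00 TTL=128 ID=40800 PROTO=UDP SPT=164 DPT=164 LEN=108
Apr 4 22:43:54 sosiba kernel: br_netfilter: Argh!! br_nf_post_routing: bad mac.raw pointer.[eth1][br0] head:c2af95e0, raw:c2af95fe, data:c2af95fe
Apr 4 22:44:05 sosiba kernel: IN=br0 OUT= PHYSIN=ath0 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:00:07:0e:b4:50:a5:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=540 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 4 22:44:05 sosiba dhcpd: DHCPREQUEST for 192.168.1.33 from 00:07:0e:b4:50:a5 via br0
Apr 4 22:44:05 sosiba dhcpd: DHCPACK on 192.168.1.33 to 00:07:0e:b4:50:a5 via br0
"""

# syslog prefix: "Apr 4 22:44:05 sosiba kernel: <message>"
KERNEL_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=" for locally delivered packets)
KV = re.compile(r"(\w+)=(\S*)")


def parse_nf_log(line: str) -> Optional[Dict[str, str]]:
    """Parse one netfilter LOG line into a dict; None for anything else."""
    m = KERNEL_PREFIX.match(line)
    if not m or "=" not in m.group("msg"):
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, val in KV.findall(m.group("msg")):
        # LEN appears twice (IP total length, then UDP/TCP length): keep both.
        if key in rec:
            key = key + "2"
        rec[key] = val
    return rec


def split_mac(mac: str) -> Tuple[str, str, str]:
    """LOG's MAC= field is the raw link-layer header: dst MAC, src MAC, ethertype."""
    octets = mac.split(":")
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def is_dhcp(rec: Dict[str, str]) -> bool:
    return rec.get("PROTO") == "UDP" and {rec.get("SPT"), rec.get("DPT")} == {"67", "68"}


def is_bridged(rec: Dict[str, str]) -> bool:
    """PHYSIN/PHYSOUT are only present when br_netfilter passed a bridged frame to iptables."""
    return "PHYSIN" in rec or "PHYSOUT" in rec


def is_brnf_warning(line: str) -> bool:
    return "br_netfilter:" in line and "bad mac.raw pointer" in line


def summarize(text: str) -> Dict[str, object]:
    """Count br_netfilter warnings and list DHCP packets that traversed the bridge."""
    warnings = 0
    dhcp_bridged: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if is_brnf_warning(line):
            warnings += 1
            continue
        rec = parse_nf_log(line)
        if rec and is_dhcp(rec) and is_bridged(rec):
            _dst, src_mac, _ethertype = split_mac(rec["MAC"])
            dhcp_bridged.append((rec.get("PHYSIN", ""), rec.get("PHYSOUT", ""), src_mac))
    return {"brnf_warnings": warnings, "dhcp_bridged": dhcp_bridged}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("br_netfilter warnings:", result["brnf_warnings"])
    for physin, physout, src in result["dhcp_bridged"]:
        print(f"DHCP from {src} bridged {physin} -> {physout} passed through iptables")
```

Run against a real /var/log/messages, the summary tells you whether bridged frames are reaching iptables at all (which on this kernel is governed by the bridge-nf-call-iptables sysctl under /proc/sys/net/bridge/) and which client and bridge ports are involved, so the LOG rules on ports 67/68 in the post's ruleset can be read systematically instead of by eye.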