[Bridge] Bridge + NFSROOT + Iptables problems (Repost Plaintext)

Chris Shaw chriss at watertech.com
Fri Aug 8 11:10:10 PDT 2003


I hate Outlook... anyway...

First off, all of the interfaces are bridged... on both machines... I'm not sure how to keep the illustration from getting munged, but here's try number two...

Machine 1 is my main server machine which has 5 interfaces (eth0, eth1, eth2, eth3, wlan0 respectively)
which are all bridged to interface br0 which has a management address of 10.100.5.99.

Machine 2 is the NFSROOT/DISKLESS machine. It has 3 interfaces (eth0, eth1 and wlan0 respectively)
which are also all bridged to an interface br0 which has a management address of 10.100.5.10.

Machine 1 is the firewall box, the cable connection to the internet comes in via eth0 and is bridged
to the rest of the machines on the LAN. (illustrated below)
                                   
(Illustration for Machine 1)

                                         / eth1 ----> (Workstation)
Cable --> eth0 - (Machine 1) - eth2 -----> (Workstation)
                              |          \ eth3 -----> (Machine 2)
                           wlan0


(Illustration for Machine 2)

                               eth1 ----> (Workstation)
                             /
Machine 1 ---> eth0 
                             \ 
                              wlan0 

Here's my iptables file (ad nauseam)

# Generated by iptables-save v1.2.7a on Thu Aug  7 18:29:28 2003
*nat
:PREROUTING ACCEPT [30237:2441593]
:POSTROUTING ACCEPT [14492:1445422]
:OUTPUT ACCEPT [1731:469022]
COMMIT
# Completed on Thu Aug  7 18:29:28 2003
# Generated by iptables-save v1.2.7a on Thu Aug  7 18:29:28 2003
*filter
:INPUT ACCEPT [4112:1178544]
:FORWARD DROP [18226:1508151]
:OUTPUT ACCEPT [186936:35017593]
:AOSPORTS - [0:0]
:DIABLO2 - [0:0]
:DIABLO2-IN - [0:0]
:DIRECTX7 - [0:0]
:DIRECTX7-IN - [0:0]
:DIRECTX8 - [0:0]
:DIRECTX8-IN - [0:0]
:STARCRAFT - [0:0]
:STARCRAFT-IN - [0:0]
:SWGPORTS - [0:0]
:TCP-COMMON - [0:0]
:UDP-COMMON - [0:0]
:WARCRAFT3 - [0:0]
:WARCRAFT3-IN - [0:0]
:forward-out - [0:0]
:icmp_forward - [0:0]
:other_packets - [0:0]
:tcp_forward - [0:0]
:udp_forward - [0:0]
-A FORWARD -j forward-ok 
-A FORWARD -p tcp -j tcp_forward 
-A FORWARD -p udp -j udp_forward 
-A FORWARD -p icmp -j icmp_forward 
-A FORWARD -j forward-out 
-A DIABLO2 -o eth0 -p tcp -m tcp --dport 6112 -j ACCEPT 
-A DIABLO2 -o eth0 -p tcp -m tcp --dport 4000 -j ACCEPT 
-A DIABLO2-IN -i eth0 -p tcp -m tcp --dport 4000 -j ACCEPT 
-A DIRECTX7 -o eth0 -p tcp -m tcp --dport 47264 -j ACCEPT 
-A DIRECTX7 -o eth0 -p tcp -m tcp --dport 2300:2400 -j ACCEPT 
-A DIRECTX7 -o eth0 -p udp -m udp --dport 2300:2400 -j ACCEPT 
-A DIRECTX7-IN -i eth0 -p tcp -m tcp --dport 47264 -j ACCEPT 
-A DIRECTX7-IN -i eth0 -p tcp -m tcp --dport 2300:2400 -j ACCEPT 
-A DIRECTX7-IN -i eth0 -p udp -m udp --dport 2300:2400 -j ACCEPT 
-A DIRECTX8 -o eth0 -p udp -m udp --dport 6073 -j ACCEPT 
-A DIRECTX8 -o eth0 -p udp -m udp --dport 2302:2400 -j ACCEPT 
-A DIRECTX8-IN -i eth0 -p udp -m udp --dport 6073 -j ACCEPT 
-A DIRECTX8-IN -i eth0 -p udp -m udp --dport 2302:2400 -j ACCEPT 
-A STARCRAFT -o eth0 -p tcp -m tcp --dport 6112 -j ACCEPT 
-A STARCRAFT -o eth0 -p udp -m udp --dport 6112 -j ACCEPT 
-A STARCRAFT-IN -i eth0 -p udp -m udp --dport 6112 -j ACCEPT 
-A SWGPORTS -o eth0 -p tcp -m tcp --dport 7000 -j ACCEPT 
-A SWGPORTS -o eth0 -p udp -m udp --dport 3016:3021 -j ACCEPT 
-A SWGPORTS -o eth0 -p udp -m udp --dport 9700:9703 -j ACCEPT 
-A SWGPORTS -o eth0 -p tcp -m tcp --dport 7070 -j ACCEPT 
-A SWGPORTS -o eth0 -p udp -m udp --dport 44453:44463 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 8080 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 20 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 23 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 110 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 119 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 123 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 1863 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 5190 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 554 -j ACCEPT 
-A TCP-COMMON -o eth0 -p tcp -m tcp --dport 9040 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 53 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 123 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 554 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 7070:7073 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 68 -j ACCEPT 
-A UDP-COMMON -o eth0 -p udp -m udp --dport 67 -j ACCEPT 
-A WARCRAFT3 -o eth0 -p tcp -m tcp --dport 6112 -j ACCEPT 
-A WARCRAFT3 -o eth0 -p tcp -m tcp --dport 6113:6119 -j ACCEPT 
-A WARCRAFT3-IN -i eth0 -p tcp -m tcp --dport 6112 -j ACCEPT 
-A WARCRAFT3-IN -i eth0 -p tcp -m tcp --dport 6113:6119 -j ACCEPT 
-A forward-out -o eth0 -p tcp -j TCP-COMMON 
-A forward-out -o eth0 -p udp -j UDP-COMMON 
-A forward-out -o eth0 -p icmp -j ACCEPT 
-A forward-out -o eth0 -j STARCRAFT 
-A forward-out -o eth0 -j WARCRAFT3 
-A forward-out -o eth0 -j DIABLO2 
-A forward-out -o eth0 -j DIRECTX7 
-A forward-out -o eth0 -j DIRECTX8 
-A forward-out -o eth0 -j SWGPORTS 
-A forward-out -o eth0 -j AOSPORTS 
-A icmp_forward -i eth0 -p icmp -m icmp ! --icmp-type 8 -j ACCEPT 
-A tcp_forward -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A tcp_forward -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
-A tcp_forward -i eth0 -p tcp -m tcp --dport 20 -j ACCEPT 
-A tcp_forward -i eth0 -p tcp -j DIABLO2-IN 
-A tcp_forward -i eth0 -p tcp -j WARCRAFT3-IN 
-A tcp_forward -i eth0 -p tcp -j DIRECTX7-IN 
-A udp_forward -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A udp_forward -i eth0 -p udp -m udp --dport 68 -j ACCEPT 
-A udp_forward -i eth0 -p udp -m udp --dport 67 -j ACCEPT 
-A udp_forward -i eth0 -p udp -m udp --sport 53 -j ACCEPT 
-A udp_forward -i eth0 -p udp -j STARCRAFT-IN 
-A udp_forward -i eth0 -p udp -j DIRECTX7-IN 
-A udp_forward -i eth0 -p udp -j DIRECTX8-IN 
COMMIT
# Completed on Thu Aug  7 18:29:28 2003

Again... It might be my rules, however even when I make the policy for the FORWARD chain ACCEPT, it still hangs until I unload the ip_conntrack module.

    -Chris

Chris Shaw
IS Manager
Water Tech Industries
Phone: (888)-254-8412
Fax: (503)-261-9118
E-Mail: chriss at watertech.com
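As an added example (not code from the post or the Bridge project), here is a small Python lint for iptables-save output: it reports each table's chain policies, jumps to chains that were never declared, and user chains that are declared but never reached. Run over the dump above it would flag the jump from FORWARD to forward-ok, which is not declared anywhere in the posted rules (iptables-restore rejects such a dump), and the declared but unreferenced other_packets chain; the dump embedded in the script is a constructed excerpt modelled on those lines.

```python
import re

# Constructed iptables-save excerpt modelled on the post: one jump to a chain that is
# never declared (forward-ok) and one declared chain never referenced (other_packets).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:other_packets - [0:0]
:tcp_forward - [0:0]
-A FORWARD -j forward-ok
-A FORWARD -p tcp -j tcp_forward
-A tcp_forward -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Targets that are not user-defined chains and therefore need no declaration.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}

def lint_iptables_save(text):
    """Per table: chain policies, jumps to undeclared chains, unused user chains."""
    findings, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                       # table header, e.g. *filter
            table = line[1:]
            findings[table] = {"policies": {}, "declared": set(), "jumped": set()}
        elif table is None or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):                     # chain declaration
            name, policy = line[1:].split()[:2]
            findings[table]["declared"].add(name)
            if policy != "-":                          # built-in chains carry a policy
                findings[table]["policies"][name] = policy
        else:                                          # rule line: -A <chain> ... -j <target>
            m = re.match(r"-A (\S+)(?:.*?\s-j (\S+))?", line)
            if m and m.group(2) and m.group(2) not in BUILTIN_TARGETS:
                findings[table]["jumped"].add(m.group(2))
    for t in findings.values():
        user_chains = t["declared"] - set(t["policies"])
        t["undeclared"] = t["jumped"] - t["declared"]  # iptables-restore rejects these
        t["unused"] = user_chains - t["jumped"]        # declared but never reached
    return findings
```

Feed it the full dump from the post (e.g. `lint_iptables_save(open("rules").read())`) to get the same report for every table.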
