Thread: Iptables and brctl (bridge)

  1. #1
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89

    Iptables and brctl (bridge)

    After playing around with the patched firmware I have the following nasty question to you Linux Gurus:
    I installed an extra ethernet interface via the USB port. As you might know the WL500g has one WAN ethernet interface (eth1), one local ethernet interface (eth0) and one wireless interface (eth2). Eth2 and eth0 are both connected to the bridge (br0) which is connected to eth1 (via iptables). Now I add this new interface (eth3) to the bridge (brctl addif br0 eth3) without errors. However, I am only able to browse the internal webpage but no external webpages. According to "snort", which should be nice to have in a patched firmware version, hint hint, my source route fails, what the hell is going on?

  2. #2
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    Have you tried using the interface with no bridging? As for iptables - you can examine it using iptables -L -v and iptables -t nat -L -v

    Oleg.

  3. #3
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    One more reason, why you can't browse outside - there is no default route.

  4. #4
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by Oleg
    Have you tried using the interface with no bridging? As for iptables - you can examine it using iptables -L -v and iptables -t nat -L -v

    Oleg.
    IMHO the iptables only run (router mode, no DMZ) between br0 and eth1. Once you have attached a device to the bridge, the bridge should take care. It seems however the bridge does not have any knowledge of this source (eth3), although I have added it to the bridge. According to the error message it is an icmp error, so are there any ebtables in the wl500g?
    To answer your question about "without the bridge": Yes, I tried that also, no success either. And finally I have added/changed/whatever default routing/gateway etc, but no luck.

  5. #5
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    No, ebtables are not used. My suggestion - use tcpdump to figure out the problem. Also, what is the real device for the eth3 and does it support bridging?

  6. #6
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by Oleg
    No, ebtables are not used. My suggestion - use tcpdump to figure out the problem. Also, what is the real device for the eth3 and does it support bridging?
    The device is connected to the bridge, since I am able to browse the internal WL500g webserver. Like eth2 it does not get an IP address. Eth3 is a USB ethernet device.
    BTW I tried to compile tcpdump, but it was not successful (I can't remember what the showstopper was), therefore I am using snort instead to see what is going on. I can't give you a dump right now, simply because I don't have my linux PC at hand.
    Last edited by bramfm; 02-01-2004 at 18:25.

  7. #7
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    Use --without-crypto (or similar) while configuring tcpdump. I've successfully compiled it.

  8. #8
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by Oleg
    Use --without-crypto (or similar) while configuring tcpdump. I've successfully compiled it.
    Here is a dump from snort:
    01/01-07:41:09.241878 192.168.1.1 -> 192.168.1.3
    PROTO001 TTL:64 TOS:0xC0 ID:22661 IpLen:20 DgmLen:88
    Type:3 Code:5 DESTINATION UNREACHABLE: SOURCE ROUTE FAILED
    ** ORIGINAL DATAGRAM DUMP:
    192.168.1.3:32925 -> 129.42.19.99:80
    PROTO006 TTL:64 TOS:0x0 ID:2832 IpLen:20 DgmLen:60 DF
    ******S* Seq: 0x91221E60 Ack: 0x0 Win: 0x16D0 TcpLen: 40
    ** END OF DUMP


    The error I get while compiling tcpdump is that it can't find strlcat.c

  9. #9
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    Strange... Seems your original packet has source route (which is something unusual) and it fails. Who is generating these packets?

  10. #10
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by Oleg
    Strange... Seems your original packet has source route (which is something unusual) and it fails. Who is generating these packets?
    Just a linux pc connected to this interface.

  11. #11
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89
    Originally posted by bramfm
    Just a linux pc connected to this interface.
    Here a tcpdump:

    tcpdump: WARNING: eth3: no IPv4 address assigned
    tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 68 bytes
    00:16:17.957614 IP (tos 0x0, ttl 64, id 38067, offset 0, flags [DF], length: 58) 192.168.1.3.32777 > 192.168.1.1.53: 52226+[|domain]
    00:16:17.989695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 122) 192.168.1.1.53 > 192.168.1.3.32777: 52226 q:[|domain]
    00:16:18.032531 IP (tos 0x0, ttl 64, id 21531, offset 0, flags [DF], length: 60) 192.168.1.3.32968 > 217.67.235.13.80: S 1037090976:1037090976(0) win 5840 <mss 1460,sackOK,timestamp 2397371[|tcp]>
    00:16:18.033269 IP (tos 0xc0, ttl 64, id 60669, offset 0, flags [none], length: 88) 192.168.1.1 > 192.168.1.3: icmp 68: 217.67.235.13 unreachable - source route failed for IP (tos 0x0, ttl 64, id 21531, offset 0, flags [DF], length: 60) 192.168.1.3.32968 > 217.67.235.13.80: [|tcp]
    00:16:22.942235 arp who-has 192.168.1.1 tell 192.168.1.3
    00:16:22.942483 arp reply 192.168.1.1 is-at 00:0c:6e:c1:9a:46


    As you can see it is generating the same error.
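As an added illustration (not code from the thread), a small Python decoder for the ICMP message that appears in both the snort and the tcpdump output above: it parses the type 3 / code 5 "source route failed" packet, pulls out the quoted original datagram, and checks whether that datagram actually carried a loose (LSRR) or strict (SSRR) source-route IP option. The sample packet is constructed to match the snort dump (192.168.1.1 -> 192.168.1.3, quoting the SYN 192.168.1.3:32925 -> 129.42.19.99:80 with IpLen 20 and DgmLen 60); IP checksums are left at zero and the TCP header after the ports is filler.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # IPv4 option codes: loose / strict source route

def ipv4_header(src, dst, proto, total_len, options=b""):
    """Build a minimal IPv4 header; checksum stays 0 (constructed test data)."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + options

def parse_ipv4(buf):
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf)
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)),
            "options": buf[20:ihl], "payload": buf[ihl:total_len]}

def source_route_options(options):
    """Return the LSRR/SSRR option codes present in an IPv4 options field."""
    found, i = [], 0
    while i < len(options) and options[i] != 0:   # 0 = end of option list
        if options[i] == 1:                        # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                  # truncated or malformed
        if options[i] in (LSRR, SSRR):
            found.append(options[i])
        i += options[i + 1]
    return found

def explain_icmp_unreachable(buf):
    """Decode an ICMP type 3 packet and inspect the quoted original datagram."""
    outer = parse_ipv4(buf)
    if outer["proto"] != 1 or outer["payload"][0] != 3:
        raise ValueError("not an ICMP destination-unreachable packet")
    inner = parse_ipv4(outer["payload"][8:])  # original datagram follows the 8-byte ICMP header
    sport, dport = struct.unpack_from("!HH", inner["payload"])
    return {"code": outer["payload"][1], "router": outer["src"],
            "orig_src": f"{inner['src']}:{sport}",
            "orig_dst": f"{inner['dst']}:{dport}",
            "orig_ihl": len(inner["options"]) + 20,
            "orig_has_source_route": bool(source_route_options(inner["options"]))}

# Constructed sample modelled on the snort dump: type 3 code 5 from 192.168.1.1,
# quoting the SYN 192.168.1.3:32925 -> 129.42.19.99:80 (IpLen 20, DgmLen 60).
ORIGINAL_SYN = ipv4_header("192.168.1.3", "129.42.19.99", 6, 60) + struct.pack("!HH", 32925, 80) + bytes(36)
SAMPLE_ICMP = (ipv4_header("192.168.1.1", "192.168.1.3", 1, 88)
               + struct.pack("!BBHI", 3, 5, 0, 0) + ORIGINAL_SYN)
```

An IHL of 20 bytes means the quoted SYN carried no IP options at all, so the decoder reports no source route for this sample even though the router answered with code 5. The option walker handles NOP padding and truncated option lists, so it can be pointed at any type 3 message, whatever the code.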

  12. #12

    binaries available

    Hi,

    Any chance you could mail me or post the binaries you used for snort and tcpdump? Would love to get those running on my WL500g.

    Thanks

    Oscar
    oscar@craane.com

  13. #13
    Join Date: Dec 2003 | Location: Helmond, The Netherlands | Posts: 89

    Re: binaries available

    Originally posted by oscarc
    Hi,

    Any chance you could mail me or post the binaries you used for snort and tcpdump? Would love to get those running on my WL500g.

    Thanks

    Oscar
    oscar@craane.com
    No problem:
    you can download a precompiled version of snort from this page: http://www.batbox.org/snort.gz

    And a compiled version of tcpdump here:

    http://members.chello.nl/~m.kuystermans/tcpdump.zip

    Extract in an existing directory (e.g. tcpdump). You will get the following tree:

    tcpdump
    ├───include
    │       pcap-bpf.h
    │       pcap-namedb.h
    │       pcap.h
    ├───lib
    │       libpcap.a
    ├───man
    │   ├───man1
    │   │       tcpdump.1
    │   └───man3
    │           pcap.3
    └───sbin
            tcpdump

    You (probably) only need the tcpdump binary. I compiled it statically (??, not sure anymore, can't check, do not have the PC here. I can't find any other reference to libpcap.a, so it must be compiled statically since it runs standalone without complaining)

  14. #14

    How to control packets in FORWARD chain in AP mode

    Hi

    please could somebody tell me if it is possible to control packets in FORWARD chain while you are using AP mode.

    Now no packets go through FORWARD, all interfaces are in bridge br0.
    I read something, that it is possible when you install some patch to kernel.

    Is this patch included in olegs firmware? How to enable it.
    Thanks

    (fw 1.7.5.9-5, wl-500g)
    Pipos (2xWL-500g, WDS-only mode, used as backbone for MAN network; 1xWL-500g in Client Mode with NAT)

  15. #15
    Join Date: Dec 2003 | Location: Russian Federation | Posts: 8,356
    Originally Posted by pipos
    Is this patch included in olegs firmware? How to enable it.
    No.
    You need to use ebtables as it seems. But you will not be able to do sophisticated filtering.
