PDA

Bekijk de volledige versie : Iptables and brctl (bridge)



bramfm
30-12-2003, 16:39
After playing around with the patched firmware I have the following nasty question to you Linux Gurus:
I installed an extra ethernet interface via the USB port. As you might know the WL500g has one WAN ethernet interface (eth1), one local ethernet interface (eth0) and one wireless interface (eth2). Eth2 and eth0 are both connected to the bridge (br0) which is connected to eth1 (via iptables). Now I add this new interface (eth3) to the bridge (brctl addif br0 eth3) without errors. However I only am able to browse the internal webpage but no external webpages. According to "snort", which sould be nice to have in a patched firmware version, hint hint :cool: , my source route failes, what the hell is going on?

Oleg
31-12-2003, 20:12
Have you tried using the interface with no bridging? As for iptables - you can examine it using iptables -L -v and iptables -t nat -L -v

Oleg.

Oleg
31-12-2003, 20:14
One more reason, why you can't browse outside - there is no default route.

bramfm
01-01-2004, 12:02
Originally posted by Oleg
Have you tried using the interface with no bridging? As for iptables - you can examine it using iptables -L -v and iptables -t nat -L -v

Oleg.
IMHO the iptables only run (router mode , no DMZ) between br0 and eth1. Once you have attached a device to the bridge, the bridge should take care. It seems however the bridge does not have any knowledge of this source (eth3), although I have added it to the bridge. According to the error message it is an icmp error, so are there any ebtables in the wl500g?.
To answer your question about "without the bridge". Yes I tried that also, no success either. And finally I have add/changed/whatever default routing/gateway etc, but no luck.

Oleg
01-01-2004, 14:56
No, ebtables are not used. My suggestion - use tcpdump to figure out the problem. Also, what is the real device for the eth3 and does it support bridging?

bramfm
02-01-2004, 19:22
Originally posted by Oleg
No, ebtables are not used. My suggestion - use tcpdump to figure out the problem. Also, what is the real device for the eth3 and does it support bridging?
The device is connected to the bridge, since I am able to browse the internal WL500g webserver. Like eth2 it does not get an IP address. Eth3 is a USB ethernet device.
BTW I tried to compile tcpdump, but it was not successfull (I can't remember what the showstopper was), therefore I am using snort instead to see what is going on. I can't give you a dump right now, simply because I don't have my linux PC at hand.

Oleg
05-01-2004, 11:21
Use --without-crypto (or similar) while configuring tcpdump. I've successfully compiled it.

bramfm
05-01-2004, 16:53
Originally posted by Oleg
Use --without-crypto (or similar) while configuring tcpdump. I've successfully compiled it.
Here is a dump from snort:
01/01-07:41:09.241878 192.168.1.1 -> 192.168.1.3
PROTO001 TTL:64 TOS:0xC0 ID:22661 IpLen:20 DgmLen:88
Type:3 Code:5 DESTINATION UNREACHABLE: SOURCE ROUTE FAILED
** ORIGINAL DATAGRAM DUMP:
192.168.1.3:32925 -> 129.42.19.99:80
PROTO006 TTL:64 TOS:0x0 ID:2832 IpLen:20 DgmLen:60 DF
******S* Seq: 0x91221E60 Ack: 0x0 Win: 0x16D0 TcpLen: 40
** END OF DUMP

The error I get while compiling tcpdump is that it can't find strlcat.c

Oleg
06-01-2004, 16:44
Strange... Seems your original packet has source route (which is something unusual) and it fails. Who is generating this packets?

bramfm
07-01-2004, 16:43
Originally posted by Oleg
Strange... Seems your original packet has source route (which is something unusual) and it fails. Who is generating this packets?

Just a linux pc connected to this interface.

bramfm
12-01-2004, 15:31
Originally posted by bramfm
Just a linux pc connected to this interface.

Here a tcpdump:

tcpdump: WARNING: eth3: no IPv4 address assigned
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 68 bytes
00:16:17.957614 IP (tos 0x0, ttl 64, id 38067, offset 0, flags [DF], length: 58
) 192.168.1.3.32777 > 192.168.1.1.53: 52226+[|domain]
00:16:17.989695 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], length: 122) 1
92.168.1.1.53 > 192.168.1.3.32777: 52226 q:[|domain]
00:16:18.032531 IP (tos 0x0, ttl 64, id 21531, offset 0, flags [DF], length: 60
) 192.168.1.3.32968 > 217.67.235.13.80: S 1037090976:1037090976(0) win 5840 <mss
1460,sackOK,timestamp 2397371[|tcp]>
00:16:18.033269 IP (tos 0xc0, ttl 64, id 60669, offset 0, flags [none], length:
88) 192.168.1.1 > 192.168.1.3: icmp 68: 217.67.235.13 unreachable - source rout
e failed for IP (tos 0x0, ttl 64, id 21531, offset 0, flags [DF], length: 60) 1
92.168.1.3.32968 > 217.67.235.13.80: [|tcp]
00:16:22.942235 arp who-has 192.168.1.1 tell 192.168.1.3
00:16:22.942483 arp reply 192.168.1.1 is-at 00:0c:6e:c1:9a:46

as you can see it is generating the same error.

oscarc
17-01-2004, 02:03
Hi,

Any chance you could mail me or post the binaries you used for snort and tcpdump? Would love to get those running on my WL500g.

Thanks

Oscar
oscar@craane.com

bramfm
17-01-2004, 14:38
Originally posted by oscarc
Hi,

Any chance you could mail me or post the binaries you used for snort and tcpdump? Would love to get those running on my WL500g.

Thanks

Oscar
oscar@craane.com

No problem:
you can download a precompiled version of snort from this page: http://www.batbox.org/snort.gz

And a compiled version of tcpdump here:

http://members.chello.nl/~m.kuystermans/tcpdump.zip

Extract in an excisting directory (e.g. tcpdump ;). You will get the following tree:

tcpdump
├───include
│ pcap-bpf.h
│ pcap-namedb.h
│ pcap.h

├───lib
│ libpcap.a

├───man
│ ├───man1
│ │ tcpdump.1
│ │
│ └───man3
│ pcap.3

└───sbin
tcpdump

You (probably) only need the tcpdump binary. I compiled it statically (??, not shure anymore, can't check, do not have the PC here. I can't find any other reference to libpcap.a, so it must be compiled statically since it runs standalone without complaining)

pipos
20-10-2004, 19:25
Hi

please could somebody tell mi if it is possible to control packets in FORWARC chain while you are using AP mode.

Now no packets goes thru FORWARD, all interfaces are in bridge br0.
I read something, that it is possible when you install some patch to kernel.

Is this patch included in olegs firmware? How to enable it.
Thanks

(fw 1.7.5.9-5, wl-500g)

Oleg
20-10-2004, 19:32
Is this patch included in olegs firmware? How to enable it.

No.
You need to use ebtables as seems. But you will not be able to do sophisticated filtering.

jacsa
11-07-2005, 22:50
Hi all,

I assembled a simple test environment: 1xWL500G in AP mode and 2xWL300G in Ethernet Bridge mode, latest Oleg's firmware. I set "Set AP Isolated" to Yes through WL500G-s web interface.

It seems it doesn't work, because I can ping a notebook connected to one WL300G from an other notebook, connected to the other WL300G.

Any idea?

Janos

Oleg
12-07-2005, 10:09
It works, but this feature is useless with current firmware, as it does not perform any filtering.

jacsa
12-07-2005, 23:24
Aha.
But I (as a little ISP) think that it would be very useful separating subscribers at MAC level, preventing the direct communication between "tricky" users, and stopping the spreading of the broadcasts on the wireless network.

Is there any other method to achieve this?

Or, what if I program the necessary code? I can program in C, but I have only a little knowledge in low level protocol and hardware programming.


It works, but this feature is useless with current firmware, as it does not perform any filtering.

Oleg
13-07-2005, 10:35
Yes, use OpenWRT and ebtables.