I'm pretty sure that the firewall FORWARD rules are incorrect. Near the top, rule 4 allows any connection, as long as it doesn't exceed the 1 connection per second rate:
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 14 672 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
5 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
6 0 0 ACCEPT icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
7 0 0 ACCEPT udp -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 udp dpts:25500:25599
8 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.1.21 tcp dpts:25600:25699
9 0 0 DROP all -- vlan1 br0 0.0.0.0/0 0.0.0.0/0
Following that rule, there are other rules that allow forwarding for the "virtual hosts" feature, but they are almost useless, since the previous rule already allows that traffic.
I suppose that the original intention of the programmers was to limit the number of connections allowed, not to explicitly allow them.
I think that the best way to solve this bug is to create a new chain that is called when the limit isn't reached, and put the "virtual hosts" rules in this new chain:
Code:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
3 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 14 672 VHOSTS tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 1/sec burst 5
5 0 0 VHOSTS tcp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
6 0 0 ACCEPT icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 icmp type 8
7 0 0 ACCEPT udp -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 udp dpts:25500:25599
8 0 0 DROP all -- vlan1 br0 0.0.0.0/0 0.0.0.0/0
Chain VHOSTS (2 references)
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.2.1.21 tcp dpts:25600:25699
Do you see any flaw?
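The ordering bug described in the post, as an added illustration that is not part of the original post: a small first-match model of the two FORWARD chains above. It is not iptables; the `limit` match is modelled as "still within the burst" (the case the post is worried about), the state and ICMP rules are omitted because they do not affect a new SYN, and the target host 10.2.1.50 port 80 is a constructed test value (the interfaces, 10.2.1.21 and the port ranges come from the listing).

```python
# Constructed model of the router's FORWARD chain, before and after the fix.
SYN = "syn"   # tcp flags:0x16/0x02
ACK = "ack"   # tcp flags:0x17/0x04

def rule(target, proto="all", inif="*", outif="*", dst=None, flags=None, dports=None):
    return dict(target=target, proto=proto, inif=inif, outif=outif,
                dst=dst, flags=flags, dports=dports)

def matches(r, pkt):
    return (r["proto"] in ("all", pkt["proto"])
            and r["inif"] in ("*", pkt["in"])
            and r["outif"] in ("*", pkt["out"])
            and (r["dst"] is None or r["dst"] == pkt["dst"])
            and (r["flags"] is None or r["flags"] == pkt.get("flags"))
            and (r["dports"] is None or r["dports"][0] <= pkt["dport"] <= r["dports"][1]))

def evaluate(chains, pkt, chain="FORWARD", policy="ACCEPT"):
    """Walk a chain first-match; a user chain that runs out RETURNs to its caller."""
    for r in chains[chain]:
        if not matches(r, pkt):
            continue
        if r["target"] in chains:                        # jump into a user chain
            verdict = evaluate(chains, pkt, r["target"], policy=None)
            if verdict is not None:
                return verdict
            continue                                     # implicit RETURN: keep walking
        return r["target"]
    return policy

VHOST = rule("ACCEPT", "tcp", dst="10.2.1.21", dports=(25600, 25699))   # rule 8 / VHOSTS 1

ORIGINAL = {"FORWARD": [
    rule("ACCEPT", inif="br0", outif="br0"),
    rule("ACCEPT", "tcp", inif="vlan1", flags=SYN),     # rule 4: limit not exceeded => ACCEPT
    rule("ACCEPT", "tcp", inif="vlan1", flags=ACK),     # rule 5
    rule("ACCEPT", "udp", inif="vlan1", outif="br0", dports=(25500, 25599)),
    VHOST,
    rule("DROP", inif="vlan1", outif="br0")]}

FIXED = {"FORWARD": [
    rule("ACCEPT", inif="br0", outif="br0"),
    rule("VHOSTS", "tcp", inif="vlan1", flags=SYN),     # rate limit now only gates the jump
    rule("VHOSTS", "tcp", inif="vlan1", flags=ACK),
    rule("ACCEPT", "udp", inif="vlan1", outif="br0", dports=(25500, 25599)),
    rule("DROP", inif="vlan1", outif="br0")],
    "VHOSTS": [VHOST]}

def forward_verdict(chains, dst, dport):
    """Verdict for a new SYN arriving on vlan1 (WAN) and headed for the br0 LAN."""
    pkt = {"proto": "tcp", "flags": SYN, "in": "vlan1", "out": "br0", "dst": dst, "dport": dport}
    return evaluate(chains, pkt)
```

With the original chain a SYN to any LAN host is accepted by rule 4 as long as the rate limit holds; with the VHOSTS chain the same packet falls through to the final DROP unless it targets the published host and port range.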