Hello all!
I just set up a Linux bridge that uses iptables as a packet filter (firewall),
with the following setup:
SuSE 7.3 (Kernel version 2.4.9)
applied kernel patch "bridge-nf-0.0.5-against-2.4.17.diff"
My bridge startup script:
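#! /bin/sh
# Start/stop script for the bridge device br0 (SuSE rc style).
#
# Usage: bridge {start|activate|deactivate|stop}
#   start      - create br0 from eth0 and eth1 (bridge stays down unless
#                ACTIVATE_BRIDGE=yes, in which case "activate" is run too)
#   activate   - bring br0 up
#   deactivate - bring br0 down
#   stop       - bring br0 down and delete it
#
# START_BRIDGE and ACTIVATE_BRIDGE are read from /etc/rc.config;
# rc_reset, rc_exit, $rc_done and $rc_failed come from /etc/rc.status.
. /etc/rc.status
. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory
# (both sides quoted so an empty or unusual name cannot break the test).
test "$link" = "$base" && START_BRIDGE=yes
test "$START_BRIDGE" = yes || exit 0

# First reset status of this service; brctl is installed under /usr/local/sbin.
PATH=$PATH:/usr/local/sbin
rc_reset
return="$rc_done"

case "$1" in
  start)
    echo -n "Starting bridge br0..."
    # Every step is attempted even if an earlier one failed; only the
    # overall status is remembered for the rc output.
    brctl addbr br0           || return="$rc_failed"
    brctl setbridgeprio br0 0 || return="$rc_failed"
    brctl addif br0 eth0      || return="$rc_failed"
    brctl addif br0 eth1      || return="$rc_failed"
    brctl sethello br0 1      || return="$rc_failed"
    brctl setmaxage br0 4     || return="$rc_failed"
    brctl setfd br0 4         || return="$rc_failed"
    brctl stp br0 off         || return="$rc_failed"
    # 'echo -e' relies on /bin/sh being bash, as it is on SuSE.
    echo -e "$return"
    # The bridge is created down; bring it up only when configured to.
    test "$ACTIVATE_BRIDGE" = "yes" && "$0" activate
    ;;
  activate)
    echo -n "Activating bridge br0..."
    ifconfig br0 up || return="$rc_failed"
    echo -e "$return"
    ;;
  deactivate)
    echo -n "Deactivating bridge br0..."
    ifconfig br0 down || return="$rc_failed"
    echo -e "$return"
    ;;
  stop)
    echo -n "Stopping bridge br0..."
    # Not counted as a failure, presumably so an already-down bridge can
    # still be deleted -- TODO confirm this is intended.
    ifconfig br0 down
    brctl delbr br0 || return="$rc_failed"
    echo -e "$return"
    ;;
  *)
    echo "Usage: $0 {start|activate|deactivate|stop}"
    exit 1
    ;;
esac
rc_exit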
and my firewall script:
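#!/bin/sh
# Firewall rules for the transparent bridge br0 (eth0 inside, eth1 outside).
#
# Usage: firewall [stop]
#   Any argument other than "stop" (or none) installs the rule set.
#
# Fail-closed ordering: the bridge is deactivated and the outside interface
# taken down, then every chain policy is set to DROP and the chains are
# flushed, then the FORWARD rules are added, and only then is the bridge
# brought back up.  "stop" leaves the box in the all-DROP, bridge-down state.
#
# START_FW is read from /etc/rc.config; $rc_done and $rc_failed come from
# /etc/rc.status.
. /etc/rc.status
. /etc/rc.config

# Determine the base and follow a runlevel link name; force execution if
# not called by a runlevel directory.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}
test "$link" = "$base" && START_FW=yes
test "$START_FW" = yes || exit 0

test -n "$1" && echo "$1ing Firewall..."
return="$rc_done"

IFIN=eth0                 # inside (protected) side of the bridge
IFOUT=eth1                # outside side of the bridge
PSCNET=192.168.0.0/16     # inside network allowed to talk out
ROUTER=192.168.1.125/32   # the one host the inside network may ping
SAPNET=10.50.10.0/24      # SAP network reached through port 3299
BCSDATA=192.168.1.65/32   # inside host that SAPNET may reach by ssh
LOCALIP=192.168.1.125/32  # this host; not referenced by any rule below

# Take the bridge offline before touching the rules so nothing is forwarded
# while the chains are half configured.
/etc/rc.d/bridge deactivate || return="$rc_failed"
ifconfig "$IFOUT" down || return="$rc_failed"

# Default-deny on all three chains, then flush.  No INPUT/OUTPUT rules are
# added anywhere in this script, so the host itself neither accepts nor
# originates IP traffic once this has run.
iptables -P INPUT DROP   || return="$rc_failed"
iptables -P OUTPUT DROP  || return="$rc_failed"
iptables -P FORWARD DROP || return="$rc_failed"
iptables -F INPUT   || return="$rc_failed"
# A stray space here ('return ="...') would invoke the 'return' builtin
# instead of assigning, so keep the assignment as a single word.
iptables -F OUTPUT  || return="$rc_failed"
iptables -F FORWARD || return="$rc_failed"

case "$1" in
  stop)
    # All policies are DROP and the bridge is down: that is the stopped state.
    echo -n "Stopping firewall"
    echo -e "$return"
    # Same convention as the start path: 0 on success, 1 on failure.
    test "$return" = "$rc_done" || exit 1
    exit 0
    ;;
esac

# PINGING outbound: inside may ping the router, only echo-replies come back.
iptables -A FORWARD -i "$IFIN" -s "$PSCNET" -o "$IFOUT" -d "$ROUTER" \
  -p icmp --icmp-type echo-request -j ACCEPT || return="$rc_failed"
iptables -A FORWARD -i "$IFOUT" -s "$ROUTER" -o "$IFIN" -d "$PSCNET" \
  -p icmp --icmp-type echo-reply -j ACCEPT || return="$rc_failed"

# SAP outbound: inside -> SAPNET port 3299; return traffic must not be a SYN.
# NOTE(review): the '! --syn' return rules are stateless -- any non-SYN TCP
# packet from SAPNET port 3299 to an unprivileged inside port is forwarded,
# and the '1024:' source-port match is a convention, not a trust boundary.
# '-m state --state ESTABLISHED' would be tighter if connection tracking
# works together with this bridge-nf patch level; confirm before switching.
iptables -A FORWARD -i "$IFIN" -s "$PSCNET" -o "$IFOUT" -d "$SAPNET" \
  -p tcp --source-port 1024: --destination-port 3299 \
  -j ACCEPT || return="$rc_failed"
iptables -A FORWARD -i "$IFOUT" -s "$SAPNET" -o "$IFIN" -d "$PSCNET" \
  -p tcp ! --syn --source-port 3299 --destination-port 1024: \
  -j ACCEPT || return="$rc_failed"

# SSH BCSData: SAPNET -> BCSDATA port 22; same stateless caveat as above.
iptables -A FORWARD -i "$IFOUT" -s "$SAPNET" -o "$IFIN" -d "$BCSDATA" \
  -p tcp --source-port 1024: --destination-port 22 \
  -j ACCEPT || return="$rc_failed"
iptables -A FORWARD -i "$IFIN" -s "$BCSDATA" -o "$IFOUT" -d "$SAPNET" \
  -p tcp ! --syn --source-port 22 --destination-port 1024: \
  -j ACCEPT || return="$rc_failed"

# Bridging starts: the rules are in place, so bring the outside interface
# and the bridge back up.
ifconfig "$IFOUT" up || return="$rc_failed"
/etc/rc.d/bridge activate || return="$rc_failed"
echo -n "Starting Firewall"
echo -e "$return"
test "$return" = "$rc_done" || exit 1
exit 0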
The result is a working "fire-bridge", but I get about 100 MB of log output _a day_
in /var/log/messages _and_ /var/log/warn. The entries look like this:
Jan 11 13:25:45 sapfw kernel: nf_hook: hook 4 already set.
Jan 11 13:25:45 sapfw kernel: skb: pf=7 (unowned) dev=eth1 len=40
Jan 11 13:25:46 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:46 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=40
Jan 11 13:25:46 sapfw kernel: PROTO=6 192.168.2.4:1491 10.50.10.1:3299 L=40
S=0x00 I=32757 F=0x4000 T=126
Jan 11 13:25:46 sapfw kernel: nf_hook: hook 2 already set.
Jan 11 13:25:46 sapfw kernel: skb: pf=2 (unowned) dev=eth1 len=40
Jan 11 13:25:46 sapfw kernel: PROTO=6 192.168.2.4:1491 10.50.10.1:3299 L=40
S=0x00 I=32757 F=0x4000 T=126
Jan 11 13:25:46 sapfw kernel: nf_hook: hook 4 already set.
Jan 11 13:25:46 sapfw kernel: skb: pf=7 (unowned) dev=eth1 len=40
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55512 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 2 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=eth1 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55512 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55512 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 1 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55512 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55513 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 2 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=eth1 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55513 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55513 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 1 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=76
Jan 11 13:25:52 sapfw kernel: PROTO=17 192.168.1.124:123 255.255.255.255:123
L=76 S=0x00 I=55513 F=0x0000 T=254
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 0 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=br0 len=122
Jan 11 13:25:52 sapfw kernel: PROTO=6 192.168.2.4:1491 10.50.10.1:3299 L=122
S=0x00 I=51701 F=0x4000 T=126
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 2 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=2 (unowned) dev=eth1 len=122
Jan 11 13:25:52 sapfw kernel: PROTO=6 192.168.2.4:1491 10.50.10.1:3299 L=122
S=0x00 I=51701 F=0x4000 T=126
Jan 11 13:25:52 sapfw kernel: nf_hook: hook 4 already set.
Jan 11 13:25:52 sapfw kernel: skb: pf=7 (unowned) dev=eth1 len=122
What is so wrong here that the kernel complains this loudly?
Any ideas?
Thanx in advance.