Attached is the complete listing. I hope that I don't upset anybody because it's pretty long.
----- Original Message -----
Sent: Sunday, April 14, 2002 10:36 AM
Subject: Re: [Bridge] iptables

Could you post more of what you are doing (code)? It looks like you might be doing what I am trying to do:
limit the x-fer rates by IP addresses for my network.
----- Original Message -----
From: alex
Sent: Saturday, April 13, 2002 7:02 PM
Subject: [Bridge] iptables

Hello!
 
First, I want to thank the developers of this bridge for their work. It really, really helped me.
 
Now, the problems :-)
 
When I only had the bridge with no iptables patch, it worked flawlessly, but I really needed to limit the traffic from one interface to another, and I installed the bridge firewall.
 
I had something like this (perl):
     system("$ipt -A internet -j internet_dn -d $ip -m limit --limit $viteza_dn/s --limit-burst $burst_dn  -c $i_p $i_b");
     system("$ipt -A internet -j internet_up -s $ip -m limit --limit $viteza_up/s --limit-burst $burst_up -m mac --mac-source $mac -c $o_p $o_b");
and it worked.
 
After the firewall code, it didn't work anymore, and after 10 hours of trying possibilities I found that the mac address was a lame fix (and unwanted but necessary), and I changed the 2nd line to:
     system("$ipt -A internet -j internet_up -s $ip -m limit --limit $viteza_up/s --limit-burst $burst_up  -c $o_p $o_b");
 
Well, it works now, but I can't limit the machine by mac address. Somebody would say that I should use the arp daemon, but I only want to limit someone's access to the internet, not to my machine (I also run samba there).
 
2nd problem is that Windows 2000/XP will not enter a machine which is on the other side of the bridge by its name (like \\machine) ... I have to type its name: \\192.168.1.5
3rd is that I have another Inet server on the other side of the bridge and I can't use its masquerading facility. It just doesn't work. The packets arrive at the machine but will not return. And this server reports that the packets come from the bridging machine.
 
Any help would be appreciated. Thanks.
 
The forward chain is:
 
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  -- !192.168.1.1          192.168.1.0/24     tcp dpts:61000:65095  // removing this line will not resolve the 3rd problem
internet   all  --  192.168.1.0/24      !192.168.1.0/24
internet   all  -- !192.168.1.0/24       192.168.1.0/24
intranet   tcp  --  192.168.1.0/24       192.168.1.0/24     tcp spt:139
intranet   tcp  --  192.168.1.0/24       192.168.1.0/24     tcp spt:445
DROP       tcp  --  192.168.1.0/24       192.168.1.0/24     tcp spt:139
DROP       tcp  --  192.168.1.0/24       192.168.1.0/24     tcp spt:445
ACCEPT     all  --  192.168.1.0/24       192.168.1.0/24
ACCEPT     udp  --  192.168.1.0/24       192.168.1.0/24
Chain internet_dn (14 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 33/sec burst 38
 
Chain internet_up (14 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 33/sec burst 38
 
Chain intranet (4 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          limit: avg 250/sec burst 270
 
 
Chain INPUT (policy ACCEPT 70M packets, 60G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.1         MAC 00:40:33:55:0B:87
    0     0 ACCEPT     all  --  *      *       192.168.1.1          192.168.1.1
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpts:20:21
   75  3780 ACCEPT     tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *      !192.168.1.0/24       192.168.1.1         tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:53
    2    80 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:113
    5   278 intranet   tcp  --  eth2   *       0.0.0.0/0            192.168.1.0/24      tcp dpt:139
    0     0 DROP       tcp  --  eth2   *       0.0.0.0/0            192.168.1.0/24      tcp dpt:139
    0     0 ACCEPT     tcp  --  *      *       192.168.1.2          192.168.1.1         tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       192.168.1.2          192.168.1.1         tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       192.168.1.3          192.168.1.1         tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       192.168.1.3          192.168.1.1         tcp dpt:110
    0     0 DROP       tcp  --  *      *      !192.168.1.0/24       192.168.1.1         tcp dpts:0:1023
    0     0 DROP       tcp  --  *      *      !192.168.1.0/24       192.168.1.1         tcp dpt:3306
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.1.1         tcp dpt:6000
    0     0 DROP       tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:25
    0     0 DROP       tcp  --  *      *       192.168.1.0/24       192.168.1.1         tcp dpt:110

Chain FORWARD (policy DROP 15 packets, 5857 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *      !192.168.1.1          192.168.1.0/24      tcp dpts:61000:65095
    8   362 internet   all  --  *      *       192.168.1.0/24      !192.168.1.0/24
    6  5117 internet   all  --  *      *      !192.168.1.0/24       192.168.1.0/24
    0     0 intranet   tcp  --  *      *       192.168.1.0/24       192.168.1.0/24      tcp spt:139
    0     0 intranet   tcp  --  *      *       192.168.1.0/24       192.168.1.0/24      tcp spt:445
    0     0 DROP       tcp  --  *      *       192.168.1.0/24       192.168.1.0/24      tcp spt:139
    0     0 DROP       tcp  --  *      *       192.168.1.0/24       192.168.1.0/24      tcp spt:445
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.0/24
    0     0 ACCEPT     udp  --  *      *       192.168.1.0/24       192.168.1.0/24

Chain OUTPUT (policy ACCEPT 70M packets, 65G bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   238 intranet   tcp  --  *      eth2    192.168.1.0/24       0.0.0.0/0           tcp spt:139
    0     0 DROP       tcp  --  *      eth2    192.168.1.0/24       0.0.0.0/0           tcp spt:139

Chain internet (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.2
    0     0 ACCEPT     all  --  *      *       192.168.1.2          0.0.0.0/0
 118K  114M ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.3
 110K   11M ACCEPT     all  --  *      *       192.168.1.3          0.0.0.0/0

Chain internet_dn (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 23/sec burst 28

Chain internet_up (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 23/sec burst 28

Chain intranet (4 references)
 pkts bytes target     prot opt in     out     source               destination
    9   516 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 250/sec burst 270

Chain PREROUTING (policy ACCEPT 34M packets, 31G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 46541 packets, 6032K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.1.2          0.0.0.0/0           to:192.168.1.1
    0     0 SNAT       all  --  *      *       192.168.1.3          0.0.0.0/0           to:192.168.1.1

Chain OUTPUT (policy ACCEPT 27539 packets, 2194K bytes)
 pkts bytes target     prot opt in     out     source               destination        
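The per-host limit rules discussed in the thread, as an added example that is not the poster's Perl nor anything from the bridge project. It builds the same two rules per host (download into chain internet_dn, upload into internet_up, optionally pinned to a source MAC), but hands iptables an argument list instead of a shell string, so a host field can never be parsed as shell syntax, and it validates every field first. The chain names and the limit/burst figures mirror the post; the host table, the IPT path assumption and the validate/limit_rules/apply_rules names are constructed for this example.

```python
"""Per-host rate-limit rules for a bridging firewall, built as argv lists.

Added example, not code from the thread: it does the job of the Perl
system() calls in the post, but passes iptables its arguments as a list,
so no shell parses the command. Chain names and limit/burst figures mirror
the post; the host table is constructed sample data.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List

IPT = "iptables"  # assumption: iptables is on PATH and this runs as root

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample data: packets/second and burst, per direction, per host.
HOSTS: List[Dict] = [
    {"ip": "192.168.1.2", "mac": "00:40:33:55:0B:87",
     "dn": 33, "dn_burst": 38, "up": 33, "up_burst": 38},
    {"ip": "192.168.1.3", "mac": None,
     "dn": 23, "dn_burst": 28, "up": 23, "up_burst": 28},
]


def validate(host: Dict) -> None:
    """Reject anything that is not a plain IPv4 address, a MAC, or a positive
    integer before it reaches iptables; raises ValueError otherwise."""
    ipaddress.IPv4Address(host["ip"])  # AddressValueError (a ValueError) on junk
    if host.get("mac") is not None and not MAC_RE.match(host["mac"]):
        raise ValueError(f"bad MAC for {host['ip']}: {host['mac']!r}")
    for key in ("dn", "dn_burst", "up", "up_burst"):
        if not isinstance(host[key], int) or host[key] <= 0:
            raise ValueError(f"bad {key} for {host['ip']}")


def limit_rules(host: Dict) -> List[List[str]]:
    """Two rules appended to chain 'internet': traffic to the host (download)
    and traffic from it (upload), each jumping to its limit chain only while
    the rate is within limit/burst. The upload rule also matches the source
    MAC when one is given, as the post's original second rule did."""
    validate(host)
    down = [IPT, "-A", "internet", "-d", host["ip"],
            "-m", "limit", "--limit", f"{host['dn']}/s",
            "--limit-burst", str(host["dn_burst"]),
            "-j", "internet_dn"]
    up = [IPT, "-A", "internet", "-s", host["ip"]]
    if host.get("mac"):
        up += ["-m", "mac", "--mac-source", host["mac"]]
    up += ["-m", "limit", "--limit", f"{host['up']}/s",
           "--limit-burst", str(host["up_burst"]),
           "-j", "internet_up"]
    return [down, up]


def apply_rules(hosts: List[Dict], dry_run: bool = True) -> List[List[str]]:
    """Build every rule; with dry_run=False run them through subprocess
    (no shell involved). Returns the argv lists either way."""
    argvs = [rule for h in hosts for rule in limit_rules(h)]
    if not dry_run:
        for argv in argvs:
            subprocess.run(argv, check=True)
    return argvs


if __name__ == "__main__":
    for argv in apply_rules(HOSTS):
        print(" ".join(argv))
```

A packet over the configured rate simply does not match the `-m limit` rule and falls through to whatever follows it in the chain, so the limit only bites if the rest of the chain (or, as in the listing above, a FORWARD policy of DROP) discards the excess.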
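A small audit of `iptables -L -v -n` output, added here as an example and not part of the thread. It rejoins match text that was wrapped onto its own line (as in the listing above), then reports user chains whose reference count is 0, which is the quickest way to see that a limit chain is defined but never reached; in the listing above, internet_dn and internet_up both show 0 references. The SAMPLE text is constructed, modelled on that listing, and the function names parse_listing, unreferenced_chains and limits_not_in_effect are this example's own.

```python
"""Parse `iptables -L -v -n` output and flag limit chains nothing jumps to.

Added example, not code from the thread. SAMPLE below is constructed text
modelled on the listing in the post; the counter formats (118K, 114M) and
the wrapped "limit:" line reproduce how that listing appears.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Chain FORWARD (policy DROP 15 packets, 5857 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   362 internet   all  --  *      *       192.168.1.0/24      !192.168.1.0/24
    6  5117 internet   all  --  *      *      !192.168.1.0/24       192.168.1.0/24

Chain internet (2 references)
 pkts bytes target     prot opt in     out     source               destination
 118K  114M ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.3
 110K   11M ACCEPT     all  --  *      *       192.168.1.3          0.0.0.0/0

Chain internet_dn (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
limit: avg 23/sec burst 28

Chain internet_up (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
limit: avg 23/sec burst 28
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)")
COUNT_RE = re.compile(r"^\d+[KMG]?$")  # pkts/bytes columns, e.g. 0, 118K, 11M


@dataclass
class Rule:
    pkts: str
    target: str
    proto: str
    src: str
    dst: str
    extra: str = ""  # match text after the destination column


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # built-in chains have a policy ...
    references: Optional[int]  # ... user chains have a reference count
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = Chain(name, policy, int(refs) if refs is not None else None)
            chains[name] = current
            continue
        if current is None or line.lstrip().startswith("pkts bytes"):
            continue
        fields = line.split()
        if COUNT_RE.match(fields[0]) and len(fields) >= 9:
            # pkts bytes target prot opt in out source destination [match text]
            current.rules.append(Rule(fields[0], fields[2], fields[3],
                                      fields[7], fields[8], " ".join(fields[9:])))
        elif current.rules:
            # a wrapped continuation such as "limit: avg 23/sec burst 28"
            # belongs to the rule on the previous line
            last = current.rules[-1]
            last.extra = (last.extra + " " + line.strip()).strip()
    return chains


def unreferenced_chains(chains: Dict[str, Chain]) -> List[str]:
    """User chains that exist but that no rule jumps to."""
    return sorted(c.name for c in chains.values() if c.references == 0)


def limits_not_in_effect(chains: Dict[str, Chain]) -> List[str]:
    """Unreferenced chains that carry a limit match: rate limits that
    are configured but cannot be applied to any packet."""
    return sorted(c.name for c in chains.values()
                  if c.references == 0 and any("limit:" in r.extra for r in c.rules))


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("unreferenced:", unreferenced_chains(parsed))
    print("limits not in effect:", limits_not_in_effect(parsed))
```

Run it against `iptables -L -v -n` output saved to a file to get the same report for a live ruleset; a chain with 0 references and a non-zero limit rule is a configuration that looks like it throttles but does nothing.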
 
