Bug#355285: marked as done (iptables changes mac adresses during runtime (corrected version))

Debian Bug Tracking System Sat, 19 Aug 2006 13:57:57 -0700

Your message dated Sat, 19 Aug 2006 16:13:04 -0400
with message-id <[EMAIL PROTECTED]>
and subject line iptables bts cleanup
has caused the attached Bug report to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: iptables
Version: v1.2.11
Severity: grave
After some up time the mac adresses of my iptables filter are changing.I am using Debian GNU/Linux 3.1, kernel 2.4.27-2-k7
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// I am using my my own iptables script which will be started onstartup. The script is defined as follows: //
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# cat /etc/init.d/filter_masq
#! /bin/sh
# PacketFilterScript

case "$1" in
  start)
      echo -n "Turning on packet filtering:"
      echo 1 > /proc/sys/net/ipv4/ip_forward
      echo "."
      iptables -X
      iptables -F
      iptables -t nat -F

# POLICY START
      iptables -P INPUT DROP
      iptables -P FORWARD DROP
      iptables -P OUTPUT DROP
# POLICY STOP

# RULES START
#-------INPUT--------------------------------------------------------------------------------------------------------------------------------
      iptables -A INPUT -s 127.0.0.1/8 -p icmp -j ACCEPT
iptables -A INPUT -s 127.0.0.1/8 -p tcp --dport 53:3306 -jACCEPT # domain:mysqliptables -A INPUT -s 127.0.0.1/8 -p udp --dport 53:3306 -jACCEPT # domain:mysql
      iptables -A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 53:2049 -jACCEPT # domain:nfsiptables -A INPUT -s 192.168.0.0/24 -p udp --dport 53:2049 -jACCEPT # domain:nfs
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnetiptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) shodan.localnet
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnetiptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) osiris.localnet
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnetiptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) hhosch.localnetiptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -ptcp --dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-poweriptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp--dport 3128:3130 -j ACCEPT # 3128:icpv2 (squid) finn-power
iptables -A INPUT -p tcp --dport 20:21 -jACCEPT # ftp-data:ftp
iptables -A INPUT -p tcp --dport 22 -jACCEPT # sshiptables -A INPUT -p udp --dport 22 -jACCEPT # ssh
iptables -A INPUT -p tcp --dport 53 -jACCEPT # domainiptables -A INPUT -p udp --dport 53 -jACCEPT # domain
iptables -A INPUT -p tcp --dport 80 -jACCEPT # httpiptables -A INPUT -p udp --dport 80 -jACCEPT # http
iptables -A INPUT -p tcp --dport 123 -jACCEPT # ntpiptables -A INPUT -p udp --dport 123 -jACCEPT # ntp
iptables -A INPUT -p tcp --dport 443 -jACCEPT # httpsiptables -A INPUT -p udp --dport 443 -jACCEPT # https
iptables -A INPUT -p tcp --dport 3306 -jACCEPT # mysqliptables -A INPUT -p udp --dport 3306 -jACCEPT # mysql
iptables -A INPUT -p tcp --dport 32768:65535 -jACCEPT # 32768:65535iptables -A INPUT -p udp --dport 32768:65535 -jACCEPT # 32768:65535
#-------FORWARD------------------------------------------------------------------------------------------------------------------------------
      iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -jACCEPT # shodan.localnetiptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -jACCEPT # osiris.localnetiptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -jACCEPT # hhosch.localnetiptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -jACCEPT # finn-power
#-------OUTPUT-------------------------------------------------------------------------------------------------------------------------------
      iptables -A OUTPUT -d 127.0.0.1/8 -p icmp -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1/8 -p tcp --sport 53:3306 -jACCEPT # domain:mysqliptables -A OUTPUT -d 127.0.0.1/8 -p udp --sport 53:3306 -jACCEPT # domain:mysql
      iptables -A OUTPUT -d 192.168.0.0/24 -p icmp -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 53:2049 -jACCEPT # domain:nfsiptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 53:2049 -jACCEPT # domain:nfs
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 3128:3130 -jACCEPT # 3128:icpv2 (squid)iptables -A OUTPUT -d 192.168.0.0/24 -p udp --sport 3128:3130 -jACCEPT # 3128:icpv2 (squid)
iptables -A OUTPUT -p tcp --sport 20:21 -jACCEPT # ftp-data:ftp
iptables -A OUTPUT -p tcp --sport 22 -jACCEPT # sshiptables -A OUTPUT -p udp --sport 22 -jACCEPT # ssh
iptables -A OUTPUT -p tcp --sport 53 -jACCEPT # domainiptables -A OUTPUT -p udp --sport 53 -jACCEPT # domain
iptables -A OUTPUT -p tcp --sport 80 -jACCEPT # httpiptables -A OUTPUT -p udp --sport 80 -jACCEPT # http
iptables -A OUTPUT -p tcp --sport 123 -jACCEPT # ntpiptables -A OUTPUT -p udp --sport 123 -jACCEPT # ntp
iptables -A OUTPUT -p tcp --sport 443 -jACCEPT # httpsiptables -A OUTPUT -p udp --sport 443 -jACCEPT # https
iptables -A OUTPUT -p tcp --sport 3306 -jACCEPT # mysqliptables -A OUTPUT -p udp --sport 3306 -jACCEPT # mysql
iptables -A OUTPUT -p tcp --sport 32768:65535 -jACCEPT # 32768:65535iptables -A OUTPUT -p udp --sport 32768:65535 -jACCEPT # 32768:65535
#-------nat----------------------------------------------------------------------------------------------------------------------------------iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80-j REDIRECT --to 3128iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport443 -j REDIRECT --to 3128iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport8080 -j REDIRECT --to 3128
iptables -t nat -A POSTROUTING -p icmp -s 192.168.0.0/24 -o ppp0-j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport20:123 -o ppp0 -j MASQUERADEiptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport22:123 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 --dport995:65535 -o ppp0 -j MASQUERADEiptables -t nat -A POSTROUTING -p udp -s 192.168.0.0/24 --dport995:65535 -o ppp0 -j MASQUERADE
# RULES STOP

      ;;
  stop)
      echo -n "Turning off packet filtering:"
      echo 0 > /proc/sys/net/ipv4/ip_forward
      iptables -X
      iptables -F
      iptables -P INPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -t nat -F
      echo "."
      ;;
  *)
      echo "Usage: { start | stop }"
      exit 1
      ;;
esac

exit 0
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// The rules after startup are the following://
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# /etc/init.d/filter_masq start
Turning on packet filtering:.
debian:/home/hgsch# iptables-L
Chain INPUT (policy DROP)
target prot opt source destination ACCEPTicmp -- 127.0.0.0/8 anywhere ACCEPT tcp --127.0.0.0/8 anywhere tcp dpts:domain:mysqlACCEPT udp -- 127.0.0.0/8 anywhere udpdpts:domain:mysqlACCEPT icmp -- localnet/24 anywhere ACCEPTtcp -- localnet/24 anywhere tcp dpts:domain:2049ACCEPT udp -- localnet/24 anywhere udpdpts:domain:2049ACCEPT tcp -- anywhere anywhere MAC00:20:ED:39:91:E7 tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:20:ED:39:91:E7 udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:12:3F:D6:89:8A tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:12:3F:D6:89:8A udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:13:D3:FD:20:FA tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:13:D3:FD:20:FA udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:14:38:00:AB:A6 tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:14:38:00:AB:A6 udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere tcpdpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcpdpts:32768:65535ACCEPT udp -- anywhere anywhere udpdpts:32768:65535
Chain FORWARD (policy DROP)
target prot opt source destination ACCEPTall -- anywhere localnet/24 ACCEPT all --anywhere anywhere MAC 00:20:ED:39:91:E7ACCEPT all -- anywhere anywhere MAC00:12:3F:D6:89:8AACCEPT all -- anywhere anywhere MAC00:13:D3:FD:20:FAACCEPT all -- anywhere anywhere MAC00:14:38:00:AB:A6
Chain OUTPUT (policy DROP)
target prot opt source destination ACCEPTicmp -- anywhere 127.0.0.0/8 ACCEPT tcp --anywhere 127.0.0.0/8 tcp spts:domain:mysqlACCEPT udp -- anywhere 127.0.0.0/8 udpspts:domain:mysqlACCEPT icmp -- anywhere localnet/24 ACCEPTtcp -- anywhere localnet/24 tcp spts:domain:2049ACCEPT udp -- anywhere localnet/24 udpspts:domain:2049ACCEPT tcp -- anywhere localnet/24 tcpspts:3128:icpv2ACCEPT udp -- anywhere localnet/24 udpspts:3128:icpv2ACCEPT tcp -- anywhere anywhere tcpspts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
ACCEPT     udp  --  anywhere             anywhere            udp spt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     udp  --  anywhere             anywhere            udp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp spt:mysql
ACCEPT tcp -- anywhere anywhere tcpspts:32768:65535ACCEPT udp -- anywhere anywhere udpspts:32768:65535
debian:/home/hgsch#


///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// But after some up time the mac adresses of the iptables filter arechanging and the computers are unable to access the proxy server: //
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
debian:/home/hgsch# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination ACCEPTicmp -- 127.0.0.0/8 anywhere ACCEPT tcp --127.0.0.0/8 anywhere tcp dpts:domain:mysqlACCEPT udp -- 127.0.0.0/8 anywhere udpdpts:domain:mysqlACCEPT icmp -- localnet/24 anywhere ACCEPTtcp -- localnet/24 anywhere tcp dpts:domain:2049ACCEPT udp -- localnet/24 anywhere udpdpts:domain:2049ACCEPT tcp -- anywhere anywhere MAC00:20:ED:39:91:E7 tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:20:ED:39:91:E7 udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:05:5D:F5:E8:FF tcp dpts:3128:icpv2ACCEPT udp -- anywhere anywhere MAC00:05:5D:F5:E8:FF udp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:05:5D:F6:10:BD tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:05:5D:F6:10:BD tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:12:3F:D6:89:8A tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:12:3F:D6:89:8A tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:14:38:00:AB:A6 tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere MAC00:14:38:00:AB:A6 tcp dpts:3128:icpv2ACCEPT tcp -- anywhere anywhere tcpdpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcpdpts:32768:65535ACCEPT udp -- anywhere anywhere udpdpts:32768:65535
Chain FORWARD (policy DROP)
target prot opt source destination TCPMSStcp -- anywhere anywhere tcp flags:SYN,RST/SYNtcpmss match 1400:1536 TCPMSS clamp to PMTUACCEPT all -- anywhere localnet/24 ACCEPTall -- anywhere anywhere MAC 00:20:ED:39:91:E7ACCEPT all -- anywhere anywhere MAC00:05:5D:F5:E8:FFACCEPT all -- anywhere anywhere MAC00:05:5D:F6:10:BDACCEPT all -- anywhere anywhere MAC00:12:3F:D6:89:8AACCEPT all -- anywhere anywhere MAC00:14:38:00:AB:A6
Chain OUTPUT (policy DROP)
target prot opt source destination ACCEPTicmp -- anywhere 127.0.0.0/8 ACCEPT tcp --anywhere 127.0.0.0/8 tcp spts:domain:mysqlACCEPT udp -- anywhere 127.0.0.0/8 udpspts:domain:mysqlACCEPT icmp -- anywhere localnet/24 ACCEPTtcp -- anywhere localnet/24 tcp spts:domain:2049ACCEPT udp -- anywhere localnet/24 udpspts:domain:2049ACCEPT tcp -- anywhere localnet/24 tcpspts:3128:icpv2ACCEPT udp -- anywhere localnet/24 udpspts:3128:icpv2ACCEPT tcp -- anywhere anywhere tcpspts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www
ACCEPT     udp  --  anywhere             anywhere            udp spt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp spt:ntp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
ACCEPT     udp  --  anywhere             anywhere            udp spt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:mysql
ACCEPT     udp  --  anywhere             anywhere            udp spt:mysql
ACCEPT tcp -- anywhere anywhere tcpspts:32768:65535ACCEPT udp -- anywhere anywhere udpspts:32768:65535
--- End Message ---

--- Begin Message ---

276043 iptables: at least warn of leftover junk
317379 iptables: please provide initscript for reloading firewall rules at boot
360448 iptables: eats MAC addresses

Cleaning up stuff that will not be fixed or is just unfathomable. Sorry.

--- End Message ---

Bug#355285: marked as done (iptables changes mac adresses during runtime (corrected version))

Reply via email to