On Mon, Jan 30, 2012 at 7:03 AM, Levi Pearson <[email protected]> wrote:
> I am not a general expert on Linux networking, but I know enough about nic
> drivers to strongly doubt that the driver or card are to blame for this.
>
> I suggest a deeper exploration of the options to the iptables command,
> because "iptables -L" barely scratches the surface of what it can tell you.
> It is actually my go-to tool for diagnosing any network problem regarding
> the forwarding of packets in Linux.
>
> I would give more details, but I don't know the options off the top of my
> head and I am typing this on my phone. Good luck!
I don't know if you've looked at this any further yet or not, but I am now on a real computer with access to man pages, so I can give some more details.

First, the iptables dump you gave is missing a lot of information that is actually contained in the table you are looking at. If you give the -v and -x arguments, you will get much more detailed and specific information regarding which interface the rule belongs to, as well as counters that will tell you how much traffic that rule has applied to. Watching these counters will tell you where, if it's happening due to a rule, the packets you're sending are getting dropped.

Second, this is only the output from one table. There are other tables as well that you should look at, especially the nat table. Use '-t nat' to see the nat table, which is applied first for any packet that creates a new connection. There may be some relevant rules there, though it's likely the filter table that's causing your issue.

I know you shut off netfiltering for the bridge devices, but there are plenty of other points where things could be getting blocked. You'll notice you have 3 REJECT rules in the FORWARD chain that apply from anywhere to anywhere, but adding -v will show you the information which differentiates them, which is the in/out interfaces that it will apply to. You'll also want to know which interfaces the ACCEPT rules apply to.

Also, looking at ifconfig for packet stats on your interfaces while you're trying to transfer across a broken path might give you an idea of where things are broken, and you can do a tcpdump filtered on ICMP traffic on each of the interfaces while pinging to verify where they stop. That shouldn't involve a whole lot of setup overhead.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
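The counter-watching technique Levi describes, as an added example that is not part of the thread: take a snapshot of the FORWARD chain with the verbose, exact counters (`iptables -L FORWARD -v -x -n`; the `-n` is my addition to avoid DNS lookups), reproduce the failing ping, take a second snapshot, and report which rules' packet counters moved. Both snapshots below are constructed sample output (the interface names br0 and virbr0 are placeholders, not from the thread), so the script runs without root or iptables; in real use you would capture them with the commented-out commands.

```shell
#!/bin/sh
# Added example: find which FORWARD rule is matching traffic by diffing the
# per-rule packet counters between two `iptables -L FORWARD -v -x -n` snapshots.
# -v adds the pkts/bytes/in/out columns, -x prints exact counters (no K/M
# suffixes, so field 1 is always a plain integer), -n skips name resolution.

# Real use (requires root):
#   before=$(iptables -L FORWARD -v -x -n); ping -c 5 <far side>; after=$(iptables -L FORWARD -v -x -n)
# Here both snapshots are constructed sample output for illustration.
SNAP_BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
      42     3528 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

SNAP_AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0
      47     3948 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
       0        0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# counter_delta BEFORE AFTER
# Prints one line per rule whose packet counter changed:
#   rule <n> <target> in=<iface> out=<iface> delta=<packets>
# Column layout of `iptables -L -v -x -n`: pkts bytes target prot opt in out src dst [extra]
counter_delta() {
    { printf '%s\n' "$1"; printf '%s\n' '=== AFTER ==='; printf '%s\n' "$2"; } |
    awk '
        /^=== AFTER ===$/        { after = 1; n = 0; next }   # switch to second snapshot
        /^Chain / || /^ *pkts +bytes/ { next }                # skip chain/header lines
        $1 ~ /^[0-9]+$/ {                                     # a rule line (exact counter)
            n++
            if (!after) {
                before[n] = $1
                desc[n]   = $3 " in=" $6 " out=" $7
            } else if ($1 != before[n]) {
                printf "rule %d %s delta=%d\n", n, desc[n], $1 - before[n]
            }
        }'
}

# Usage: the rule whose counter grew by the number of pings sent is the one
# the packets are hitting; if it is a REJECT/DROP, that is where they die.
counter_delta "$SNAP_BEFORE" "$SNAP_AFTER"
```

Repeat the same snapshot pair with `-t nat` to see whether a nat-table rule is touching the new connection before the filter table gets it.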
