lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <925A849792280C4E80C5461017A4B8A2A0487A@mail733.InfraSupportEtc.com>
Date:	Sat, 26 Nov 2011 02:27:12 -0600
From:	"Greg Scott" <GregScott@...rasupport.com>
To:	<netdev@...r.kernel.org>
Subject: RE: ebtables on a stick

I have a situation that needs to route mostly and bridge only a little bit.  

I have a private internal LAN, 192.168.10.nnn.  But one host in the internal side needs a real public IP Address, call it 1.2.115.157.  

I have a Linux firewall set up with ebtables. Interface eth0 faces the Internet and has an IP Address of 1.2.115.146. Interface eth1 is on the LAN side with IP Address 192.168.10.1. Bridge br0 currently has no IP Address and bridges eth0 and eth1. Everyone on the LAN side except my public IP Address host uses the private side of the firewall at 192.160.10.1 for default gateway. The public IP Address host uses the public side of the firewall at 1.2.115.146 for default gateway.

The challenge - I need my public IP Address host to communicate with everyone around the Internet, including the private LAN – and I’ll filter that appropriately with iptables.  Everything else should route traditionally.  

This mostly works, except I am having trouble communicating with hosts in the private LAN.  I can communicate anywhere else on the Internet as long as I don’t try to use my own DNS servers in the private LAN to translate names.   After studying ebtables examples and tons of trial and error, I still don’t get it.  Here are the ebtables rules:

[root@...c-fw2011 firewall-scripts]# ebtables -t broute -Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 9, policy: ACCEPT
-p IPv4 --ip-src 1.2.115.157 -j ACCEPT
-p IPv4 --ip-dst 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-src 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-dst 1.2.115.157 -j ACCEPT
-j redirect  --redirect-target DROP
[root@...c-fw2011 firewall-scripts]#

When my public IP host pings the internal LAN, the internal LAN host replies. Watching tcpdump from the firewall, I can see the echo request come in and go out on both br0 and eth1 and I see the echo reply come back on eth1. But then the reply dies and I never send it back out eth1 over the wire. And when a private host pings the public host, the echo request dies at the firewall. So somehow, I am having trouble getting private→public traffic out of br0 and onto eth1.

What am I missing?

Thanks

- Greg Scott
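A small simulation of the BROUTING decisions the quoted ruleset makes, added here as an illustration and not part of Greg's message or of ebtables itself: it applies the five rules above with first-match semantics to the flows the message describes. The Frame type, the field names and the addresses for the private DNS server, a private LAN host and an Internet host are constructed for the example.

```python
from dataclasses import dataclass

PUBLIC_HOST = "1.2.115.157"   # the one LAN host that keeps a public address

@dataclass
class Frame:
    """Constructed test frame: only the fields the broute rules inspect."""
    proto: str   # "IPv4" or "ARP"
    src: str     # IP source (IPv4) or ARP sender IP
    dst: str     # IP destination (IPv4) or ARP target IP

# The five BROUTING rules from the listing, in order: (proto, field, value, target).
# A None proto is the unconditional final rule.
RULES = [
    ("IPv4", "src", PUBLIC_HOST, "ACCEPT"),
    ("IPv4", "dst", PUBLIC_HOST, "ACCEPT"),
    ("ARP",  "src", PUBLIC_HOST, "ACCEPT"),
    ("ARP",  "dst", PUBLIC_HOST, "ACCEPT"),
    (None,   None,  None,        "redirect DROP"),
]

def broute(frame: Frame) -> str:
    """First matching rule decides. In the broute table ACCEPT keeps the frame on
    the bridge path ('bridge'); 'redirect --redirect-target DROP' rewrites the
    destination MAC to the bridge port's own MAC and hands the frame to the IP
    stack instead ('route')."""
    for proto, field, value, target in RULES:
        if proto is not None and (frame.proto != proto or getattr(frame, field) != value):
            continue
        return "bridge" if target == "ACCEPT" else "route"
    return "bridge"   # chain policy ACCEPT: unmatched frames stay on the bridge

def classify_flows() -> dict:
    """Run the flows described in the message through the chain."""
    flows = {
        "public host -> private LAN host (echo request)": Frame("IPv4", PUBLIC_HOST, "192.168.10.20"),
        "private LAN host -> public host (echo reply)":   Frame("IPv4", "192.168.10.20", PUBLIC_HOST),
        "public host -> private DNS server (query)":      Frame("IPv4", PUBLIC_HOST, "192.168.10.2"),
        "public host -> Internet":                        Frame("IPv4", PUBLIC_HOST, "198.51.100.7"),
        "private LAN host -> Internet":                   Frame("IPv4", "192.168.10.20", "198.51.100.7"),
        "private LAN host ARP for firewall gateway":      Frame("ARP", "192.168.10.20", "192.168.10.1"),
        "anyone ARP for public host":                     Frame("ARP", "1.2.115.146", PUBLIC_HOST),
    }
    return {name: broute(f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, verdict in classify_flows().items():
        print(f"{verdict:6}  {name}")
```

Every flow that touches the public host comes back as "bridge", including the ones a private LAN host sends to its default gateway 192.168.10.1 and the ones the public host sends via 1.2.115.146; those frames carry the firewall's own MAC as destination, so comparing this verdict with the tcpdump observations on br0 and eth1 is the first thing to check.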
