
Problems with iptables and bridge
Hi List,

I generated the following rules with mastershaper.
When the rules are loaded, all connections are blocked.

Kernel 2.6.19
Iptables 1.3.8
l7-filter
iproute2
ipp2p

All kernel modules are loaded.

Why?

Thank you for any assistance.

Stefan



Chain PREROUTING (policy ACCEPT 2922 packets, 883K bytes)
pkts bytes target prot opt in out source
destination
1257 101K ms-prerouting all -- * * 0.0.0.0/0
0.0.0.0/0

Chain INPUT (policy ACCEPT 1851 packets, 708K bytes)
pkts bytes target prot opt in out source
destination

Chain FORWARD (policy ACCEPT 2342 packets, 279K bytes)
pkts bytes target prot opt in out source
destination

Chain OUTPUT (policy ACCEPT 600 packets, 605K bytes)
pkts bytes target prot opt in out source
destination

Chain POSTROUTING (policy ACCEPT 2925 packets, 883K bytes)
pkts bytes target prot opt in out source
destination
1105 79454 ms-all-chains all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out eth1
146 16690 ms-all-chains all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-out eth0

Chain ms-all (2 references)
pkts bytes target prot opt in out source
destination
0 0 MARK all -- * * 0.0.0.0/0
192.168.100.0/24 PHYSDEV match --physdev-in eth0 MARK set 0x78512774
0 0 RETURN all -- * * 0.0.0.0/0
192.168.100.0/24 PHYSDEV match --physdev-in eth0
1105 79454 MARK all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth0 MARK set 0x537c74b1
1105 79454 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth0
0 0 MARK all -- * * 192.168.100.0/24
0.0.0.0/0 PHYSDEV match --physdev-in eth1 MARK set 0xc0ed4017
0 0 RETURN all -- * * 192.168.100.0/24
0.0.0.0/0 PHYSDEV match --physdev-in eth1
146 16690 MARK all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth1 MARK set 0xebc013d6
146 16690 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth1

Chain ms-all-chains (2 references)
pkts bytes target prot opt in out source
destination
0 0 ms-chain-eth1-1:11 all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK match 0x78512774
1105 79454 ms-chain-eth1-1:21 all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK match 0x537c74b1
0 0 ms-chain-eth0-1:11 all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK match 0xc0ed4017
146 16690 ms-chain-eth0-1:21 all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK match 0xebc013d6

Chain ms-chain-eth0-1:11 (1 references)
pkts bytes target prot opt in out source
destination
Chain ms-chain-eth0-1:21 (1 references)
pkts bytes target prot opt in out source
destination
0 0 CLASSIFY udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 5008,5009 CLASSIFY set 1:22
0 0 RETURN udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 5008,5009
0 0 CLASSIFY tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 20,21,80,443 CLASSIFY set 1:23
0 0 RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 20,21,80,443
146 16690 CLASSIFY all -- * * 0.0.0.0/0
0.0.0.0/0 CLASSIFY set 1:299
146 16690 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0

Chain ms-chain-eth1-1:11 (1 references)
pkts bytes target prot opt in out source
destination

Chain ms-chain-eth1-1:21 (1 references)
pkts bytes target prot opt in out source
destination
0 0 CLASSIFY udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 5008,5009 CLASSIFY set 1:22
0 0 RETURN udp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 5008,5009
0 0 CLASSIFY tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 20,21,80,443 CLASSIFY set 1:23
0 0 RETURN tcp -- * * 0.0.0.0/0
0.0.0.0/0 multiport ports 20,21,80,443
1105 79454 CLASSIFY all -- * * 0.0.0.0/0
0.0.0.0/0 CLASSIFY set 1:299
1105 79454 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0

Chain ms-prerouting (1 references)
pkts bytes target prot opt in out source
destination
1257 101K CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK restore
1105 79454 ms-all all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth0
146 16690 ms-all all -- * * 0.0.0.0/0
0.0.0.0/0 PHYSDEV match --physdev-in eth1
1257 101K CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 CONNMARK save

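#!/usr/bin/env bash
#
# MasterShaper-generated HFSC traffic shaping for a two-port bridge
# (eth0 <-> eth1).
#
# How it fits together:
#   mangle/PREROUTING  -> ms-prerouting: restore the connmark, then ms-all
#                         marks bridged packets by ingress port
#                         (--physdev-in) and, at the very end, saves the
#                         mark into the conntrack entry (CONNMARK).
#   mangle/POSTROUTING -> ms-all-chains: picks the per-egress-port chain
#                         by connmark; that chain CLASSIFYs packets into
#                         the HFSC leaf classes (1:22 VoIP, 1:23 Web,
#                         1:299 everything else) on the egress device.
#
# Usage:    run as root on the bridge host. The commands only add chains,
#           classes and rules - they never flush - so the mangle table
#           must be empty and eth0/eth1 must have no root qdisc yet.
# Requires: iptables with physdev, connmark, multiport and CLASSIFY;
#           tc with hfsc (the corresponding kernel modules loaded).
#
# NOTE(review): the posted listing had its long commands wrapped by the
# mailer (e.g. "--physdev-in eth0" / "-j ms-all" on two lines), which
# turns one rule into two broken commands; they are rejoined here.
set -eu

readonly IPT=/sbin/iptables
readonly TC=/sbin/tc
# Traffic to/from this network takes the "DMZ-ignore" path and is not
# classified into any shaping class.
readonly DMZ_NET=192.168.100.0/24

#######################################
# Run one iptables command against the mangle table.
# Globals:   IPT (read)
# Arguments: iptables arguments that follow "-t mangle"
# Returns:   exit status of iptables
#######################################
mangle() {
  "$IPT" -t mangle "$@"
}

#######################################
# Create the chains shared by both directions and hook them into
# PREROUTING. Must run before shape_dev.
# Globals:   IPT (read, via mangle)
# Arguments: none
#######################################
setup_shared_chains() {
  mangle -N ms-all
  mangle -N ms-all-chains
  mangle -N ms-prerouting
  mangle -A PREROUTING -j ms-prerouting
  # First rule of ms-prerouting: packets of an already-marked flow get
  # their mark back from conntrack before ms-all runs.
  mangle -A ms-prerouting -j CONNMARK --restore-mark
}

#######################################
# Install the HFSC tree on one egress device and the mangle rules that
# mark traffic entering through the opposite port for it.
# Globals:   TC, DMZ_NET (read); IPT (read, via mangle)
# Arguments:
#   $1 - egress device that receives the HFSC qdisc (eth1 or eth0)
#   $2 - ingress device whose bridged traffic is marked for $1
#   $3 - iptables match selecting DMZ traffic on this path: -d or -s
#   $4 - connmark of the DMZ-ignore path (chain ...-1:11)
#   $5 - connmark of the WAN path (chain ...-1:21)
# Returns:   0 on success; aborts the script on the first failed command
#######################################
shape_dev() {
  local out_dev=$1 in_dev=$2 dmz_match=$3 dmz_mark=$4 wan_mark=$5
  local ignore_chain="ms-chain-${out_dev}-1:11"
  local wan_chain="ms-chain-${out_dev}-1:21"

  # NOTE(review): "default 1" selects class 1:1, and 1:1 becomes an
  # inner (non-leaf) class as soon as 1:21 is added under it below. HFSC
  # drops packets whose selected class is not a leaf, and the catch-all
  # u32 filter below also points at 1:1, so anything that reaches
  # $out_dev without a leaf classid set by CLASSIFY is discarded - e.g.
  # bridged frames iptables never marks (such as ARP), the DMZ-ignore
  # traffic (its chain holds no CLASSIFY and no tc class 1:11 exists),
  # and any flow that is not in the WAN chain. This is a likely cause of
  # "all connections are blocked"; confirm with the drop counters of
  # `tc -s qdisc show dev $out_dev`. The fix is to make the default a
  # leaf class; the tc commands are left as MasterShaper emitted them.
  "$TC" qdisc add dev "$out_dev" handle 1: root hfsc default 1
  mangle -A ms-prerouting -m physdev --physdev-in "$in_dev" -j ms-all
  mangle -A POSTROUTING -m physdev --physdev-out "$out_dev" -j ms-all-chains
  "$TC" class add dev "$out_dev" parent 1: classid 1:1 hfsc \
    sc rate 102400Kbit ul rate 102400Kbit
  # Catch-all filter: every packet without a CLASSIFY priority -> 1:1.
  "$TC" filter add dev "$out_dev" parent 1:0 protocol all u32 match u32 0 0 \
    classid 1:1

  ######### chain DMZ-ignore
  # DMZ traffic is marked and RETURNed before the WAN rules so it never
  # gets the WAN mark. The per-device chain stays empty on purpose.
  mangle -N "$ignore_chain"
  mangle -A ms-all-chains -m connmark --mark "$dmz_mark" -j "$ignore_chain"
  mangle -A ms-all -m physdev --physdev-in "$in_dev" "$dmz_match" "$DMZ_NET" \
    -j MARK --set-mark "$dmz_mark"
  mangle -A ms-all -m physdev --physdev-in "$in_dev" "$dmz_match" "$DMZ_NET" \
    -j RETURN

  ######### chain WAN
  "$TC" class add dev "$out_dev" parent 1:1 classid 1:21 hfsc \
    sc rate 2048Kbit rt rate 2048Kbit
  mangle -N "$wan_chain"
  mangle -A ms-all-chains -m connmark --mark "$wan_mark" -j "$wan_chain"
  mangle -A ms-all -m physdev --physdev-in "$in_dev" \
    -j MARK --set-mark "$wan_mark"
  mangle -A ms-all -m physdev --physdev-in "$in_dev" -j RETURN

  ######### generating pipes for WAN
  ######### pipe VoIP-Traffic (1:22): UDP ports 5008,5009
  "$TC" class add dev "$out_dev" parent 1:21 classid 1:22 hfsc \
    sc umax 1500b dmax 100ms rate 368Kbit ul rate 760Kbit \
    rt umax 1500b dmax 100ms rate 368Kbit ul rate 760Kbit
  "$TC" qdisc add dev "$out_dev" handle 22: parent 1:22 hfsc
  mangle -A "$wan_chain" -p 17 -m multiport --port 5008,5009 \
    -j CLASSIFY --set-class 1:22
  mangle -A "$wan_chain" -p 17 -m multiport --port 5008,5009 -j RETURN

  ######### pipe Web-Traffic (1:23): TCP ports 20,21,80,443
  "$TC" class add dev "$out_dev" parent 1:21 classid 1:23 hfsc \
    sc umax 1500b dmax 250ms rate 128Kbit ul rate 256Kbit \
    rt umax 1500b dmax 250ms rate 128Kbit ul rate 256Kbit
  "$TC" qdisc add dev "$out_dev" handle 23: parent 1:23 hfsc
  mangle -A "$wan_chain" -p 6 -m multiport --port 20,21,80,443 \
    -j CLASSIFY --set-class 1:23
  mangle -A "$wan_chain" -p 6 -m multiport --port 20,21,80,443 -j RETURN

  ######### remaining WAN traffic (1:299)
  "$TC" class add dev "$out_dev" parent 1:21 classid 1:299 hfsc \
    sc rate 256Kbit ul rate 10240Kbit rt rate 256Kbit ul rate 10240Kbit
  "$TC" qdisc add dev "$out_dev" handle 299: parent 1:299 hfsc
  mangle -A "$wan_chain" -j CLASSIFY --set-class 1:299
  mangle -A "$wan_chain" -j RETURN
}

#######################################
# Entry point: shared chains, then both bridge directions, then persist
# the mark. Rule order inside ms-all / ms-all-chains / ms-prerouting is
# the same as in the original listing (eth1 side first, eth0 side second).
# Arguments: none
#######################################
main() {
  setup_shared_chains
  ######### Incoming Rules: enters eth0, shaped on egress eth1
  shape_dev eth1 eth0 -d 0x78512774 0x537c74b1
  ######### Outgoing Rules: enters eth1, shaped on egress eth0
  shape_dev eth0 eth1 -s 0xc0ed4017 0xebc013d6
  # Last rule of ms-prerouting: store whatever mark ms-all set so that
  # the rest of the flow is handled by CONNMARK --restore-mark.
  mangle -A ms-prerouting -j CONNMARK --save-mark
}

main "$@"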