
Bug#360447: marked as done (iptables damages mac rules with kernel-image-2.4.27-3-k7)



Your message dated Sun, 2 Apr 2006 10:31:14 -0600
with message-id <20060402163113.GA6283@colo>
and subject line closing duplicate of #360448
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kernel-image-2.4.27-3-k7
Version: 2.4
Severity: grave


I am using my own iptables script where I execute the following iptables commands on startup:

 iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
 iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT

 iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
 iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
 iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
 iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT


When the server is up, the mac rules are correct like this:

 debian:~# iptables -L
 Chain INPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2

 Chain FORWARD (policy DROP)
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7
 ACCEPT     all  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A
 ACCEPT     all  --  anywhere             anywhere            MAC 00:13:D3:FD:20:FA
 ACCEPT     all  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6


But after some uptime the mac rules are morphing like this:

 debian:~# iptables -L
 Chain INPUT (policy DROP)
 target     prot opt source               destination
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
 ACCEPT     udp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
 ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2

 Chain FORWARD (policy DROP)
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7
 ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF
 ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD
 ACCEPT     all  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A
 ACCEPT     all  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6


Now the computer with the MAC address 00:13:D3:FD:20:FA is unable to access the squid proxy server on port 3128 because the MAC address is completely missing.



--- End Message ---
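As an added check that is not part of the bug report or of the Debian package: a small script (my own, not the reporter's) that parses `iptables -L` output, collects the MAC matches per chain, and compares them with the intended allow-list from the rules above, so a cron job or monitoring hook can flag the kind of rule drift the report describes. The DRIFTED listing is a constructed sample abridged from the second listing in the report.

```python
import re

# Intended MAC allow-list, taken from the iptables commands in the report.
ALLOWED = {"00:20:ED:39:91:E7", "00:12:3F:D6:89:8A",
           "00:13:D3:FD:20:FA", "00:14:38:00:AB:A6"}
EXPECTED = {"INPUT": ALLOWED, "FORWARD": ALLOWED}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy")
MAC_RE = re.compile(r"\bMAC ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

def parse_mac_rules(listing):
    """Return {chain: [mac, ...]} for every rule in `iptables -L` text that carries a MAC match."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = MAC_RE.search(line)
        if m and current:
            chains.setdefault(current, []).append(m.group(1).upper())
    return chains

def check_drift(listing, expected=EXPECTED):
    """Per chain, report MACs that should be present but are not, and MACs present that were never configured."""
    observed = parse_mac_rules(listing)
    report = {}
    for chain, want in expected.items():
        have = set(observed.get(chain, []))
        report[chain] = {"missing": sorted(want - have), "unexpected": sorted(have - want)}
    return report

# Constructed sample: the "after some uptime" listing from the report, abridged.
DRIFTED = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT     tcp  --  anywhere             anywhere            MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            MAC 00:20:ED:39:91:E7
ACCEPT     all  --  anywhere             anywhere            MAC 00:05:5D:F6:10:BD
"""

if __name__ == "__main__":
    print(check_drift(DRIFTED))
```

On a live box, feed it the output of `iptables -L` instead of DRIFTED; any non-empty "missing" or "unexpected" list is the signal to investigate.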
--- Begin Message ---
-- 
dann frazier


--- End Message ---
