
Bug#360448: iptables damages mac rules with kernel-image-2.4.27-3-k7



Package: kernel-image-2.4.27-3-k7
Version: 2.4
Severity: grave


I am using my own iptables script where I execute the following iptables commands on startup:

iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT

iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT


When the server is up, the mac rules are correct like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:13:D3:FD:20:FA
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6


But after some uptime the mac rules morph like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6


Now the computer with the mac address 00:13:D3:FD:20:FA is unable to access the squid proxy server on port 3128 because the mac address is completely missing.
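An added example, not part of the bug report: a small audit that an administrator could run over `iptables -L` output to detect the kind of rule drift described above. It parses each chain, collects the MAC addresses the rules match on, and reports which configured MACs have vanished and which unconfigured ones have appeared. The expected MAC set and the sample listing are taken from the report; the function names and the `EXPECTED_MACS`/`MORPHED_FORWARD` names are my own.

```python
import re

# The MAC addresses the reporter's firewall script is meant to allow (from the bug report).
EXPECTED_MACS = {
    "00:20:ED:39:91:E7",
    "00:12:3F:D6:89:8A",
    "00:13:D3:FD:20:FA",
    "00:14:38:00:AB:A6",
}

CHAIN_RE = re.compile(r"^Chain (\S+)")
MAC_RE = re.compile(r"\bMAC ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


def parse_chains(listing):
    """Map chain name -> MAC addresses its rules match on, in rule order (from `iptables -L` text)."""
    chains = {}
    current = None
    for line in listing.splitlines():
        head = CHAIN_RE.match(line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current is not None:
            # Rules without a MAC match (and the column header) contribute nothing.
            chains[current].extend(mac.upper() for mac in MAC_RE.findall(line))
    return chains


def audit(listing, expected=EXPECTED_MACS):
    """Per chain: configured MACs that are gone, and MACs present that were never configured."""
    report = {}
    for chain, macs in parse_chains(listing).items():
        seen = set(macs)
        report[chain] = {"missing": expected - seen, "unexpected": seen - expected}
    return report


# Constructed sample: the FORWARD chain from the report's "morphed" listing, one rule per line.
MORPHED_FORWARD = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
"""

if __name__ == "__main__":
    # On a live box, feed this the output of `iptables -L -n` instead of the sample.
    print(audit(MORPHED_FORWARD))
```

Running it on the sample reports 00:13:D3:FD:20:FA as missing and the two 00:05:5D:... addresses as unexpected, which is exactly the symptom the report describes.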



