Bridging interfaces and the internet

Paul Howarth paul at city-fan.org
Tue Nov 1 13:48:17 UTC 2005


Justin Willmert wrote:
> Paul Howarth wrote:
> 
>> Nigel Wade wrote:
>>
>>> Justin Willmert wrote:
>>>
>>>> I just set up a desktop with two network cards and have got a bridge 
>>>> working between the two. That is not what my problem lies in though. 
>>>> I would like for the box to be able to connect to the internet also, 
>>>> but if I understand what I've set up correctly, I can't do that with 
>>>> my current setup. When I've tried to give one of the network cards 
>>>> an IP address, nothing but lo works, so I know there's something 
>>>> missing. I'll add my configuration at the bottom, but shortly, br0 
>>>> is configured with an IP address, and eth0 and eth1 have none. Now, 
>>>> I know br0 is capable of at least a network connection because as I 
>>>> type this, I'm currently SSHed into the box, but if I try to 
>>>> ping anything, all the packets are lost.
>>
>>
>>
>> What IP address are you ssh'ed into the box from? Can you ssh back to 
>> that IP from the bridge machine? Might the ping issue be due to 
>> firewall rules (e.g. blocking ICMP packets)?
>>
> 
> OK, I thought I had my firewall set up correctly, because I had a 
> default policy to accept on the OUTPUT and FORWARD chains so I never 
> thought that'd be a problem, but when I shut it off, it does work. So 
> now I guess my question would be, what special rules do I need to create 
> to allow this bridge setup to work with a firewall? Here is my firewall 
> script.
> 
> 
> ===================== setup-firewall-rules =====================
> #!/bin/sh
> 
> # Delete all rules
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> 
> # Setup policies
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
> 
> # Always trust the loopback interface
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Enable packet forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # Allow already opened connections
> # (Only need INPUT right now 'cause it's the only one with DROP policy)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Accept SSH connections
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
> 
> # Accept VNC connections
> iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT

I'm not an iptables or firewall expert so I may be wrong but it looks to 
me like the default DROP policy for the INPUT chain may be the issue. I 
think connection tracking may only work with TCP-based protocols such as 
ssh, which means that ICMP (e.g. ping) and UDP (e.g. DNS) may be 
problematic with this configuration. You may have to add rules to allow 
these types of traffic in.

> The 10 second pause in the output also has to do with the firewall. When 
> I shut down the firewall, it shows up immediately.

That's probably a DNS issue. Try using the "-n" option to "route" to 
turn off DNS lookups and see if you still get the delay with the 
firewall on.

Paul.
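As an added example, not Paul's or Justin's code, here is a rebuilt version of the quoted setup-firewall-rules script written from the defensive side of the question: it keeps the INPUT DROP policy but relies on the fact that Linux connection tracking follows UDP and ICMP echo as well as TCP (so the host's own DNS replies and ping replies match ESTABLISHED and ICMP errors match RELATED), restricts the SSH/VNC rules to the bridge interface and an admin subnet, and logs what the DROP policy discards so a blocked protocol shows up in the kernel log rather than as a silent 10-second timeout. The bridge name br0, the ADMIN_NET placeholder and the IPTABLES override (set IPTABLES=echo to print the rules instead of loading them) are assumptions of this example, not part of the original thread.

```shell
#!/bin/sh
# Added example, not the script from the thread: a rebuilt setup-firewall-rules
# that keeps INPUT at DROP but lets the bridge host's own ping and DNS replies
# back in, and makes what the DROP policy discards visible in the kernel log.
# Assumed names (constructed for this example): the bridge is br0 and ADMIN_NET
# is a placeholder for the management subnet allowed to reach SSH/VNC.
# IPTABLES=echo turns every call into a printed line, so the rule set can be
# inspected (and tested) without root or a kernel.

IPTABLES="${IPTABLES:-iptables}"
BRIDGE="${BRIDGE:-br0}"
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"   # placeholder; narrow this to your admin subnet

flush_rules() {
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
    done
}

set_policies() {
    "$IPTABLES" --policy INPUT DROP
    "$IPTABLES" --policy OUTPUT ACCEPT
    "$IPTABLES" --policy FORWARD ACCEPT
}

input_rules() {
    # Loopback is always trusted.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Connection tracking follows TCP, UDP and ICMP echo, so replies to the
    # host's own pings and DNS queries match ESTABLISHED, and ICMP errors
    # (destination unreachable, time exceeded) match RELATED.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let others ping this host, but rate-limit the requests.
    "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Management services: only new connections arriving on the bridge from ADMIN_NET.
    for port in 22 5801 5901; do
        "$IPTABLES" -A INPUT -i "$BRIDGE" -s "$ADMIN_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Log (rate-limited) what falls through to the DROP policy, so a blocked
    # protocol shows up in the kernel log instead of as a silent timeout.
    "$IPTABLES" -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "
}

apply_firewall() {
    flush_rules
    set_policies
    input_rules
}

# Print the rule set instead of loading it (runs in a subshell so IPTABLES
# is only overridden for the dry run).
dry_run() (
    IPTABLES=echo
    apply_firewall
)

# Number of rules the script appends to INPUT.
count_input_rules() {
    dry_run | grep -c '^-A INPUT '
}

# Returns 0 if the rule set accepts tracked reply traffic for every protocol.
accepts_tracked_replies() {
    rules=$(dry_run)
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

case "${1:-}" in
    apply)   apply_firewall ;;   # load the rules (needs root)
    dry-run) dry_run ;;          # just print them
esac
```

Run it as `sh setup-firewall-rules dry-run` to review the generated rules, then `apply` as root. The original script's `echo 1 > /proc/sys/net/ipv4/ip_forward` is deliberately left out: a Linux bridge forwards frames at layer 2 without it, and it only matters if the host is also meant to route between IP subnets. With the LOG rule in place, a protocol the policy is still dropping appears in the kernel log with the `INPUT-DROP:` prefix, which is a faster diagnosis than Paul's (still useful) `route -n` check for DNS-induced delays.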
