Gentoo Forums
eth to wifi bridge and iptables
Gentoo Forums Forum Index Networking & Security

paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Fri Oct 27, 2017 10:04 pm    Post subject: eth to wifi bridge and iptables

Hi all,

My server is connected to my router by ethernet. It also contains a wifi card which is bridged to the ethernet card to act as a wifi access point. All is working fine so far.

But to be able to use docker containers I need iptables running. If I start iptables on the server it becomes impossible to reach the internet through my wifi. If I connect to one of the ethernet ports of the switch all works fine.

I probably need to add a rule to the iptables, can anyone help me with that?

image of the layout below:
https://ikhebeenboot.nl/layout.png

/etc/conf.d/net
Code:

config_eth0="null"
config_wlan0="null"

modules_wlan0="!wpa_supplicant !iwconfig"

rc_net_br0_need="net.eth0 net.wlan0 hostapd"
brctl_br0="setfd 0 sethello 10 waitport 10 stp off"
bridge_br0="eth0 wlan0"
modules_br0="ifconfig"
config_br0="192.168.178.1/24 brd 192.168.178.255"
routes_br0="default via 192.168.178.254"
dns_servers_br0="208.67.222.222 208.67.220.220"



/etc/hostapd/hostapd.conf
Code:

interface=wlan0
bridge=br0
driver=nl80211
country_code=NL
ssid=***********
hw_mode=g
channel=4
wpa=2
wpa_passphrase=**********
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0


iptables -L

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
f2b-SSH    tcp  --  anywhere             anywhere             tcp dpt:**

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere           
DOCKER     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere           

Chain f2b-SSH (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere   
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Sat Oct 28, 2017 2:43 pm

Hi,

You should be able to connect to the internet again as soon as you allow forwarding traffic from the wireless to the ethernet interface, since the forward policy is set to drop.

Either you set the default forward policy to accept, or you create a new rule which allows forwarding traffic for the needed devices.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13498

PostPosted: Sat Oct 28, 2017 3:57 pm

I think your iptables -L output is wrong or misleading (which is why I always tell people to post the machine-readable iptables-save output instead). You have two FORWARD rules that appear to allow everything, yet they are insufficient. Most likely, there are unshown qualifiers that cause them not to match. iptables-save would show these qualifiers.
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Sat Oct 28, 2017 6:18 pm

Hi,

Damn Hu, you're right, I've overlooked this. "iptables -L -nv" should do the trick to show the more detailed information you or we may need.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Sun Oct 29, 2017 6:36 am

Code:

Chain INPUT (policy ACCEPT 10M packets, 22G bytes)
 pkts bytes target     prot opt in     out     source               destination   
 5639  376K f2b-SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:**

Chain FORWARD (policy DROP 5588 packets, 672K bytes)
 pkts bytes target     prot opt in     out     source               destination   
 147K  161M DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
86412  157M DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0     
86412  157M ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
54762 3261K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0   
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0   

Chain OUTPUT (policy ACCEPT 6051K packets, 10G bytes)
 pkts bytes target     prot opt in     out     source               destination   

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination   

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination   
 147K  161M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0     

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination   
 5639  376K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0     
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Sun Oct 29, 2017 8:35 am

Hi,

As expected... As I already said, add rules for allowing traffic from your wireless to your LAN, since you block all forwarded traffic except for the docker interface (docker0).

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Sun Oct 29, 2017 11:46 am

Hi,

Thanks!
I added the following rules:

Code:

iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT


iptables-save output:

Code:
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*nat
:PREROUTING ACCEPT [12104:1040817]
:INPUT ACCEPT [6546:620952]
:OUTPUT ACCEPT [3097:217705]
:POSTROUTING ACCEPT [3097:217705]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Oct 29 12:48:10 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*mangle
:PREROUTING ACCEPT [7951368650:8498340769118]
:INPUT ACCEPT [7951124625:8498172423181]
:FORWARD ACCEPT [154131:162298474]
:OUTPUT ACCEPT [6719819482:9601179874504]
:POSTROUTING ACCEPT [6720031362:9601367656517]
COMMIT
# Completed on Sun Oct 29 12:48:10 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 12:48:10 2017
*filter
:INPUT ACCEPT [104973:33409587]
:FORWARD DROP [722:64593]
:OUTPUT ACCEPT [106335:152951741]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:f2b-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport ** -j f2b-SSH
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A f2b-SSH -j RETURN
COMMIT
# Completed on Sun Oct 29 12:48:10 2017


But still no way of connecting to the internet when connected via WiFi. I am a real iptables noob; are those rules correct?
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Sun Oct 29, 2017 12:29 pm

paulusbrand,

What is in /proc/sys/net/ipv4/ip_forward?
It needs to be 1 so that the kernel will forward packets.

As your two interfaces are donated to br0, I don't think that you can write iptables rules for them.
A bridge is the software equivalent of a hub. All packets appear on all ports.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Sun Oct 29, 2017 1:38 pm

Forwarding is enabled. /proc/sys/net/ipv4/ip_forward is 1.

Maybe I shouldn't use a bridge but add a masquerade rule to forward packets between eth0 and wlan0?
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Sun Oct 29, 2017 2:37 pm

paulusbrand,

Masquerading has its own complications. Let's see if we can narrow it down a little.
From the server, do
Code:
ping 8.8.8.8

That's a Google public nameserver. No name resolution is required.
If that works,
Code:
ping google.com
If that works, name resolution from the server works too.

If both work, move to a wifi connected system.
From there,
Code:
ping 192.168.178.1
needs to work. That's br0 in the server.
Without that there is no WiFi connectivity anywhere.
If that works try
Code:
ping 8.8.8.8
and
Code:
ping google.com


Report the first failure.

Change your DROP policies to REJECT meanwhile. DROP throws away packets silently.
REJECT will produce a message.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
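NeddySeagoon's ping ladder, as an added example that is not part of the post: a POSIX shell script that runs the same checks in the same order, stops at the first failure and says what that failure points at. The targets are the thread's own (192.168.178.1 is br0 on the server); the function names and the PING variable, which lets a test substitute a fake ping, are my own.

```shell
#!/bin/sh
# Added example, not from the thread: step-by-step reachability check that
# reports the first failing step, following the order given in the post.

# Command used to probe a target. Override it (PING=some_function) to test
# the ladder without network access.
PING=${PING:-"ping -c 1 -W 2"}

# probe TARGET -> success when TARGET answers
probe() { $PING "$1" >/dev/null 2>&1; }

# ladder STEP...   where each STEP is "target|what a failure of it means"
# Prints "OK" when every target answers, otherwise "FAIL <target>: <meaning>"
# for the first target that does not, and returns 1.
ladder() {
    for step in "$@"; do
        target=${step%%|*}
        meaning=${step#*|}
        if ! probe "$target"; then
            echo "FAIL $target: $meaning"
            return 1
        fi
    done
    echo OK
}

# On the server: raw IP reachability first (no DNS involved), then names.
server_ladder() {
    ladder \
        "8.8.8.8|server has no route to the internet: not a WiFi or bridge problem" \
        "google.com|server cannot resolve names: check dns_servers_br0 / resolv.conf"
}

# On a WiFi client: the bridge address must answer before anything else can.
client_ladder() {
    ladder \
        "192.168.178.1|bridge br0 unreachable: no WiFi connectivity at all" \
        "8.8.8.8|br0 answers but nothing beyond it: check FORWARD filtering on the server" \
        "google.com|IP works, name resolution does not: check the resolver the client uses"
}

# Usage: sh ladder.sh server   (run on the server)
#        sh ladder.sh client   (run on a WiFi connected system)
if [ $# -gt 0 ]; then
    case $1 in
        server) server_ladder ;;
        client) client_ladder ;;
        *) echo "usage: $0 server|client" >&2; exit 2 ;;
    esac
fi
```

Each run ends at the first broken step, which is exactly the "report the first failure" the post asks for, and the text after the colon is the diagnosis that step implies.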
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Sun Oct 29, 2017 4:13 pm

Both work on the server with iptables enabled.

On the wifi client 192.168.178.1 works, 8.8.8.8 does not.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13498

PostPosted: Sun Oct 29, 2017 4:32 pm

With the right kernel configuration options set (BRIDGE_NETFILTER is required, but may not be sufficient for all purposes), iptables can filter bridges. This can lead to great havoc if you aren't expecting it, particularly since the rules to use when you filter bridged traffic are not the same rules you use to filter that same traffic in non-bridged mode. If I recall correctly, when filtering a bridge, the interface names are set to the bridge name and you need to use the iptables extension match physdev to get the names of the underlying interfaces that the bridge is using for this packet. See man iptables-extensions module physdev. Thus, the rules you added in the post where you provided iptables-save output are likely not matching at all, and so do you no good. You need to rewrite them to use physdev matches. This might work (untested):
Code:
iptables -A FORWARD -i br0 -m physdev --physdev-in eth0 --physdev-out wlan0 -j ACCEPT
iptables -A FORWARD -i br0 -m physdev --physdev-in wlan0 --physdev-out eth0 -j ACCEPT


It's also possible that you are not filtering the bridge at all, but instead have some other problem, in which case nothing in this post applies to you. However, the curious timing that everything broke when you added iptables to an otherwise working bridge makes me suspect this does apply to you.
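The physdev point above, as an added example that is neither Hu's code nor anything else from the thread: a POSIX shell helper that first reports whether br_netfilter is actually handing bridged frames to iptables (the sysctl /proc/sys/net/bridge/bridge-nf-call-iptables exists only when CONFIG_BRIDGE_NETFILTER is loaded), then emits FORWARD rules that match the bridge ports with -m physdev, and finally a log-and-REJECT tail, because a chain policy itself can only be ACCEPT or DROP. The interface names br0, eth0 and wlan0 come from the thread; the function names are my own, and the script only prints rules unless invoked with apply.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for filtering traffic that
# crosses a Linux bridge with iptables once br_netfilter is in play.

# Sysctl that makes bridged IPv4 frames traverse the iptables FORWARD chain.
# The file only exists once br_netfilter (CONFIG_BRIDGE_NETFILTER) is loaded.
BRIDGE_NF_SYSCTL=/proc/sys/net/bridge/bridge-nf-call-iptables

# bridge_nf_state [FILE]  -> prints one of
#   absent      : br_netfilter not loaded; the bridge is transparent and
#                 FORWARD rules never see its traffic
#   filtering   : bridged frames hit FORWARD with IN=OUT=<bridge name>
#   transparent : module loaded but the sysctl is 0
bridge_nf_state() {
    f=${1:-$BRIDGE_NF_SYSCTL}
    if [ ! -r "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = 1 ]; then
        echo filtering
    else
        echo transparent
    fi
}

# physdev_forward_rules BRIDGE PORT_A PORT_B
# Emits (does not run) the two rules that let bridged traffic pass between
# PORT_A and PORT_B. A bridged frame carries the bridge as both its in and
# out interface, so the physical ports must be matched with -m physdev
# rather than -i/-o. --physdev-is-bridged limits the match to frames that
# are being bridged, the only case where --physdev-out is meaningful here.
physdev_forward_rules() {
    br=$1; pa=$2; pb=$3
    for pair in "$pa $pb" "$pb $pa"; do
        set -- $pair
        printf 'iptables -I FORWARD -i %s -o %s -m physdev --physdev-is-bridged --physdev-in %s --physdev-out %s -j ACCEPT\n' \
            "$br" "$br" "$1" "$2"
    done
}

# forward_reject_tail
# iptables -P only accepts ACCEPT or DROP ("Bad policy name" for anything
# else), so a REJECT that produces a visible error is written as the last
# two rules of the chain: rate-limited log, then reject.
forward_reject_tail() {
    printf 'iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD reject: "\n'
    printf 'iptables -A FORWARD -j REJECT\n'
}

# Usage: sh bridge_fw.sh        -> show state and the rules that would be run
#        sh bridge_fw.sh apply  -> feed the rules to sh (needs root)
main() {
    case ${1:-show} in
        apply) { physdev_forward_rules br0 eth0 wlan0; forward_reject_tail; } | sh -e ;;
        *)     echo "bridge netfilter: $(bridge_nf_state)"
               physdev_forward_rules br0 eth0 wlan0
               forward_reject_tail ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

If bridge_nf_state prints absent, the FORWARD chain is not the place to look: bridged frames bypass iptables entirely and the physdev rules will stay at zero packets, which is also what a reboot into a kernel without br_netfilter would look like.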
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Sun Oct 29, 2017 4:40 pm

paulusbrand,

Did the REJECT policy produce an error message?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Sun Oct 29, 2017 5:43 pm

Not yet, I'll try tomorrow. Thx so far!
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Mon Oct 30, 2017 9:04 am

I can't seem to change the default policy on the forward chain?

Code:

server paul # iptables --policy FORWARD REJECT
iptables: Bad policy name. Run `dmesg' for more information.



Code:

server paul # iptables --policy FORWARD ACCEPT

I can set it to ACCEPT, then everything works.
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Mon Oct 30, 2017 9:55 am

Hi,

instead of:
Code:

iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT


try the following:
Code:

iptables -I FORWARD 1 -i eth0 -o wlan0 -j ACCEPT
iptables -I FORWARD 2 -i wlan0 -o eth0 -j ACCEPT


greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Mon Oct 30, 2017 12:07 pm

Too bad, not working

Code:

Chain INPUT (policy ACCEPT 27527 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination         
58208 3597K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:32

Chain FORWARD (policy DROP 211 packets, 24417 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   wlan0   anywhere             anywhere           
    0     0 ACCEPT     all  --  wlan0  eth0    anywhere             anywhere           
1231K 1225M DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere           
15419   29M DOCKER     all  --  any    docker0  anywhere             anywhere           
15419   29M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
10376  585K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT 25647 packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1231K 1225M RETURN     all  --  any    any     anywhere             anywhere           

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
58208 3597K RETURN     all  --  any    any     anywhere             anywhere   
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Mon Oct 30, 2017 1:44 pm

Hi,

As I can see from the output, no packets were analysed by the forwarding rules. Can you please post the output of "ifconfig -a" and "brctl show"?

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Mon Oct 30, 2017 5:15 pm

Code:

br0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.168.178.1  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 fe80::4e72:b9ff:fe43:c6ba  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:ba  txqueuelen 1000  (Ethernet)
        RX packets 18815207  bytes 13178462066 (12.2 GiB)
        RX errors 0  dropped 4  overruns 0  frame 0
        TX packets 17727955  bytes 17824347999 (16.6 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:e9ff:fecf:4ded  prefixlen 64  scopeid 0x20<link>
        ether 02:42:e9:cf:4d:ed  txqueuelen 0  (Ethernet)
        RX packets 46994  bytes 2571920 (2.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77392  bytes 149452468 (142.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

dummy0: flags=130<BROADCAST,NOARP>  mtu 1500
        ether 52:25:e1:d3:6e:ee  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4e72:b9ff:fe43:c6ba  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:ba  txqueuelen 1000  (Ethernet)
        RX packets 19046458  bytes 13283868190 (12.3 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22166432  bytes 18195512575 (16.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xfe700000-fe720000 

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4e72:b9ff:fe43:c6bb  prefixlen 64  scopeid 0x20<link>
        ether 4c:72:b9:43:c6:bb  txqueuelen 1000  (Ethernet)
        RX packets 1738202  bytes 997991289 (951.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28833  bytes 2473432 (2.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xfe500000-fe520000 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 70196  bytes 131437292 (125.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 70196  bytes 131437292 (125.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

macvtap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::5054:ff:feef:5348  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:ef:53:48  txqueuelen 500  (Ethernet)
        RX packets 67197  bytes 105104543 (100.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16812  bytes 1255962 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 1000  (IPv6-in-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tunl0: flags=128<NOARP>  mtu 1480
        tunnel   txqueuelen 1000  (IPIP Tunnel)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethdcb73b3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::b09b:a9ff:fe94:ea0  prefixlen 64  scopeid 0x20<link>
        ether b2:9b:a9:94:0e:a0  txqueuelen 0  (Ethernet)
        RX packets 36592  bytes 2497515 (2.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 61966  bytes 120018749 (114.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::a2f3:c1ff:fe27:3bcb  prefixlen 64  scopeid 0x20<link>
        ether a0:f3:c1:27:3b:cb  txqueuelen 1000  (Ethernet)
        RX packets 633593  bytes 300227881 (286.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 933307  bytes 1212974010 (1.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Code:

bridge name   bridge id      STP enabled   interfaces
br0      8000.4c72b943c6ba   no      eth0
                     wlan0
docker0      8000.0242e9cf4ded   no      vethdcb73b3
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Wed Nov 01, 2017 8:56 am

Hi,

OK, it looks as expected. I would suggest changing the firewall rules for testing to the following:

Code:

iptables -I FORWARD 1 -i br0 -j ACCEPT
iptables -I FORWARD 2 -o br0 -j ACCEPT


Just try this out and please report back.

greets, bb
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Wed Nov 01, 2017 12:21 pm

As br0 appears to be forwarding nothing, hosts on wifi won't have any DHCP set up either ...
but they can ping the bridge, so they have a useful IP address somehow (not link local 169. ...)

bridges are transparent. There is no concept of forwarding across a bridge.

How do the wifi clients get their IP address and routing information?
Please post route -n and ifconfig from a wifi connected system and tell if the setup is static or dhcp.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
bbgermany
Veteran

Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Wed Nov 01, 2017 1:23 pm

Yeah, bridges are transparent, but the firewall doesn't really know this. I have played a bit with iptables logging rules, to check whether I can get some logs while creating traffic over a bridge. I modified the rules a bit according to this ;)

Code:

iptables -A FORWARD -i br0 -m physdev --physdev-in wlan0 -j LOG --log-prefix "WLAN forwarded: "


I got a log like this when pinging the target system:

Code:

Nov  1 14:16:58 raspi kernel: [547374.255538] Forward: IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 MAC=60:a4:4c:3d:66:79:00:ff:08:16:85:05:08:00:45:00:00:3c:34:31:00:00:80:01:6c:47 SRC=192.168.0.250 DST=192.168.23.254 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=13361 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1104



Maybe you can modify this for your needs for allowing traffic through the bridge.
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
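bbgermany's LOG rule is the quickest way to learn what iptables really sees on a bridge. As an added example (not from the thread), here is a small POSIX shell parser for those kernel LOG lines that pulls out IN/OUT/PHYSIN/PHYSOUT and tells bridged frames from routed ones. The field names are the kernel's own; the first sample line is the one quoted above, the second is constructed (a docker container packet) to show the routed case, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: read netfilter LOG lines and report
# which physical bridge ports each frame crossed, or that it was routed.

# Constructed sample: the bridged ping from the post, plus a made-up routed
# packet leaving a docker container.
SAMPLE_LOG='Nov  1 14:16:58 raspi kernel: [547374.255538] Forward: IN=br0 OUT=br0 PHYSIN=wlan0 PHYSOUT=eth0 MAC=60:a4:4c:3d:66:79:00:ff:08:16:85:05:08:00:45:00:00:3c:34:31:00:00:80:01:6c:47 SRC=192.168.0.250 DST=192.168.23.254 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=13361 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1104
Nov  1 14:17:02 raspi kernel: [547378.100000] Forward: IN=docker0 OUT=eth0 MAC=02:42:e9:cf:4d:ed:00:00:00:00:00:00:08:00 SRC=172.17.0.2 DST=192.168.178.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# nflog_field LINE KEY -> value of "KEY=value" in LINE, empty if absent.
# The key must be preceded by whitespace, so IN= never matches PHYSIN=.
nflog_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_nflog LINE
# "bridged IN PHYSIN->PHYSOUT" when PHYSIN or PHYSOUT is present (the frame
# was bridged and br_netfilter handed it to iptables), else "routed IN->OUT".
# A "?" stands for a port the kernel had not determined when it logged.
classify_nflog() {
    iif=$(nflog_field "$1" IN)
    oif=$(nflog_field "$1" OUT)
    pin=$(nflog_field "$1" PHYSIN)
    pout=$(nflog_field "$1" PHYSOUT)
    if [ -n "$pin" ] || [ -n "$pout" ]; then
        echo "bridged $iif ${pin:-?}->${pout:-?}"
    else
        echo "routed $iif->$oif"
    fi
}

# nflog_summary < LOGFILE
# One line per path and protocol with a count, e.g.
# "bridged br0 wlan0->eth0 ICMP 1". Lines without IN= are ignored.
nflog_summary() {
    while IFS= read -r line; do
        case $line in
            *" IN="*) echo "$(classify_nflog "$line") $(nflog_field "$line" PROTO)" ;;
        esac
    done | sort | uniq -c | sed 's/^ *\([0-9]*\) \(.*\)/\2 \1/'
}

# Usage: sh nflog_paths.sh < /var/log/messages   (or: dmesg | sh nflog_paths.sh)
# With no input redirected, summarise the built-in sample instead.
if [ $# -gt 0 ] && [ "$1" = sample ]; then
    printf '%s\n' "$SAMPLE_LOG" | nflog_summary
fi
```

Run against the real log after adding a LOG rule like the one above, the summary shows at a glance whether frames from wlan0 are reaching the FORWARD chain as bridged traffic (IN=OUT=br0 with PHYSIN/PHYSOUT set), which is the case in which only physdev matches will select them.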
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Wed Nov 01, 2017 7:43 pm

Gents,

I know it's weird, but after a kernel upgrade and a reboot I can access the internet from all wifi connected devices even without any iptables-specific forwarding rules. Below is the currently working configuration.

Thanks for the effort!

If I can post anything to clarify, let me know.


Code:

Chain INPUT (policy ACCEPT 100K packets, 68M bytes)
 pkts bytes target     prot opt in     out     source               destination         
89927 5774K f2b-SSH    tcp  --  any    any     anywhere             anywhere             tcp dpt:**

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5845 2473K DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere           
77303  148M DOCKER     all  --  any    docker0  anywhere             anywhere           
77303  148M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
46946 2569K ACCEPT     all  --  docker0 !docker0  anywhere             anywhere           
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT 95915 packets, 78M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 5845 2473K ACCEPT     all  --  any    any     anywhere             anywhere           
    0     0            all  --  any    any     anywhere             anywhere           
    0     0            all  --  any    any     anywhere             anywhere           
4480K 3413M RETURN     all  --  any    any     anywhere             anywhere           

Chain f2b-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
89927 5774K RETURN     all  --  any    any     anywhere             anywhere
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13498

PostPosted: Thu Nov 02, 2017 1:42 am

For both the old and new kernel, please post the output of grep -Hn BRIDGE_NETFILTER /path/to/kernel/.config.
paulusbrand
Tux's lil' helper

Joined: 20 May 2009
Posts: 111

PostPosted: Thu Nov 02, 2017 8:41 pm

Unfortunately I cannot access my old .config any more. But when updating a kernel I do something like:

Code:

eselect new kernel
cd /usr/src/linux
zcat /proc/config.gz > .config
make menuconfig
make && make modules_install


I can't remember adding or removing any options the last time. I don't think anything was changed.

Current kernel:

Code:

paul@server ~ $ grep -Hn BRIDGE_NETFILTER /usr/src/linux/.config
/usr/src/linux/.config:861:CONFIG_BRIDGE_NETFILTER=y
Page 1 of 2