Your message dated Sun, 2 Apr 2006 14:30:21 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#360449: iptables damages mac rules with
kernel-image-2.4.27-3-k7
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: iptables
Version: 1.2.11
Severity: grave
I am using my own iptables script where I execute the following iptables
commands on startup:
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT
When the server is up, the mac rules are correct like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:13:D3:FD:20:FA
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
But after some up time the mac rules are morphing like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
Now the computer with the mac address 00:13:D3:FD:20:FA is unable to
access the squid proxy server on port 3128 because the mac address is
completely missing.
--- End Message ---
--- Begin Message ---
Duplicate of 360448.
On Sun, Apr 02, 2006 at 01:49:26PM +0200, Hansgeorg Schwibbe wrote:
> Package: iptables
> Version: 1.2.11
> Severity: grave
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
[EMAIL PROTECTED] http://www.debian.org/
--- End Message ---
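The kind of drift shown in the report's two listings can be caught by comparing the MAC matches in `iptables -L` output against the intended allow-list. The script below is an added example, not part of the original thread; the function names `mac_drift` and `sample_forward` are assumptions, and the sample input is constructed from the FORWARD chain of the second listing.

```shell
# Added example (not from the thread): compare the MAC matches in
# `iptables -L` output against the intended allow-list, chain by chain.
EXPECTED_MACS="00:20:ED:39:91:E7 00:12:3F:D6:89:8A 00:13:D3:FD:20:FA 00:14:38:00:AB:A6"

# Reads `iptables -L` output on stdin; arguments name the chains that must
# carry every expected MAC (default: INPUT FORWARD). Returns 1 on drift.
mac_drift() {
    awk -v expected="$EXPECTED_MACS" -v chains="${*:-INPUT FORWARD}" '
        BEGIN {
            nw = split(toupper(expected), want, " ")
            for (i = 1; i <= nw; i++) wanted[want[i]] = 1
            nc = split(chains, chk, " ")
        }
        $1 == "Chain" { chain = $2; prev = ""; next }
        {
            # The address is the token after "MAC"; prev survives line
            # breaks, so listings wrapped by a mailer still parse.
            for (i = 1; i <= NF; i++) {
                tok = toupper($i)
                if (prev == "MAC" && length(tok) == 17 &&
                    tok ~ /^([0-9A-F][0-9A-F]:)+[0-9A-F][0-9A-F]$/) {
                    if (!(tok in wanted) && !((chain, tok) in have)) extra[++ne] = chain " " tok
                    have[chain, tok] = 1
                }
                prev = $i
            }
        }
        END {
            for (c = 1; c <= nc; c++)
                for (i = 1; i <= nw; i++)
                    if (!((chk[c], want[i]) in have)) { print "MISSING " chk[c] " " want[i]; bad = 1 }
            for (i = 1; i <= ne; i++) { print "UNEXPECTED " extra[i]; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the drifted FORWARD chain from the second listing.
sample_forward() {
    printf 'Chain FORWARD (policy DROP)\n'
    printf 'ACCEPT all -- anywhere anywhere MAC %s\n' \
        00:20:ED:39:91:E7 00:05:5D:F5:E8:FF 00:05:5D:F6:10:BD \
        00:12:3F:D6:89:8A 00:14:38:00:AB:A6
}
sample_forward | mac_drift FORWARD || echo "drift detected"
```

On a live host the same check runs as `iptables -L | mac_drift INPUT FORWARD`, for example from cron, with a non-zero exit status signalling drift.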