Jacked network bridges

Gabriel Gunderson gabe at gundy.org
Sun Jan 29 20:56:54 MST 2012


On Sun, Jan 29, 2012 at 10:58 AM, Levi Pearson <levipearson at gmail.com> wrote:
> I'm not sure if this is the issue, but the last time I set up a vm with kvm
> and libvirt, I had to do a bunch of tweaking of iptables to get layer 2
> traffic forwarded correctly. Maybe whatever you did to set up DHCP for net
> C changed the iptables config for that interface.
>
> I only mention this because it bit me and you didn't mention anything about
> iptables in your description. Good luck tracking this down, and let us know
> how it turns out.

Thanks for the feedback. It looks like standard RHEL firewall rules (see below).

The key here (as if I knew) is the bridge. It works on half the
connected hosts. The other thing is that it's jacked at layer 2 -- or
so I think. I'm thinking the driver for that card is wacky. Perhaps
I'll move the whole bridge over to a different physical interface
tomorrow.

I love the feedback.  It's causing me to think more carefully about
the problem. I welcome anything else anyone might want to share. I'll
have a lot to review when I get back into work tomorrow :)


# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Best,
Gabe
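Levi's point is that iptables can silently filter bridged traffic, and Gabe's listing is the kind of output you then have to read by hand. The script below is an added example for this thread, not code from either poster: it parses an `iptables -L` listing (the embedded sample is the listing from the message above, with the mail-client line wraps rejoined) and reports rules that sit behind an earlier terminal catch-all and so can never match, which in that listing is every REJECT in FORWARD and the SSH/REJECT rules in INPUT. It also reads the `bridge-nf-call-iptables` sysctl, which decides whether bridged layer-2 frames traverse these chains at all. The one thing to keep in mind when reading its report is that `iptables -L` without `-v` omits `-i`/`-o` interface matches, so an apparent catch-all may in fact be scoped to one interface; confirm against `iptables -S` before acting on it.

```python
"""Audit an `iptables -L` listing for rules shadowed by an earlier catch-all.

Added example for this thread, not code from the original post. The sample
listing below is constructed from the message above with wrapped lines rejoined.
"""
import re
from pathlib import Path

# Constructed sample: the INPUT/FORWARD/OUTPUT listing from the post, wraps rejoined.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of the chain


def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [dict, ...]}} from `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        # Columns: target prot opt source destination [match / target options]
        fields = line.split(None, 5)
        target, prot, _opt, src, dst = fields[:5]
        extra = fields[5].strip() if len(fields) > 5 else ""
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return chains


def is_catch_all(rule):
    """True when nothing visible in the listing narrows the rule.

    Caveat: `iptables -L` omits -i/-o interface matches, so a rule that looks
    like a catch-all here may be interface-scoped; confirm with `iptables -S`.
    """
    # reject-with is a target option, not a match, so it narrows nothing.
    match_opts = re.sub(r"reject-with \S+", "", rule["extra"]).strip()
    return (rule["prot"] == "all" and rule["src"] == "anywhere"
            and rule["dst"] == "anywhere" and not match_opts)


def shadowed_rules(chain):
    """Indices of rules after the first terminal catch-all; they can never match."""
    for i, rule in enumerate(chain["rules"]):
        if rule["target"] in TERMINAL and is_catch_all(rule):
            return list(range(i + 1, len(chain["rules"])))
    return []


def bridge_filter_enabled(proc_path="/proc/sys/net/bridge/bridge-nf-call-iptables"):
    """Whether bridged frames are passed through iptables; None if br_netfilter is not loaded."""
    p = Path(proc_path)
    if not p.exists():
        return None
    return p.read_text().strip() == "1"


def audit(text):
    """Map each chain name to the indices of its shadowed rules."""
    return {name: shadowed_rules(chain) for name, chain in parse_listing(text).items()}


if __name__ == "__main__":
    for chain, idx in audit(SAMPLE_LISTING).items():
        print(f"{chain}: shadowed rule indices {idx}")
    print("bridge-nf-call-iptables:", bridge_filter_enabled())
```

Run it against `iptables -L` output piped into `parse_listing`, and treat a non-empty result as a prompt to re-check the same chain with `iptables -S`: if the catch-all turns out to carry `-i virbr0` or similar, the later REJECTs are live for other interfaces and the bridge's own traffic is what to look at; if it really is unscoped, the REJECTs are dead weight and the chain is effectively wide open.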

