Jacked network bridges
levipearson at gmail.com
Mon Jan 30 13:17:53 MST 2012
On Mon, Jan 30, 2012 at 7:03 AM, Levi Pearson <levipearson at gmail.com> wrote:
> I am not a general expert on Linux networking, but I know enough about nic
> drivers to strongly doubt that the driver or card are to blame for this.
> I suggest a deeper exploration of the options to the iptables command,
> because "iptables -L" barely scratches the surface of what it can tell you.
> It is actually my go-to tool for diagnosing any network problem regarding
> the forwarding of packets in Linux.
> I would give more details, but I don't know the options off the top of my
> head and I am typing this on my phone. Good luck!
I don't know if you've looked at this any further yet or not, but I am
now on a real computer with access to man pages, so I can give some
First, the iptables dump you gave is missing a lot of information that
is actually contained in the table you are looking at. If you give
the -v and -x arguments, you will get much more detailed and specific
information regarding which interface the rule belongs to as well as
counters that will tell you how much traffic that rule has applied to.
Watching these counters will tell you where, if it's happening due to
a rule, the packets you're sending are getting dropped.
Second, this is only the output from one table. There are other
tables as well that you should look at, especially the nat table.
Use '-t nat' to see the nat table, which is applied first for any
packet that creates a new connection. There may be some relevant
rules there, though it's likely the filter table that's causing your
I know you shut off netfiltering for the bridge devices, but there are
plenty of other points where things could be getting blocked. You'll
notice you have 3 REJECT rules in the FORWARD chain that apply from
anywhere to anywhere, but adding -v will show you the information
which differentiates them, which is the in/out interfaces that it will
apply to. You'll also want to know which interfaces the ACCEPT rules
Also, looking at ifconfig for packet stats on your interfaces while
you're trying to transfer across a broken path might give you an idea
of where things are broken, and you can do a tcpdump filtered on ICMP
traffic on each of the interfaces while pinging to verify where they
stop. That shouldn't involve a whole lot of setup overhead.
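The counter-watching approach described in the message above, as an added example that is not part of the original post or thread: take one `iptables -t filter -L FORWARD -v -x -n --line-numbers` listing before a test ping and one after, and report every rule (or the chain policy) whose packet counter moved, singling out the REJECT/DROP ones. The `-v` output carries the in/out interface columns that distinguish the otherwise identical anywhere-to-anywhere rules, and `-x` gives exact counters. The two listings embedded below are constructed sample output (interface names `br0`, `eth0`, `eth1` and the rule set are invented for illustration); `snapshot()` is the hypothetical live wrapper you would use instead of the constants on a real box.

```python
"""Find which FORWARD rule is discarding forwarded/bridged traffic by diffing
packet counters from two `iptables -L FORWARD -v -x -n --line-numbers`
snapshots taken before and after a test ping.  Added example; the listings
BEFORE/AFTER are constructed, not captured from a real host."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    num: int        # rule position, from --line-numbers
    pkts: int       # exact packet counter, from -x
    nbytes: int
    target: str     # ACCEPT / REJECT / DROP / user chain
    proto: str
    in_if: str      # "*" means any interface
    out_if: str
    source: str
    dest: str
    extra: str      # trailing match/target options, e.g. "reject-with ..."


def parse_chain(text: str) -> Tuple[Tuple[str, int], Dict[int, Rule]]:
    """Return ((policy_name, policy_pkts), {rule_num: Rule}) for one chain."""
    policy = ("", 0)
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+) (\d+) packets", line)
        if m:
            policy = (m.group(1), int(m.group(2)))
            continue
        parts = line.split()
        # Skip the column header and anything that is not a numbered rule.
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        num, pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = parts[:10]
        rules[int(num)] = Rule(int(num), int(pkts), int(nbytes), target, proto,
                               in_if, out_if, src, dst, " ".join(parts[10:]))
    return policy, rules


def counters_that_moved(before: str, after: str) -> List[Tuple[Optional[Rule], int]]:
    """[(rule, packet_delta)] for every rule whose counter grew; a None rule
    means packets fell through to the chain policy."""
    (_, pkts_b), rules_b = parse_chain(before)
    (_, pkts_a), rules_a = parse_chain(after)
    moved: List[Tuple[Optional[Rule], int]] = []
    for num, new in sorted(rules_a.items()):
        old = rules_b.get(num)
        old_pkts = old.pkts if old else 0
        if new.pkts > old_pkts:
            moved.append((new, new.pkts - old_pkts))
    if pkts_a > pkts_b:
        moved.append((None, pkts_a - pkts_b))
    return moved


def blocking_targets(before: str, after: str) -> List[str]:
    """Only the rules (or policy) that actually discarded packets."""
    (policy, _), _ = parse_chain(after)
    out = []
    for rule, delta in counters_that_moved(before, after):
        if rule is None:
            if policy in ("DROP", "REJECT"):
                out.append(f"policy {policy}: +{delta} pkts")
        elif rule.target in ("DROP", "REJECT"):
            out.append(f"rule {rule.num} {rule.target} in={rule.in_if} "
                       f"out={rule.out_if}: +{delta} pkts")
    return out


def snapshot(chain: str = "FORWARD", table: str = "filter") -> str:
    """Live listing (needs root); hypothetical helper, not exercised below."""
    cmd = ["iptables", "-t", table, "-L", chain, "-v", "-x", "-n", "--line-numbers"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample listings: four pings from eth0 toward the bridge.
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1523    182760 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
2         201     16884 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
3           0         0 REJECT     all  --  eth0   br0     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
4           0         0 REJECT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5           0         0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""
AFTER = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1531    183720 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
2         201     16884 ACCEPT     all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
3           4       336 REJECT     all  --  eth0   br0     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
4           0         0 REJECT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5           0         0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

if __name__ == "__main__":
    for line in blocking_targets(BEFORE, AFTER):
        print(line)
```

On a live host the loop is `before = snapshot()`, run the ping, `after = snapshot()`, then `blocking_targets(before, after)`; pass `table="nat"` and `chain="PREROUTING"` to do the same for the nat table the message mentions. Rule 1 also moves in the sample (normal bridge traffic), which is why the report filters on REJECT/DROP rather than on "any counter that changed".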