Your message dated Sat, 19 Aug 2006 16:13:04 -0400
with message-id <[EMAIL PROTECTED]>
and subject line iptables bts cleanup
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kernel-image-2.4.27-3-k7
Version: 2.4
Severity: grave


I am using my own iptables script where I execute the following iptables commands on startup:

iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT

iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT


When the server is up, the mac rules are correct like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:13:D3:FD:20:FA
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6


But after some uptime the mac rules are morphing like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6


Now the computer with the mac address 00:13:D3:FD:20:FA is unable to access the squid proxy server on port 3128 because the mac address is completely missing.



--- End Message ---
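The drift the reporter describes (one configured address gone from both INPUT and FORWARD, two never-configured addresses present) is the kind of thing to check mechanically rather than by reading `iptables -L` by eye. What follows is an added example, not code from the report or from the iptables package: it parses the startup script and an `iptables -L` snapshot (both constructed here from the report's own lines) into per-chain counts of `--mac-source` addresses and reports which addresses are missing or unexpected in each chain. The function names and the two embedded samples are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the rules the admin's startup script appends
# (same shape and addresses as the bug report above).
INTENDED_RULES = """
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT
"""

# Constructed sample: an `iptables -L` snapshot in the "morphed" state the
# report describes (00:13:D3:FD:20:FA gone, two 00:05:5D:* addresses present).
OBSERVED_LISTING = """
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
"""

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b")
ADD_RE = re.compile(r"^\s*iptables\s+-A\s+(\S+)\s.*--mac-source\s+(\S+)")


def parse_intended(script):
    """Map chain -> Counter of MAC addresses the startup script appends."""
    expected = {}
    for line in script.splitlines():
        m = ADD_RE.match(line)
        if m:
            expected.setdefault(m.group(1), Counter())[m.group(2).upper()] += 1
    return expected


def parse_listing(listing):
    """Map chain -> Counter of MAC addresses found in `iptables -L` output."""
    observed, chain = {}, None
    for line in listing.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            chain = m.group(1)
            observed.setdefault(chain, Counter())
        elif chain is not None:
            for mac in MAC_RE.findall(line):
                observed[chain][mac.upper()] += 1
    return observed


def diff_rules(expected, observed):
    """Per chain: addresses (with rule counts) that are missing or unexpected."""
    report = {}
    for chain in sorted(set(expected) | set(observed)):
        exp = expected.get(chain, Counter())
        obs = observed.get(chain, Counter())
        # Counter subtraction keeps only positive differences, so a host whose
        # tcp rule survived but whose udp rule vanished still shows up as missing.
        report[chain] = {"missing": dict(exp - obs), "unexpected": dict(obs - exp)}
    return report


def ruleset_matches(report):
    """True only when no chain has missing or unexpected MAC rules."""
    return all(not r["missing"] and not r["unexpected"] for r in report.values())


if __name__ == "__main__":
    rep = diff_rules(parse_intended(INTENDED_RULES), parse_listing(OBSERVED_LISTING))
    for chain, r in rep.items():
        print(f"{chain}: missing={r['missing']} unexpected={r['unexpected']}")
    raise SystemExit(0 if ruleset_matches(rep) else 1)
```

Run against a live box, the listing would come from `iptables -L` (or better `iptables -S`, whose output echoes the original `-A` syntax) on a cron schedule, with a non-zero exit wired to whatever alerting is in place. Counting rules per address rather than collecting a set matters here: in the reporter's second listing 00:12:3F:D6:89:8A still appears twice, but both surviving rules are tcp, so a set-based comparison would have reported that host as fine while its udp rule was gone.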
--- Begin Message ---
276043 iptables: at least warn of leftover junk
317379 iptables: please provide initscript for reloading firewall rules at boot
360448 iptables: eats MAC addresses

Cleaning up stuff that will not be fixed or is just unfathomable. Sorry.

--- End Message ---
