CentOS 7 bridge interface iptables rules

FireBall asked:

We have a CentOS server on which the p3p1 and p3p2 interfaces are bridged as br0.
Yesterday our SYN proxy rules were working; today they have strangely stopped.

We applied the rules given below, but in no combination could we get the bridged traffic to hit the firewall.


# SYN cookies and TCP timestamps (SYNPROXY encodes the client's options in the cookie)
sysctl -w net/ipv4/tcp_syncookies=1
sysctl -w net/ipv4/tcp_timestamps=1
# only track connections seen from the SYN, never pick them up mid-stream
sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
# enlarge the conntrack hash table and the entry limit
echo 2500000 > /sys/module/nf_conntrack/parameters/hashsize
sysctl -w net/netfilter/nf_conntrack_max=2000000
# enable IPv4 forwarding (both lines set the same knob)
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/ip_forward
# reload /etc/sysctl.conf (re-applies whatever that file holds over the -w settings above)
sysctl -p




[root@244 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.a0369f557ca8       yes             p3p1
                                                        p3p2
[root@244 ~]# iptables -vL
Chain INPUT (policy ACCEPT 970 packets, 57781 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SYNPROXY   tcp  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p2 tcp state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    0     0 DROP       all  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p2 state INVALID
    0     0 SYNPROXY   tcp  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p1 tcp state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    0     0 DROP       all  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p1 state INVALID

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SYNPROXY   tcp  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p1 tcp state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    0     0 DROP       all  --  any    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p1 state INVALID
    0     0 SYNPROXY   tcp  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p2 tcp state INVALID,UNTRACKED SYNPROXY sack-perm timestamp wscale 7 mss 1460
    0     0 DROP       all  --  br0    any     anywhere             anywhere             PHYSDEV match --physdev-in p3p2 state INVALID

Chain OUTPUT (policy ACCEPT 764 packets, 50748 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@244 ~]#


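The listing above shows only the filter table. The SYNPROXY target is documented to need two more pieces around it: a raw-table rule that keeps incoming SYNs out of connection tracking, because the `--ctstate INVALID,UNTRACKED` match only sees packets conntrack has not claimed, and the bridge netfilter hook (net.bridge.bridge-nf-call-iptables=1), without which frames switched between bridge ports never enter iptables at all. The script below is an added example written for this page, not code from the thread or from its accepted answer (which is not reproduced here); it shows that complete pattern for one bridge member port in dry-run form. Bridge br0, member port p3p1 and service port 80 are placeholders; the same filter rules would be repeated in INPUT for traffic addressed to the bridge's own address.

```shell
#!/bin/sh
# Added example for this page (not from the thread or its accepted answer):
# the complete SYNPROXY pattern for TCP traffic entering a Linux bridge through
# one member port. Placeholders (hypothetical, adjust to the host):
#   BRIDGE   bridge device that carries the traffic
#   IN_PORT  bridge member the clients come in on
#   SVC_PORT TCP port being protected
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
BRIDGE=${BRIDGE:-br0}
IN_PORT=${IN_PORT:-p3p1}
SVC_PORT=${SVC_PORT:-80}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bridge_nf_enabled [VALUE]: true when bridged frames traverse iptables.
# Reads net.bridge.bridge-nf-call-iptables unless a value is passed in (tests).
bridge_nf_enabled() {
    if [ -n "${1:-}" ]; then
        v=$1
    else
        v=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo missing)
    fi
    [ "$v" = 1 ]
}

# Kernel knobs SYNPROXY depends on: cookies and timestamps carry the client's
# options across the proxied handshake; tcp_loose=0 stops conntrack adopting
# mid-stream packets as established flows; the bridge hook is what delivers
# bridged frames to the IP tables in the first place.
synproxy_sysctls() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_timestamps=1
    run sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
    run modprobe br_netfilter   # fails harmlessly on kernels where it is built in
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

synproxy_rules() {
    # 1. raw: keep incoming SYNs out of conntrack so they reach SYNPROXY as UNTRACKED
    run iptables -t raw -A PREROUTING -i "$BRIDGE" -m physdev --physdev-in "$IN_PORT" \
        -p tcp --dport "$SVC_PORT" --syn -j CT --notrack
    # 2. filter: untracked SYNs and not-yet-valid ACKs go to SYNPROXY, which
    #    finishes the handshake with the client before opening it to the server
    run iptables -A FORWARD -i "$BRIDGE" -m physdev --physdev-in "$IN_PORT" \
        -p tcp --dport "$SVC_PORT" -m conntrack --ctstate INVALID,UNTRACKED \
        -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    # 3. filter: anything still INVALID after SYNPROXY never completed a handshake
    run iptables -A FORWARD -i "$BRIDGE" -m physdev --physdev-in "$IN_PORT" \
        -m conntrack --ctstate INVALID -j DROP
}

synproxy_sysctls
synproxy_rules
if bridge_nf_enabled; then
    echo "# bridge-nf-call-iptables=1: bridged frames will traverse the rules above"
else
    echo "# bridge-nf-call-iptables is not 1: bridged frames bypass iptables" >&2
fi
```

Run it once with the default DRY_RUN=1 and compare the printed commands with the live tables (`iptables -t raw -nvL` and `iptables -nvL`); the rule-3 DROP must stay after the SYNPROXY rule, otherwise the untracked SYNs it is meant to proxy are discarded as INVALID before SYNPROXY sees them.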
Duncan Roe replied:
Please run this:

# dump every table with counters and rule numbers; set -x echoes each command into the file
{ set -x; for i in filter nat mangle raw; do iptables -t $i -n -v --line-numbers -L; done; set +x; } 2>&1 | tee iptables.txt

and post iptables.txt
FireBall (asker) replied:
I realize that the p1p1 interface is not forwarding the traffic, because when I redirect the traffic to the em1 interface it works.
Also, the p1p1 interface only answers 37.123.100.97's ping requests; no other ping request is accepted by it.

[root@249 network-scripts]# tcpdump -i p1p1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p1p1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:18:19.118981 IP 26.156.9.185.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 14, seq 31499, length 40
13:18:19.268464 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 603, length 64
13:18:19.268484 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 603, length 64
13:18:20.269454 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 604, length 64
13:18:20.269478 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 604, length 64
13:18:21.270517 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 605, length 64
13:18:21.270539 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 605, length 64
13:18:21.775278 IP 78.186.179.127.static.ttnet.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 1, seq 2671, length 40
13:18:22.271453 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 606, length 64
13:18:22.271476 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 606, length 64
13:18:23.272469 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 607, length 64
13:18:23.272491 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 607, length 64
13:18:24.097221 IP 26.156.9.185.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 14, seq 31500, length 40
13:18:24.273466 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 608, length 64
13:18:24.273488 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 608, length 64
13:18:25.274353 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 609, length 64
13:18:25.274373 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 609, length 64
13:18:26.275483 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 610, length 64
13:18:26.275505 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 610, length 64
13:18:26.775694 IP 78.186.179.127.static.ttnet.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 1, seq 2672, length 40
13:18:27.276419 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 611, length 64
13:18:27.276440 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 611, length 64
13:18:28.277359 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 612, length 64
13:18:28.277381 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 612, length 64
13:18:29.114836 IP 26.156.9.185.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 14, seq 31501, length 40
13:18:29.278410 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 613, length 64
13:18:29.278432 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 613, length 64
13:18:30.279374 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 614, length 64
13:18:30.279397 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 614, length 64
13:18:31.280402 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 615, length 64
13:18:31.280423 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 615, length 64
13:18:31.777473 IP 78.186.179.127.static.ttnet.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 1, seq 2673, length 40
13:18:32.281568 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 616, length 64
13:18:32.281590 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 616, length 64
13:18:33.283300 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 617, length 64
13:18:33.283321 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 617, length 64
13:18:34.109379 IP 26.156.9.185.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 14, seq 31502, length 40
13:18:34.284346 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 618, length 64
13:18:34.284368 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 618, length 64
13:18:35.285438 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 619, length 64
13:18:35.285456 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 619, length 64
13:18:36.287278 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 620, length 64
13:18:36.287299 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 620, length 64
13:18:36.775740 IP 78.186.179.127.static.ttnet.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 1, seq 2674, length 40
13:18:37.288610 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 621, length 64
13:18:37.288632 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 621, length 64
13:18:38.289272 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 622, length 64
13:18:38.289293 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 622, length 64
^C
48 packets captured
48 packets received by filter
0 packets dropped by kernel
[root@249 network-scripts]#
[root@249 network-scripts]# ifconfig
em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 185.9.159.249  netmask 255.255.255.0  broadcast 185.9.159.255
        inet6 fe80::d6ae:52ff:fe73:47d0  prefixlen 64  scopeid 0x20<link>
        ether d4:ae:52:73:47:d0  txqueuelen 1000  (Ethernet)
        RX packets 90238  bytes 7317534 (6.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3254  bytes 677158 (661.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

em2: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether d4:ae:52:73:47:d1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1  bytes 276 (276.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 276 (276.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p1p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 37.123.100.98  netmask 255.255.255.248  broadcast 37.123.100.103
        inet6 fe80::a236:9fff:fe55:7ca8  prefixlen 64  scopeid 0x20<link>
        ether a0:36:9f:55:7c:a8  txqueuelen 1000  (Ethernet)
        RX packets 2275  bytes 198029 (193.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 396  bytes 37624 (36.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p1p2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.255.255.2  netmask 255.255.255.248  broadcast 10.255.255.7
        inet6 fe80::a236:9fff:fe55:7caa  prefixlen 64  scopeid 0x20<link>
        ether a0:36:9f:55:7c:aa  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 864 (864.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


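Tallied per peer, the capture above says the same thing as the post in one line each: echo requests from three sources, echo replies to only one of them. The script below is an added example for this page (not from the thread) that does that tally over tcpdump's text output with awk; the embedded sample lines are copied from the capture above, and the local address is passed in exactly as tcpdump prints it (the resolved name here; the bare IP if you capture with -n). It only counts; the reason for the asymmetry is not visible in the capture.

```shell
#!/bin/sh
# Added example for this page (not from the thread): tally ICMP echo requests
# against echo replies per remote peer in tcpdump's text output, so an interface
# that answers only one source shows up as one line per peer.
# Input assumed: "tcpdump -i IFACE icmp" lines (names resolved or -n, either works).

# Sample lines copied from the capture in the thread (a subset).
SAMPLE='13:18:19.118981 IP 26.156.9.185.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 14, seq 31499, length 40
13:18:19.268464 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 603, length 64
13:18:19.268484 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 603, length 64
13:18:21.775278 IP 78.186.179.127.static.ttnet.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 1, seq 2671, length 40
13:18:22.271453 IP 97.100.123.37.salay.com.tr > 98.100.123.37.salay.com.tr: ICMP echo request, id 33605, seq 604, length 64
13:18:22.271476 IP 98.100.123.37.salay.com.tr > 97.100.123.37.salay.com.tr: ICMP echo reply, id 33605, seq 604, length 64'

# icmp_echo_report SELF: SELF is the local address as tcpdump prints it.
# Reads capture lines on stdin, prints "peer requests replies verdict", sorted.
icmp_echo_report() {
    awk -v self="$1" '
        # tcpdump layout: TIME IP SRC > DST: ICMP echo request|reply, id N, seq N, length N
        $2 == "IP" && $6 == "ICMP" && $7 == "echo" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if ($8 == "request," && dst == self) req[src]++
            else if ($8 == "reply," && src == self) rep[dst]++
        }
        END {
            for (p in req) {
                r = (p in rep) ? rep[p] : 0
                if (r == 0) verdict = "UNANSWERED"
                else if (r < req[p]) verdict = "PARTIAL"
                else verdict = "ok"
                printf "%s %d %d %s\n", p, req[p], r, verdict
            }
        }' | sort
}

# unanswered_peers: number of peers in SAMPLE that never got a reply.
unanswered_peers() {
    printf '%s\n' "$SAMPLE" | icmp_echo_report 98.100.123.37.salay.com.tr | grep -c UNANSWERED
}

# Offline run on the embedded sample. Live use: bound the capture so the END
# block runs, e.g.  tcpdump -i p1p1 -c 200 icmp | icmp_echo_report 98.100.123.37.salay.com.tr
printf '%s\n' "$SAMPLE" | icmp_echo_report 98.100.123.37.salay.com.tr
```

On the sample this prints the two peers as UNANSWERED and the 97.100.123.37 host as ok with two requests and two replies; on a longer live capture a PARTIAL verdict separates packet loss from a source that is never answered at all.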
ASKER CERTIFIED SOLUTION
Duncan Roe