Package: kernel-image-2.4.27-3-k7
Version: 2.4
Severity: grave

I am using my own iptables script where I execute the following
iptables commands on startup:
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:20:ED:39:91:E7 -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:12:3F:D6:89:8A -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:13:D3:FD:20:FA -p udp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p tcp --dport 3128:3130 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:14:38:00:AB:A6 -p udp --dport 3128:3130 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:20:ED:39:91:E7 -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:12:3F:D6:89:8A -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:13:D3:FD:20:FA -j ACCEPT
iptables -A FORWARD -m mac --mac-source 00:14:38:00:AB:A6 -j ACCEPT
When the server is up, the mac rules are correct like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:12:3F:D6:89:8A udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:13:D3:FD:20:FA tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:13:D3:FD:20:FA udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:14:38:00:AB:A6 udp dpts:3128:icpv2
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:13:D3:FD:20:FA
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
But after some up time the mac rules are morphing like this:
debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere MAC 00:20:ED:39:91:E7 tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:20:ED:39:91:E7 udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF tcp dpts:3128:icpv2
ACCEPT udp -- anywhere anywhere MAC 00:05:5D:F5:E8:FF udp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:05:5D:F6:10:BD tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:12:3F:D6:89:8A tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
ACCEPT tcp -- anywhere anywhere MAC 00:14:38:00:AB:A6 tcp dpts:3128:icpv2
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
Now the computer with the MAC address 00:13:D3:FD:20:FA is unable to
access the squid proxy server on port 3128 because the MAC address is
completely missing.
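
Added example, not part of the original report: a drift check that parses `iptables -L` text and compares the (protocol, MAC) pairs in each chain against the allowlist from the startup script above. The function names are hypothetical, and the one-rule-per-line listing layout is an assumption of this example.

```python
import re

# Allowlist taken from the iptables -A commands in the report.
MACS = ["00:20:ED:39:91:E7", "00:12:3F:D6:89:8A",
        "00:13:D3:FD:20:FA", "00:14:38:00:AB:A6"]
# Intended (protocol, MAC) pairs per chain, derived from those commands.
EXPECTED = {
    "INPUT": {(p, m) for m in MACS for p in ("tcp", "udp")},
    "FORWARD": {("all", m) for m in MACS},
}
MAC_RE = re.compile(r"\bMAC\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")

def parse_listing(text):
    """Map chain name -> set of (protocol, MAC) pairs found in `iptables -L` text."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "Chain":
            current = chains.setdefault(fields[1], set())
            continue
        mac = MAC_RE.search(line)
        if current is not None and mac and len(fields) >= 2:
            # Assumed layout: second column of a rule line is the protocol.
            current.add((fields[1], mac.group(1).upper()))
    return chains

def drift(expected, text):
    """Return {chain: (missing, unexpected)} for every chain that differs."""
    seen = parse_listing(text)
    report = {}
    for chain, want in expected.items():
        have = seen.get(chain, set())  # a chain absent from the listing is all-missing
        if have != want:
            report[chain] = (want - have, have - want)
    return report

# Constructed sample: the FORWARD chain as shown in the report's second listing.
SAMPLE = """\
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:20:ED:39:91:E7
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F5:E8:FF
ACCEPT all -- anywhere anywhere MAC 00:05:5D:F6:10:BD
ACCEPT all -- anywhere anywhere MAC 00:12:3F:D6:89:8A
ACCEPT all -- anywhere anywhere MAC 00:14:38:00:AB:A6
"""

if __name__ == "__main__":
    forward_only = {"FORWARD": EXPECTED["FORWARD"]}
    for chain, (missing, unexpected) in drift(forward_only, SAMPLE).items():
        print(chain, "missing:", sorted(missing), "unexpected:", sorted(unexpected))
```

Because the comparison is on (protocol, MAC) pairs, it also flags an INPUT rule whose protocol changed from udp to tcp while the MAC stayed the same.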