I have a GRE device on my firewall, which is acting as an OpenNHRP core.
If two OpenNHRP nodes are trying to talk to each other and unable to
establish a direct connection they send their traffic through the core.
This means that from an iptables standpoint the traffic is coming in on gre1
and going out on gre1.
I use awall to generate the iptables rules on this FW. It all works fine
so far except for this. Traffic from one node to another that was passing
through my core was getting blocked with this in the syslog:
Sep 25 17:26:39 jrt-vm-fw01 kern.warn kernel: [918524.175624] IN=gre1
OUT=gre1 MAC= SRC=172.23.0.3 DST=172.23.0.2 LEN=84 TOS=0x00 PREC=0x00
TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36686 SEQ=16
So, I tried adding this to my awall config:
The problem is that awall didn't create a rule in the forward chain for
-i gre1 -o gre1. So, traffic continued getting blocked. When I added the
following rule manually in /etc/iptables/rules-save (just before the
forward chain's LOGDROP) it worked fine:
-A FORWARD -i gre1 -o gre1 -j ACCEPT
Is this a bug in awall that it assumes you don't need a forward chain rule
if the input and output devices are the same?
Received on Tue Sep 25 2012 - 12:34:53 UTC
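As an added illustration (not part of the post above and not awall code), the following Python script reads netfilter LOG lines of the kind quoted in the post, works out from the IN= and OUT= fields which chain the packet went through, and flags "hairpin" forwards whose input and output interface are the same, which is exactly the case awall produced no FORWARD rule for. The first sample line is the one from the post; the other two lines are constructed for contrast (an ordinary eth0-to-gre1 forward and a packet addressed to the firewall itself, which has no OUT=). The accept_rule() helper simply reproduces the rule the poster added by hand; it is not an awall policy.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines modelled on the netfilter LOG format quoted in the post.
# Line 1 is the post's own line; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
Sep 25 17:26:39 jrt-vm-fw01 kern.warn kernel: [918524.175624] IN=gre1 OUT=gre1 MAC= SRC=172.23.0.3 DST=172.23.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36686 SEQ=16
Sep 25 17:26:40 jrt-vm-fw01 kern.warn kernel: [918525.100001] IN=eth0 OUT=gre1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=172.23.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 25 17:26:41 jrt-vm-fw01 kern.warn kernel: [918526.200002] IN=gre1 OUT= MAC= SRC=172.23.0.3 DST=172.23.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
"""

# KEY=VALUE tokens; the value may be empty (e.g. "MAC=" on a GRE interface, "OUT=" for INPUT).
_KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_nflog_line(line: str) -> Dict[str, str]:
    """Split one netfilter LOG line into its KEY=VALUE fields.

    Bare flags such as DF or SYN carry no '=' and are skipped. The IP header's
    ID= precedes the ICMP echo ID=, so setdefault keeps the first occurrence.
    """
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        fields.setdefault(key, value)
    return fields


def chain_for(fields: Dict[str, str]) -> str:
    """Infer the filter chain from which of IN=/OUT= are non-empty."""
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    return "OUTPUT"


def is_hairpin(fields: Dict[str, str]) -> bool:
    """A forwarded packet that leaves on the interface it arrived on."""
    return chain_for(fields) == "FORWARD" and fields["IN"] == fields["OUT"]


def find_hairpin_forwards(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (iface, src, dst, proto) for every logged hairpin forward."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in log_text.splitlines():
        if "IN=" not in line:
            continue
        fields = parse_nflog_line(line)
        if is_hairpin(fields):
            hits.append((fields["IN"], fields["SRC"], fields["DST"], fields.get("PROTO", "?")))
    return hits


def accept_rule(iface: str) -> str:
    """The iptables-save style FORWARD rule the post added by hand for one interface."""
    return f"-A FORWARD -i {iface} -o {iface} -j ACCEPT"


def suggested_rules(log_text: str) -> List[str]:
    """One accept rule per interface that showed hairpin drops (deduplicated, sorted)."""
    return sorted({accept_rule(hit[0]) for hit in find_hairpin_forwards(log_text)})


if __name__ == "__main__":
    for iface, src, dst, proto in find_hairpin_forwards(SAMPLE_LOG):
        print(f"hairpin forward on {iface}: {src} -> {dst} ({proto})")
    for rule in suggested_rules(SAMPLE_LOG):
        print("missing rule:", rule)
```

Run against the sample log it reports the single gre1-to-gre1 ICMP packet and prints the same rule the poster inserted before the forward chain's LOGDROP; the eth0-to-gre1 line is a normal forward and the OUT= line never touched the FORWARD chain at all, so neither is flagged.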