In lmce 1204 and 1404, bridging appears to have changed within the Linux kernel. In 1004 I had bridged eth1 (internal NIC) with wlan0 (AP) following the instructions here: http://wiki.linuxmce.org/index.php/Access_Point
After changing 'eth1' in the firewall to 'br0' (the bridge interface), everything worked without a hitch.
In 1204 and 1404, when the bridge is set up the same, the MDs cannot access the nfs storage drives, but my wifi devices work fine.
Is there a better route to take other than bridging? Is there something else I need to do to the firewall?
Some internet sources suggest installing ebtables and setting up some rules there and adding other rules to iptables. I don't quite grasp firewalls and am stuck.
Any suggestions will be greatly appreciated.
Dennis
Hello Dennis,
It isn't yet supported to bridge, but to help you further to test this,
I need some information from you:
- /etc/network/interfaces
- /etc/default/isc-dhcp-server
- iptables -vnL
Thanks Alblasco,
Here is my /etc/network/interfaces file:
# Activating interfaces
auto eth0 br0 lo
#####
# Loopback interface
#####
iface lo inet loopback
#####
# IPv4 network interfaces
#####
# --- External NIC ---
iface eth0 inet dhcp
    pre-up sysctl -q -e -w net.ipv6.conf.eth0.disable_ipv6=1
    up /sbin/ifconfig eth0 up
    down /sbin/ifconfig eth0 down
# --- Internal NIC ---
iface eth1 inet manual
    pre-up sysctl -q -e -w net.ipv6.conf.eth1.disable_ipv6=1
    up /sbin/ifconfig eth1 up
    down /sbin/ifconfig eth1 down
#####
# --- Wireless NIC ---
iface wlan0 inet manual
# --- Bridge ---
iface br0 inet static
    address 192.168.80.1
    network 192.168.80.0
    netmask 255.255.255.0
    broadcast 192.168.80.255
    gateway 192.168.1.254
    pre-up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
    bridge_ports eth1 wlan0
    dns-nameservers 192.168.1.254 8.8.8.8
    dns-search LinuxMCE.local
    down /sbin/ifconfig br0 down
Here is /etc/default/isc-dhcp-server:
INTERFACES="br0"
And here is the output of iptables -vnL:
Chain INPUT (policy DROP 3 packets, 116 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1
2 92 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
492 57564 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* Allow_DHCP */
6 1616 ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 /* Allow_DHCP */
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 /* Allow_DHCP */
2 120 ACCEPT tcp -- br0 * 192.168.80.0/24 0.0.0.0/0 /* Allow_Local_Network */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo lo 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
4 2563 ACCEPT tcp -- br0 * 192.168.80.0/24 0.0.0.0/0 /* Allow_Local_Network */
Chain OUTPUT (policy ACCEPT 317 packets, 45260 bytes)
pkts bytes target prot opt in out source destination
Let me know if you need anything else.
Dennis
Hello Dennis,
Iptables is set up as the lmce-firewall writes the iptables rules in the background.
Bridging is so far the easiest way to do this, else you need to create forward rules and change a lot of configuration files;
I'm not sure if everything will get to work that way.
There seems to be a problem with the nfs config; I'm not sure where this problem is.
I check here to be sure I'm not having this issue.
Your configuration so far seems right.
Thank you sir!
I'll keep a lookout for a resolution to the nfs issue.
Dennis
Alblasco,
My recent reinstall of 12.04 seems to work fine with the bridge setup.
Just after install, I ran the SQL command
UPDATE Device_DeviceData SET IK_DeviceData="eth0,dhcp|br0,192.168.80.1,255.255.255.0" WHERE FK_DeviceData=32;
after my bridge was set up, then did an iptables -F followed by '/usr/pluto/bin/Network_Firewall.sh'.
I may not have needed to do all of that, but it works!
Dennis
Hello Dennis,
Nice that it works now. :)
I'm building this to set it up from the GUI, but there is a lot of work to do before it is that way. :P
cheers Alblasco1702.
Alblasco, we really need a working firewall before any options or features are added. Thanks. I'll be fixing firewall bugs starting this weekend if it is not working at that point. Thanks.
J.
I value your efforts.
I was not aware the firewall was not completely up to snuff.
Yes, it would be awesome to be able to set up the bridging in website admin, but I have my config files saved on a storage drive.
Another note on the firewall... I haven't been able to get my work laptop to VPN into my work domain. Are the ports currently blocked? I think there are several that are involved.
Thanks
Dennis