[lug] netfilter strangeness

Daniel Webb lists at danielwebb.us
Mon May 30 12:39:49 MDT 2005


On Mon, May 30, 2005 at 10:21:33AM -0600, David Anselmi wrote:

> Daniel Webb wrote:
> >I've been learning how to do iptables filtering along with shaping using tc
> >on a Linksys WRT54G.  
> 
> That's cool, but why?  Might make an interesting LUG talk.

My DSL modem gets a lot of interference from stuff inside the house (mostly
dimmers), so I put the modem outside on the porch.  I have three computers
connected via wireless inside the house, so the easiest thing to do is connect
the AP/router directly to the modem on the porch.  I want traffic shaping for
when I start using VOIP, and a firewall is a necessity.  Eventually I'm also
going to be sharing the connection with neighbors on Speakeasy's wireless
sharing plan, so bandwidth management will be critical for that.  

I was surprised, but you can apparently implement every possible iptables
module as of 2.4.20 using OpenWRT on a machine with just 4MB of flash memory
(and still have 1MB left over).
I just wish it had the CLASSIFY target...

Also, I'd guess that using a WRT54G for the firewall machine instead of using
an old PC would save $50 a year or so on electricity.

> >root at webb:~# iptables -L -t mangle -v -n
> >Chain PREROUTING (policy ACCEPT 10590 packets, 9383K bytes)
> > pkts bytes target     prot opt in     out     source         destination
> >10281 9254K MARK       all  --  eth1   *       192.168.0.0/24  192.168.0.0/24      MARK set 0x5
> >10280 9254K RETURN     all  --  eth1   *       192.168.0.0/24  192.168.0.0/24
> >
> ><snip>
> >
> >Chain POSTROUTING (policy ACCEPT 309 packets, 40749 bytes)
> > pkts bytes target     prot opt in     out     source         destination
> >  117 10732 MARK       all  --  *      eth1    192.168.0.0/24  192.168.0.0/24      MARK set 0x5
> >  117 10732 RETURN     all  --  *      eth1    192.168.0.0/24  192.168.0.0/24
> >
> >This was after a reboot followed by a file transfer from one machine on the
> >lan to another.  Now, I'm no netfilter expert, but shouldn't the
> >POSTROUTING ACCEPT counter be as high as the PREROUTING ACCEPT counter?
> 
> No.  You're looking at packets coming in eth1 vs. going out eth1--why 
> should they be the same?  You see that the incoming packets are around 
> 900B on average while the outgoing packets are around 90B.  So that 
> looks like the file transfer is coming from a machine hooked to eth1 
> (big data packets coming in, small acks going out).  Naturally the data 
> packets go out the interface hooked to the receiving machine.

I should have mentioned that eth1 is the wireless device, and nothing is
connected to the ethernet LAN ports.  So for two machines on the LAN to
transfer a file, approximately the same should go in and out of eth1.  I
verified this with ifconfig, which shows that the eth1 interface Rx and Tx
bytes increased about 9M.

Also, looking at the "bytes" field of "Chain POSTROUTING", why is that
number specific to eth1?  Only my rules in the chain are specific to eth1.

> I wonder how the LAN ports are wired?  Does each show up as a different 
> interface?  Seems like they do so you must have some bridging going on. 
>  That seems to complicate the tables and chains that the packets traverse.
> 
> Be interesting to poke around inside one of these.

There is a bridge device between the ethernet LAN ports and the eth1
wireless device called br0.  It was causing me problems with traffic shaping,
because apparently you can't shape on a bridge device without kernel patches.  

I wonder if there is something weird about how bridge devices work that's
causing the above observation that in!=out?

I believe I read in the OpenWRT documents that you can also split all 4
ethernet LAN ports and route them separately, which is pretty impressive for a
$65 router.
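The reasoning in the thread (compare the PREROUTING and POSTROUTING counters, then divide bytes by packets to see that one side carries ~900-byte data packets and the other ~90-byte acks) is easy to do by hand for two rules but tedious for a full ruleset. Below is an added example, not code from the thread or from OpenWRT, that parses `iptables -L -t mangle -v -n` output and reports per-rule average packet size and the policy counters for each chain. The sample listing is constructed from the one quoted above with the wrapped destination column rejoined; the K/M/G expansion follows the decimal multipliers documented in iptables(8) (use `-x` on a real box to avoid the rounding entirely).

```python
"""Summarise iptables -v counters: per-rule average packet size and chain policy counts."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample input, based on the listing quoted in the thread.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 10590 packets, 9383K bytes)
 pkts bytes target     prot opt in     out     source         destination
10281 9254K MARK       all  --  eth1   *       192.168.0.0/24  192.168.0.0/24      MARK set 0x5
10280 9254K RETURN     all  --  eth1   *       192.168.0.0/24  192.168.0.0/24

Chain POSTROUTING (policy ACCEPT 309 packets, 40749 bytes)
 pkts bytes target     prot opt in     out     source         destination
  117 10732 MARK       all  --  *      eth1    192.168.0.0/24  192.168.0.0/24      MARK set 0x5
  117 10732 RETURN     all  --  *      eth1    192.168.0.0/24  192.168.0.0/24
"""

# iptables -v abbreviates counters with decimal K/M/G suffixes unless -x is given.
_MULT = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
_USER_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")


def parse_counter(token: str) -> int:
    """Expand '9254K' -> 9254000; plain integers pass through unchanged."""
    if token[-1] in _MULT:
        return int(token[:-1]) * _MULT[token[-1]]
    return int(token)


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match/target options, e.g. "MARK set 0x5"

    def avg_packet_bytes(self) -> float:
        """Bytes per packet; this is the ~900B vs ~90B comparison from the thread."""
        return self.bytes / self.pkts if self.pkts else 0.0


@dataclass
class Chain:
    name: str
    policy: str           # "-" for user-defined chains, which have no policy
    policy_pkts: int      # packets that fell through to the policy (RETURN in a built-in
    policy_bytes: int     # chain also ends up here, per iptables(8))
    rules: List[Rule] = field(default_factory=list)


def parse_listing(text: str) -> Dict[str, Chain]:
    """Parse the output of `iptables -L -v -n` (any table) into Chain objects."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _BUILTIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2),
                            parse_counter(m.group(3)), parse_counter(m.group(4)))
            chains[current.name] = current
            continue
        m = _USER_RE.match(line)
        if m:
            current = Chain(m.group(1), "-", 0, 0)
            chains[current.name] = current
            continue
        fields = line.split()
        if fields[0] == "pkts" or current is None:
            continue  # column header line
        if len(fields) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        # Columns: pkts bytes target prot opt in out source destination [extra...]
        current.rules.append(Rule(
            parse_counter(fields[0]), parse_counter(fields[1]),
            fields[2], fields[3], fields[5], fields[6], fields[7], fields[8],
            " ".join(fields[9:]),
        ))
    return chains


def target_summary(chains: Dict[str, Chain], target: str = "MARK") -> Dict[str, dict]:
    """For each chain, the counters of its first rule with the given target."""
    out = {}
    for chain in chains.values():
        for rule in chain.rules:
            if rule.target == target:
                out[chain.name] = {"in": rule.in_if, "out": rule.out_if, "pkts": rule.pkts,
                                   "bytes": rule.bytes, "avg_bytes": round(rule.avg_packet_bytes())}
                break
    return out


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for name, chain in parsed.items():
        print(f"{name}: policy {chain.policy} {chain.policy_pkts} pkts / {chain.policy_bytes} bytes")
        for r in chain.rules:
            print(f"  {r.target:<7} in={r.in_if:<5} out={r.out_if:<5} "
                  f"{r.pkts:>6} pkts  avg {r.avg_packet_bytes():.0f} B/pkt  {r.extra}")
    print(target_summary(parsed))
```

Run it against your own box with `iptables -L -t mangle -v -n -x | python3 thisfile.py`-style piping after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; the `-x` flag makes the counters exact so the average is not distorted by K/M rounding.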
