problems with Token Ring interfaces

Andreas Baetz andreas.baetz@herma.de
Wed, 17 Oct 2001 10:07:38 +0200


It seems that the state tracking in netfilter doesn't work correctly with
token ring interfaces. I have a router with one tr and one eth
interface. It should forward FTP connections between an FTP client
behind the eth interface and an FTP server behind the tr interface.

The iptables rules are as follows (Lines may be wrapped):
------------------------------------------------------------------
iptables -t filter -A FORWARD -j LOG --log-prefix "-------- FWD: "
iptables -t filter -A FORWARD -i eth0 -o tr0 -m state -p tcp -s <FTP Client> --sport 1: -d <FTP Server> --dport 21 --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i tr0 -o eth0 -m state -p tcp -s <FTP Server> --sport 21 -d <FTP Client> --dport 1: --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i tr0 -o eth0 -m state -p tcp -s <FTP Server> --sport 20 -d <FTP Client> --dport 1: --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o tr0 -m state -p tcp -s <FTP Client> --sport 1: -d <FTP Server> --dport 20 --state ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -j LOG --log-prefix "Forward DROP: "
------------------------------------------------------------------

On FTP Client:
% ftp -A <FTP Server>
Login works without problems, so the state "NEW,ESTABLISHED" works OK from the eth side.
% ls -la

Log output of the "ls -la" command (lines may be wrapped):
------------------------------------------------------------------
01) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=61 TOS=0x10 PREC=0x00 TTL=63 ID=22320 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK PSH URGP=0
02) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=70 TOS=0x00 PREC=0x00 TTL=126 ID=15166 DF PROTO=TCP SPT=21 DPT=1024 WINDOW=8634 RES=0x00 ACK PSH URGP=0
03) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=40 TOS=0x10 PREC=0x00 TTL=63 ID=22321 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK URGP=0
04) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=50 TOS=0x10 PREC=0x00 TTL=63 ID=22322 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK PSH URGP=0
05) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=105 TOS=0x00 PREC=0x00 TTL=126 ID=15422 DF PROTO=TCP SPT=21 DPT=1024 WINDOW=8624 RES=0x00 ACK PSH URGP=0
06) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=15678 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
07) Oct 17 09:24:08 ROUTER klogd: Forward DROP: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=15678 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
08) Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=40 TOS=0x10 PREC=0x00 TTL=63 ID=22323 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK URGP=0
09) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=21310 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
10) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1026 DPT=20 WINDOW=5840 RES=0x00 ACK SYN URGP=0
12) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=21566 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8760 RES=0x00 ACK URGP=0
13) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=239 TOS=0x00 PREC=0x00 TTL=126 ID=21822 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8760 RES=0x00 ACK PSH URGP=0
14) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=22078 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8760 RES=0x00 ACK FIN URGP=0
15) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=115 TOS=0x00 PREC=0x00 TTL=126 ID=22334 DF PROTO=TCP SPT=21 DPT=1024 WINDOW=8624 RES=0x00 ACK PSH URGP=0
16) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=6377 DF PROTO=TCP SPT=1026 DPT=20 WINDOW=6432 RES=0x00 ACK URGP=0
17) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=40 TOS=0x10 PREC=0x00 TTL=63 ID=22324 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK URGP=0
18) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC=<FTP Client> DST=<FTP Server> LEN=40 TOS=0x08 PREC=0x00 TTL=63 ID=6378 DF PROTO=TCP SPT=1026 DPT=20 WINDOW=6432 RES=0x00 ACK FIN URGP=0
19) Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC=<FTP Server> DST=<FTP Client> LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=22590 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8760 RES=0x00 ACK URGP=0
------------------------------------------------------------------

Here the first connection attempt from the server is dropped (lines 06 and 07),
while the second one is let through (line 09).

I tried with iptables 1.2.1a and 1.2.3 as well as with kernel 2.4.9 and 2.4.12.
Netfilter and network cards are compiled into the kernel, no modules used.


Andreas Baetz
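A note on reading this kind of transcript, as an added example that is not part of the original post: the first rule in the chain above logs every forwarded packet before any verdict is reached, and the last rule logs only what fell through every ACCEPT. So a "FWD:" line by itself does not mean the packet passed; a dropped packet shows up twice, once under each prefix, with the same IP ID and ports (lines 06 and 07 above). The script below, which is mine and not the poster's, pairs the two LOG prefixes by packet identity to assign a verdict to each traced packet, then groups packets per flow and flags flows whose first SYN was dropped but whose retransmitted SYN passed. The addresses 192.0.2.10 and 198.51.100.20 are constructed stand-ins for the post's <FTP Client> and <FTP Server> placeholders; the five embedded log lines are lines 01, 06, 07, 09 and 10 of the post with those substitutions.

```python
"""Correlate netfilter LOG lines from a FORWARD chain that logs every packet
first and logs again just before the default policy.  A packet that appears
under both prefixes was dropped; one that appears only under the trace
prefix was accepted by some rule in between (true for the post's chain,
where every rule between the two LOG rules is an ACCEPT)."""
import re
from collections import defaultdict

# Constructed addresses standing in for the post's <FTP Client> / <FTP Server>.
CLIENT = "192.0.2.10"
SERVER = "198.51.100.20"

# Lines 01, 06, 07, 09 and 10 of the post's log, placeholders substituted.
SAMPLE_LOG = f"""
Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC={CLIENT} DST={SERVER} LEN=61 TOS=0x10 PREC=0x00 TTL=63 ID=22320 DF PROTO=TCP SPT=1024 DPT=21 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Oct 17 09:24:08 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC={SERVER} DST={CLIENT} LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=15678 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 17 09:24:08 ROUTER klogd: Forward DROP: IN=tr0 OUT=eth0 SRC={SERVER} DST={CLIENT} LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=15678 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=tr0 OUT=eth0 SRC={SERVER} DST={CLIENT} LEN=44 TOS=0x00 PREC=0x00 TTL=126 ID=21310 DF PROTO=TCP SPT=20 DPT=1026 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 17 09:24:11 ROUTER klogd: -------- FWD: IN=eth0 OUT=tr0 SRC={CLIENT} DST={SERVER} LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=1026 DPT=20 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

TRACE_PREFIX = "-------- FWD"   # first rule in the post's chain: logs everything
DROP_PREFIX = "Forward DROP"    # last rule: logs what fell through to the policy

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ klogd: (?P<prefix>.+?): (?P<fields>IN=.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_line(line):
    """Split one klogd/LOG line into timestamp, log prefix, key=value fields and TCP flags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)          # DF and the TCP flag words carry no '='
    return {"ts": m.group("ts"), "prefix": m.group("prefix"),
            "fields": fields, "tcp_flags": frozenset(flags & TCP_FLAGS)}


def packet_key(rec):
    """Identity of one datagram across several LOG lines.  The IP ID wraps after
    65536 packets, so this pairing is only reliable within a short window."""
    f = rec["fields"]
    return (f["SRC"], f["DST"], f["PROTO"], f.get("SPT"), f.get("DPT"), f["ID"])


def flow_key(rec):
    f = rec["fields"]
    return (f["SRC"], f.get("SPT"), f["DST"], f.get("DPT"))


def analyze(log_text=SAMPLE_LOG):
    """Assign a verdict to every traced packet and group the packets per flow."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    dropped = {packet_key(r) for r in recs if r["prefix"] == DROP_PREFIX}
    packets, flows = [], defaultdict(list)
    for r in recs:
        if r["prefix"] != TRACE_PREFIX:
            continue
        # PASS is an inference: no later LOG line means an ACCEPT rule took it.
        verdict = "DROP" if packet_key(r) in dropped else "PASS"
        packets.append({"ts": r["ts"], "flow": flow_key(r),
                        "tcp_flags": r["tcp_flags"], "verdict": verdict})
        flows[flow_key(r)].append((r["ts"], r["tcp_flags"], verdict))
    return {"packets": packets, "flows": dict(flows)}


def dropped_then_retried(flows):
    """Flows whose initial SYN was dropped but whose retransmitted SYN passed:
    the symptom the post describes (log lines 06/07 versus 09)."""
    hits = []
    for flow, history in flows.items():
        syns = [verdict for _, flags, verdict in history
                if "SYN" in flags and "ACK" not in flags]
        if "DROP" in syns and syns[-1] == "PASS":
            hits.append(flow)
    return hits


if __name__ == "__main__":
    result = analyze()
    for p in result["packets"]:
        print(p["ts"], p["flow"], sorted(p["tcp_flags"]), p["verdict"])
    print("dropped then retried:", dropped_then_retried(result["flows"]))
```

Run against the full 19-line transcript the script reports exactly one such flow, the server's port-20 data connection to client port 1026; the control connection and the client's SYN-ACK on the data connection all come out as PASS. The PASS inference depends on the chain layout: if any rule between the two LOG rules could DROP or REJECT without logging, a packet would be missing from the second prefix for the wrong reason.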

