  1. #1 (Just Joined!, joined Jul 2006, 13 posts)

    I need help with server setup for networking

    Hi to all the people that are nice enough to try to help me.
    My question is quite complex, I will try to make it as simple as possible.
    I have one server that runs Debian GNU/Linux.
    It is the center of a medium network; the Internet is plugged into it.
    eth0 is the Internet.
    eth1 to eth5 are LAN connections.
    eth6 is an IP-based SAN.

    eth1 to 5 are linked together using a bridge called bluelan.
    eth0 and bluelan have packets routed between them, with NAT.
    eth6 has no routing at all to other interfaces, so all the packets it receives are destined to the server.

    The problem is that the computers that are plugged into different ports of bluelan can't see each other. For example, the computers that are plugged into eth3 can't access the computers on eth4. In my understanding of a bridge (it's like a network switch), it should work.

    For reference, here are a few startup scripts that I run.

    /etc/network/interfaces

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # iptables startup scripts (these options belong to the lo stanza above,
    # so they run when lo is brought up and taken down)
    pre-up /etc/network/if-pre-up.d/iptables-start.sh
    post-down /etc/network/if-post-down.d/iptables-stop.sh

    # The Internet network interface
    auto eth0
    iface eth0 inet dhcp

    # The bluelan bridge

    auto bluelan
    iface bluelan inet static
    address 192.168.0.1
    netmask 255.255.255.0
    broadcast 192.168.0.255
    network 192.168.0.0
    bridge_ports eth2 eth3 eth1 eth4 eth5
    bridge_stp off
    bridge_fd 3
    bridge_maxwait 5

    # The redlan downlink

    auto eth6
    iface eth6 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    broadcast 192.168.2.255
    network 192.168.2.0
    mtu 1500

    #EOF

    /etc/network/if-pre-up.d/iptables-start.sh

    #!/bin/sh
    # "iptables-start.sh"
    #
    ########----------------------------------#############
    # rules reset
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    #
    # policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #
    #
    #########-----------INPUT RULES------------#############
    #drop all inputs on the lan from the hosts that are also on the san
    iptables -A INPUT -i bluelan -p tcp -m multiport --dport 137,138,139 -s 192.168.0.20 -j DROP
    iptables -A INPUT -i bluelan -p udp -m multiport --dport 137,138,139 -s 192.168.0.20 -j DROP
    iptables -A INPUT -i bluelan -p tcp -m multiport --dport 137,138,139 -s 192.168.0.30 -j DROP
    iptables -A INPUT -i bluelan -p udp -m multiport --dport 137,138,139 -s 192.168.0.30 -j DROP
    #accept all other inputs from lan
    iptables -A INPUT -i bluelan -j ACCEPT
    #---------------------------------------------------------------------------
    #accept samba (netbios) related inputs from the san
    iptables -A INPUT -i eth6 -p tcp -m multiport --dport 137,138,139 -j ACCEPT
    iptables -A INPUT -i eth6 -p udp -m multiport --dport 137,138,139 -j ACCEPT
    #---------------------------------------------------------------------------
    #accept all inputs from loopback
    iptables -A INPUT -i lo -j ACCEPT
    #---------------------------------------------------------------------------
    #accept all related and established states as input from the Internet
    iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #ICMP stuff
    iptables -A INPUT -p icmp -m state --state RELATED -j ACCEPT
    #accept all inputs to servers that must be reachable from the Internet
    #SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #SVN
    iptables -A INPUT -p tcp --dport 3690 -j ACCEPT
    #log all invalid states from the Internet
    iptables -A INPUT -i eth0 -m state --state INVALID -j LOG
    #
    ########-----------PREROUTING RULES--------###########
    #port forwards
    iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:81
    iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.20:3389
    iptables -t nat -A PREROUTING -p tcp --dport 3955 -j DNAT --to-destination 192.168.0.20:3955
    iptables -t nat -A PREROUTING -p udp --dport 3955 -j DNAT --to-destination 192.168.0.20:3955
    #########----------FORWARD RULES-----------############
    #accept all the traffic from the lan to the internet
    iptables -A FORWARD -i bluelan -o eth0 -j ACCEPT

    #accept all related and established states as forward from the Internet
    iptables -A FORWARD -i eth0 -o bluelan -m state --state RELATED,ESTABLISHED -j ACCEPT
    #accept all web traffic to 192.168.0.2 server
    iptables -A FORWARD -p tcp --dport 81 -j ACCEPT
    #accept all rdc traffic to 192.168.0.20
    iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT
    iptables -A FORWARD -p udp --dport 3389 -j ACCEPT
    #accept traffic for bittorrent to 192.168.0.20 (tcp and udp, matching the PREROUTING DNAT above)
    iptables -A FORWARD -p tcp --dport 3955 -j ACCEPT
    iptables -A FORWARD -p udp --dport 3955 -j ACCEPT
    #log all invalid states from the Internet
    iptables -A FORWARD -i eth0 -m state --state INVALID -j LOG
    #########----------POSTROUTING RULES-------############
    #nat for the lan on the Internet
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    #EOF

    That was quite a long post; I hope somebody will read it. Previously the server was all OpenBSD based. Bridges and firewalls on this OS are a lot simpler and I got them to work within one day. I need Linux because OpenBSD no longer fits the job: it is not compatible with some new pieces of hardware I needed and some software. Samba was full of memory leaks, there is no LVM, the only file system is FFS, and for a lot of other reasons I really need to switch to Linux. On OpenBSD everything could go over the bridge with no problems. Thanks for your help.

  2. #2 (Linux User, joined Feb 2006, 484 posts)
    Hi

    Please forgive me, my English is very bad.

    I am not a networking guru, but I have minimal experience with iptables (I used it one time).
    I can't see the following line in your iptables configuration:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    That line permits forwarding in Debian Linux.
    I hope it helps.
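    Added example, not the poster's script or any reply in this thread: a small static audit of an iptables startup script shaped like the one in post #1, which also covers the ip_forward point raised in post #2. It assumes the caller passes in the values read from /proc/sys/net/ipv4/ip_forward and /proc/sys/net/bridge/bridge-nf-call-iptables, and the rule excerpt it ships with is constructed.

```python
import shlex

# Constructed excerpt in the shape of the poster's iptables-start.sh (not the full script).
SAMPLE_RULES = """\
iptables -P FORWARD DROP
iptables -A FORWARD -i bluelan -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o bluelan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --dport 3955 -j ACCEPT
iptables -A FORWARD -p tcp --dport 3955 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""

def parse_rules(script):
    """Yield (table, argv) for every `iptables ...` command line; comments are skipped."""
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("iptables "):
            argv = shlex.split(line)[1:]
            yield (argv[argv.index("-t") + 1] if "-t" in argv else "filter"), argv

def opt(argv, flag):
    """Value after a single-argument flag such as -i, -o or -j, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit_bridge_forwarding(script, bridge, ip_forward, bridge_nf_call_iptables):
    """Explain why hosts on different ports of `bridge` may not reach each other; the last
    two arguments are the caller's ip_forward and bridge-nf-call-iptables sysctl values."""
    findings = []
    policy = "ACCEPT"            # kernel default when no -P FORWARD line is present
    intra_bridge_accept = False  # explicit '-i bridge -o bridge -j ACCEPT' seen?
    seen = set()
    for table, argv in parse_rules(script):
        if table != "filter":
            continue
        if opt(argv, "-P") == "FORWARD":
            policy = argv[argv.index("-P") + 2]
        if opt(argv, "-A") == "FORWARD":
            if tuple(argv) in seen:  # the same rule appended twice is almost always a typo
                findings.append("duplicate FORWARD rule: " + " ".join(argv))
            seen.add(tuple(argv))
            if opt(argv, "-i") == bridge == opt(argv, "-o") and opt(argv, "-j") == "ACCEPT":
                intra_bridge_accept = True
    if ip_forward != 1:
        findings.append("net.ipv4.ip_forward=0: nothing is routed between eth0 and the bridge")
    # bridge-nf-call-iptables=1: frames switched between two ports of one bridge also traverse FORWARD.
    if bridge_nf_call_iptables == 1 and policy == "DROP" and not intra_bridge_accept:
        findings.append("bridged frames hit FORWARD (policy DROP); add: "
                        f"iptables -A FORWARD -i {bridge} -o {bridge} -j ACCEPT")
    return findings
```

    Setting net.bridge.bridge-nf-call-iptables to 0 is the other way to keep bridged frames out of iptables entirely, at the cost of no longer being able to filter them there.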

  3. #3 (Just Joined!, joined Jan 2006, 71 posts)
    It's weird that you can't connect to other computers on the bluelan bridge. If it's like a switch, is it one of the smart switches that you can log into and configure?
