
Re: transparent bridge example needed



This isn't a great teaching example, but it works for me (more or less 
identical bridge setup as you have below)

------------ a little setup --------------

# FLUSH those tables
iptables -t nat -F
iptables -F

--------- some rules ---------------

# we take http and https traffic to and from just about anything
iptables -A FORWARD -p tcp --destination-port www -j ACCEPT
iptables -A FORWARD -p tcp --source-port www -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
iptables -A FORWARD -p tcp --source-port 443 -j ACCEPT
# we need to keep that email flowing
iptables -A FORWARD -p tcp --destination-port smtp -j ACCEPT
iptables -A FORWARD -p tcp --source-port smtp -j ACCEPT
# plus POP3!
iptables -A FORWARD -p tcp --destination-port pop-3 -j ACCEPT
iptables -A FORWARD -p tcp --source-port pop-3 -j ACCEPT
# dns is required to work
# FIXME : we have well defined DNS servers so requests from
# external hosts should be permitted only to those.
iptables -A FORWARD -p udp --destination-port 53 -j ACCEPT
iptables -A FORWARD -p udp --source-port 53 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 53 -j ACCEPT
iptables -A FORWARD -p tcp --source-port 53 -j ACCEPT

Basically, everything traverses the FORWARD chain

Since the bridge has no length, you don't know which direction a packet is 
traveling so you do something like this:

iptables -A FORWARD -m physdev -s www.wormspreader.com -p tcp --physdev-in eth1 -j DROP

Not a great example (not even tested and I currently don't have any rules of 
this nature so I hope -m physdev is correct). But, anyway, it's supposed to 
DROP an incoming tcp connection (assuming eth1 faces the internet) from 
www.wormspreader.com.

Hope that helps some. I'm sure others will give you better examples.

-Gregg

On Thursday 17 March 2005 02:27 pm, Theodore Knab wrote:
> Hi,
>
> Does anyone have some transparent bridge iptables rules that I could use as
> an example ?
>
> I have a Debian Sarge box running the 2.6.10 kernel that is acting as a
> transparent bridge.
>
> Currently, it is using EBTABLES. I want to rewrite my rules to use
> iptables.
>
> My bridge config looks like this:
>
>
> #!/bin/sh
> QWEST="eth1"
> INSIDE="eth2"
>
> /usr/sbin/brctl addbr br0
>
> /bin/echo "STP is only needed if there is more than one bridge"
> /bin/echo "turn off stp on br0"
> /usr/sbin/brctl stp br0 off
>
> /bin/echo "add $QWEST to virtual unit br0"
> /usr/sbin/brctl addif br0 $QWEST
>
> /bin/echo "add $INSIDE to virtual unit br0"
> /usr/sbin/brctl addif br0 $INSIDE
>
> /bin/echo "turning off and on reset bridge"
> /sbin/ifconfig br0 down
> /sbin/ifconfig br0 0.0.0.0 up
>
>
>
>
> --
> ------------------------------------------
> Ted Knab
> Chester, Maryland  21619 USA
> ------------------------------------------
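A fuller version of the direction-aware ruleset Gregg sketches, as an added example that is not part of either post: it keeps the physdev idea but replaces the --source-port ACCEPT rules with connection tracking and limits outside DNS to named resolvers, as the FIXME in his reply asks. eth1/eth2 follow the quoted bridge script; the resolver addresses, the IPT variable and the bridge-nf sysctl note are assumptions.

```shell
#!/bin/sh
# Added example: transparent-bridge filtering with physdev, not the poster's rules.
# Assumes eth1 (QWEST) faces upstream and eth2 (INSIDE) faces the LAN, both
# enslaved to br0 as in the quoted bridge script, and that
# /proc/sys/net/bridge/bridge-nf-call-iptables is 1 so bridged frames reach
# the FORWARD chain. DNS_SERVERS holds constructed RFC 5737 addresses.
IPT="${IPT:-iptables}"
OUTSIDE="eth1"
INSIDE="eth2"
DNS_SERVERS="192.0.2.53 192.0.2.54"

bridge_rules() {
    # Clean slate and a drop-by-default FORWARD policy.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # One stateful rule replaces every "--source-port X -j ACCEPT" rule:
    # a source port is chosen by the remote host, so trusting it lets any
    # client walk through the bridge by binding to port 80 or 53.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Direction comes from the bridge port a frame entered and will leave
    # on, since the bridge itself has no address on the data path.
    # Inside hosts may open web and mail sessions outward.
    for port in 80 443 25 110; do
        $IPT -A FORWARD -p tcp --dport "$port" -m state --state NEW \
             -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" -j ACCEPT
    done

    # Outside hosts reach only the published resolvers (the FIXME above).
    for srv in $DNS_SERVERS; do
        for proto in udp tcp; do
            $IPT -A FORWARD -p "$proto" -d "$srv" --dport 53 \
                 -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" -j ACCEPT
        done
    done

    # Inside hosts may resolve names anywhere.
    $IPT -A FORWARD -p udp --dport 53 -m physdev --physdev-in "$INSIDE" -j ACCEPT
    $IPT -A FORWARD -p tcp --dport 53 -m physdev --physdev-in "$INSIDE" -j ACCEPT

    # Rate-limited log of what the default policy is about to drop.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
}

case "${1:-}" in
    apply) bridge_rules ;;
    *)     IPT="echo iptables"; bridge_rules ;;   # dry run: print the rules
esac
```

Run it with `apply` as root to load the rules; with no argument it only prints them, which is a convenient way to review the ruleset before putting it on the bridge.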
