Re: iptables with a linux bridge

To: debian-security@lists.debian.org
Subject: Re: iptables with a linux bridge
From: "Jeremy T. Bouse" <jbouse@debian.org>
Date: Wed, 28 Nov 2001 09:07:53 -0800
Message-id: <[🔎] 20011128090753.B9466@UnderGrid.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 0af301c1782c$90f82440$6402a8c0@vaio>
References: <[🔎] 0af301c1782c$90f82440$6402a8c0@vaio>

	If I'm not mistaken I believe the bridging code runs before
the firewall code so the bridging by-passes the firewall filters 
completely... Please if I'm incorrect in this would someone care to
correct me but that is what information I've found through my research
on the subject...

	Jeremy

On Wed, Nov 28, 2001 at 05:48:52PM +0100, Fran?ois Bayart wrote:
> 
> Hi ,
> 
> I've installed a linux bridge with 2.4.14 kernel and the bridge-utils packages
> 
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig eth0 0.0.0.0
> ifconfig eth1 0.0.0.0
> ifconfig br0 62.4.8.2 netmask 255.255.255.0 broadcast 62.4.8.255
> 
> That correctly works but now I would like create some filtering rules and I try with iptables and it doesn't work
> ex, just drop the icmp :
> 
> iptables -F INPUT
> iptables -P INPUT ACCEPT
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
> iptables -F FORWARD
> iptables -P FORWARD ACCEPT
> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A POSTROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -N br0
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> 
> and I can ping without problem, I have try all rules because I don't understand the problem, normally I don't have NAT n this network.
> 
> Si if someone can give me a solution or informations
> 
> thx
> 
> Francois
> 
> 
> -----------------------
> Fran?ois Bayart
> francois@avence.com
> +33 1 49 27 98 30
> +33 6 87 84 18 82

Reply to:

Follow-Ups:
- Re: iptables with a linux bridge
  - From: martin f krafft <madduck@madduck.net>
- Re: iptables with a linux bridge
  - From: Philipp Schulte <pschulte@uni-duisburg.de>

References:
- iptables with a linux bridge
  - From: François Bayart <francois@avenceprod.com>

Prev by Date: iptables with a linux bridge
Next by Date: Re: iptables with a linux bridge
Previous by thread: iptables with a linux bridge
Next by thread: Re: iptables with a linux bridge
Index(es):
- Date
- Thread