Re: iptables with a linux bridge

To: François Bayart <francois@famipow.com>
Cc: debian-security@lists.debian.org
Subject: Re: iptables with a linux bridge
From: Giacomo Mulas <gmulas@ca.astro.it>
Date: Wed, 28 Nov 2001 18:11:40 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.42.0111281805180.2680-100000@capitanata.ca.astro.it>
Reply-to: Giacomo Mulas <gmulas@ca.astro.it>
In-reply-to: <[🔎] 0afe01c1782c$bbbb4130$6402a8c0@vaio>

On Wed, 28 Nov 2001, François Bayart wrote:

> I've installed a linux bridge with 2.4.14 kernel and the bridge-utils packages

I am VERY interested, since I administer a transparent firewall myself. My
firewall uses proxy arp (I implemented it in the old 2.2.x kernel +
ipchains days), but I would like to convert it into a bridge much as you
did.

> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A POSTROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -N br0
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
                                                         ^^^^^

If I remember correctly the documents I read, packets should appear in the
chains with the original interface names, i.e. the above rule will not
match any packet, you should try eth0 or eth1 or both, depending on your
detailed setup. However, how about setting up an extremely verbose LOG
rule which matches anything, so that you can actually see what packets are
flowing through? Then you would be able to concoct matching rules more
easily.

I hope this helps, bye
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________

Reply to:

Follow-Ups:
- Re: iptables with a linux bridge
  - From: François Bayart <francois@famipow.com>
- Re: iptables with a linux bridge
  - From: martin f krafft <madduck@madduck.net>

References:
- iptables with a linux bridge
  - From: François Bayart <francois@famipow.com>

Prev by Date: Re: iptables with a linux bridge
Next by Date: Re: iptables with a linux bridge
Previous by thread: iptables with a linux bridge
Next by thread: Re: iptables with a linux bridge
Index(es):
- Date
- Thread