On Wed, 28 Nov 2001, François Bayart wrote:

> I've installed a linux bridge with 2.4.14 kernel and the bridge-utils packages

I am VERY interested, since I administer a transparent firewall myself. My
firewall uses proxy arp (I implemented it in the old 2.2.x kernel + ipchains
days), but I would like to convert it into a bridge much as you did.

> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t mangle -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A POSTROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A PREROUTING -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -t nat -A OUTPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -N br0
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP
> iptables -A br0 -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A FORWARD -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
> iptables -A INPUT -d 62.4.8.73 -s 0/0 -p ICMP -j DROP -i br0
                                                         ^^^^^

If I remember correctly the documents I read, packets should appear in the
chains with the original interface names, i.e. the above rule will not match
any packet; you should try eth0 or eth1 or both, depending on your detailed
setup.

However, how about setting up an extremely verbose LOG rule which matches
anything, so that you can actually see what packets are flowing through? Then
you would be able to concoct matching rules more easily.

I hope this helps, bye
Giacomo

--
_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216     Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________
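
Added example, not part of the original message or thread: one way to act on the LOG suggestion above, by printing a catch-all LOG rule for each filter chain and then tallying which IN=/OUT= interface names the logged packets actually carry. The `BRDBG-` prefix, the function names and the sample log lines are assumptions constructed for illustration; real output depends on your kernel and bridge setup.

```shell
#!/bin/sh
# Added example; not from the original thread. The BRDBG- prefix is an assumption.

# Print (not apply) a catch-all LOG rule for the top of each filter chain,
# so packets are logged before any DROP rule sees them. Remove after debugging.
log_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'iptables -I %s 1 -j LOG --log-level debug --log-prefix "BRDBG-%s: "\n' \
            "$chain" "$chain"
    done
}

# Constructed kernel log lines in the LOG target's IN=/OUT= format.
# Interface names here are illustrative; read the real ones off your own log.
sample_log() {
    cat <<'EOF'
Nov 28 12:00:01 fw kernel: BRDBG-FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=62.4.8.73 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Nov 28 12:00:02 fw kernel: BRDBG-FORWARD: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=62.4.8.73 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Nov 28 12:00:05 fw kernel: BRDBG-INPUT: IN=eth1 OUT= SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=51 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Count packets per chain and IN=/OUT= interface pair (log lines on stdin).
iface_tally() {
    awk '/BRDBG-/ {
        chain = ""; in_if = "-"; out_if = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^BRDBG-/) { chain = $i; sub(/^BRDBG-/, "", chain); sub(/:$/, "", chain) }
            else if ($i ~ /^IN=./) in_if = substr($i, 4)
            else if ($i ~ /^OUT=./) out_if = substr($i, 5)
        }
        count[chain " in=" in_if " out=" out_if]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Succeeds only if some logged packet carried IN=<name>; a rule written with
# "-i <name>" cannot match traffic that never shows up under that name.
iface_seen() {
    grep -q "BRDBG-.* IN=$1 "
}

log_rules
sample_log | iface_tally
for name in br0 eth0 eth1; do
    if sample_log | iface_seen "$name"; then echo "-i $name: seen"; else echo "-i $name: never seen"; fi
done
```

On a live box, feed `iface_tally` the kernel log instead of `sample_log`, and delete the LOG rules once the matching interface names are known, since a match-everything LOG rule is very noisy.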