Title: RE: Bridge digest, Vol 1 #206 - 5 msgs

Hi Jeremy,

you can easily configure iptables with rules specifying input & output sources, e.g.

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT   (or vice versa: -i eth1 -o eth0)

obviously -i for input & -o for output

Lewis
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 8:02 PM
To: [EMAIL PROTECTED]
Subject: Bridge digest, Vol 1 #206 - 5 msgs


Send Bridge mailing list submissions to
        [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
        http://www.math.leidenuniv.nl/mailman/listinfo/bridge
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bridge digest..."


Today's Topics:

   1. IPTables and ethernet devices..... (Jeremy Rumpf)
   2. bug/help needed ... (Matthew Hall)
   3. About the redirection. (Near)
   4. The redirection (??)
   5. The redirection problem (Near)

--__--__--

Message: 1
From: Jeremy Rumpf <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: The Ohio State University
To: [EMAIL PROTECTED]
Date: Wed, 22 Aug 2001 11:04:16 -0400
Subject: [Bridge] IPTables and ethernet devices.....

Hello all,

I'm going to try and implement a type of bridge that will sit between our
computer labs and the rest of the campus network. In order for the users to
be able to get passage through the bridge (thus use the network beyond the
lab) they'll have to authenticate with the bridge. I currently have a type of
"bridge manager" software in the works that will track the iptables rules and
features Kerberos authentication. My main dilemma is that the bridge manager
needs to know which side the lab LAN is on and which side the campus network
is on.

I can do this by configuring it with the IP address range of each, simple
enough. Rules per authenticated host may appear like this:

iptables -t filter -I FORWARD -s 128.146.105.13/32 ! -d 128.146.105.0/24 -j ACCEPT

iptables -t filter -I FORWARD -d 128.146.105.13/32 ! -s 128.146.105.0/24 -j ACCEPT

My main question is, can I do something like this:

iptables -t filter -I FORWARD -s 128.146.105.13/32 -i eth0 -o eth1 -j ACCEPT
iptables -t filter -I FORWARD -d 128.146.105.13/32 -i eth1 -o eth0 -j ACCEPT

Does the bridge identify which interface the packet arrives on and is
destined to leave on? If I could do this, then when the bridges are installed
I can simply tell them to make sure the lab LAN is plugged into THIS
interface vs. having to actually configure the IP address range of the lab
LAN into the bridge.

FYI, the IP address 128.146.105.13 is passed to the bridge manager when
authentication takes place. I do this by transparently proxying any web request
of any non-authenticated user back to an Apache server running on the local
bridge. The Apache/PHP interacts with the bridge manager over a local Unix
domain socket. Should be pretty cool, if all the pieces work :).

Thanks,

Jeremy
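An added worked example for the per-interface rules Lewis and Jeremy discuss above (it is not code from either message, and the bridge-manager design it sketches is my own). It assumes a Linux bridge br0 with the lab on one port and campus on the other, and that bridged frames actually reach iptables (the br_netfilter module loaded and net.bridge.bridge-nf-call-iptables=1; without that, a plain bridge never consults the FORWARD chain at all). On such a bridge, -i/-o in FORWARD match br0 itself, not the physical ports, so the example matches the port a frame came in on and leaves by with -m physdev instead. The interface names, the bridge name and the iptables path are placeholders. The example goes one step beyond the thread: it validates the address handed over by the web login before it is turned into a rule, and can pair the source IP with the client's MAC so that another lab host has to spoof both to ride on someone else's authentication.

```python
"""Per-host iptables rules for an authenticating Linux bridge.

Added example, not code from the original thread.  Assumptions:
  * bridge br0 with the lab LAN on one port and campus on the other;
  * br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1,
    so bridged frames traverse the FORWARD chain;
  * on such a bridge -i/-o in FORWARD match br0 itself, so the physical
    port is matched with "-m physdev --physdev-in/--physdev-out".
Interface names and the iptables path are placeholders.
"""
import ipaddress
import subprocess
from typing import List, Optional

IPTABLES = "iptables"   # assumed to be on PATH


def _validate(host: str, mac: Optional[str]) -> None:
    """Reject anything that is not a plain IPv4 address / aa:bb:cc:dd:ee:ff MAC.

    The address arrives from the captive-portal login, i.e. from a user, and
    ends up in a command line; only a well-formed address may get that far.
    """
    ipaddress.IPv4Address(host)            # ValueError on bad input
    if mac is not None:
        parts = mac.split(":")
        if len(parts) != 6 or any(len(p) != 2 for p in parts):
            raise ValueError(f"bad MAC address: {mac}")
        [int(p, 16) for p in parts]        # ValueError on a non-hex octet


def baseline_rules() -> List[List[str]]:
    """Default-deny: nothing crosses the bridge until a host is authenticated."""
    return [[IPTABLES, "-t", "filter", "-P", "FORWARD", "DROP"]]


def host_rules(host: str, lab_port: str, campus_port: str,
               mac: Optional[str] = None, action: str = "-I") -> List[List[str]]:
    """The two FORWARD rules that open the bridge for one authenticated host.

    action "-I" inserts them (grant); "-D" deletes the same rules (revoke).
    Matching on the physical port means the manager only needs to know
    which cable is the lab, not the lab's address range.
    """
    _validate(host, mac)
    lab_to_campus = [IPTABLES, "-t", "filter", action, "FORWARD",
                     "-m", "physdev", "--physdev-in", lab_port,
                     "--physdev-out", campus_port,
                     "-s", f"{host}/32"]
    if mac is not None:
        # Tie the grant to the MAC seen at login as well as the IP.
        lab_to_campus += ["-m", "mac", "--mac-source", mac]
    lab_to_campus += ["-j", "ACCEPT"]
    campus_to_lab = [IPTABLES, "-t", "filter", action, "FORWARD",
                     "-m", "physdev", "--physdev-in", campus_port,
                     "--physdev-out", lab_port,
                     "-d", f"{host}/32",
                     "-j", "ACCEPT"]
    return [lab_to_campus, campus_to_lab]


def grant(host: str, lab_port: str, campus_port: str,
          mac: Optional[str] = None) -> List[List[str]]:
    return host_rules(host, lab_port, campus_port, mac, "-I")


def revoke(host: str, lab_port: str, campus_port: str,
           mac: Optional[str] = None) -> List[List[str]]:
    return host_rules(host, lab_port, campus_port, mac, "-D")


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> List[List[str]]:
    """Run each rule as an argv list (no shell); needs root unless dry_run."""
    for cmd in rules:
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rules


if __name__ == "__main__":
    # Constructed sample: the host from the thread, lab on eth0, campus on eth1.
    for cmd in baseline_rules() + grant("128.146.105.13", "eth0", "eth1",
                                        mac="00:11:22:33:44:55"):
        print(" ".join(cmd))
```

Rules are built as argv lists and handed to subprocess without a shell, so the address string can never become extra shell syntax; the validation step is still there because iptables itself would otherwise happily parse whatever it is given. Revocation reuses the exact same argument list with -D, which is what lets the manager delete precisely the rules it inserted.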


