On Fri, 31 Aug 2001, Bart De Schuymer wrote:

>
> Could you make 3 logging rules: in front and after the rule for all packets.
> in front the rule with the same rule except the target = LOG?
> Are you sure it's ip traffic that your bridge forwards?
>

At this point I've removed all my rules.  IN, OUT, and FORWARD are empty
but the policy is set to DROP for all three chains.  But ping and telnet
sessions are getting through.

>
> bridged packets are filtered at the FORWARD chain.
> packets for the local bridge machine are filtered in INPUT, packets
> originating from the machine are filtered in OUTPUT.
>

That's what I thought and how I wrote (actually stole my rules from
Oskar Andreasson's iptables tutorial, with modifications).

> >
> > In the context of iptables with bridging what's the difference between
> > PREROUTING and POSTROUTING when we don't do any routing?
>
> if you would filter in PREROUTING (using the nat table I think you can
> actually do that with iptables), you would be filtering on all packets that
> come into the bridge, so both the packets that will go to the FORWARD chain
> as those that will go to the INPUT chain.
> Filtering in POSTROUTING will filter all packets that will leave the box, so
> those coming from FORWARD and those coming from OUTPUT.
>

That seems very useful.  The only place I've seen PREROUTING and
POSTROUTING rules used was in combination with NAT.  If we can use
these chains independently of NAT to check for spoofing that would be very
good.

> > I was going to extract a fresh copy of the source and reapply the
> > patches. But that's probably "barking up the wrong tree".
>
> If you didn't start from a fresh kernel source to apply these patches,
> trying so now wouldn't be such a bad idea, I think...

Hmm.  Things are strange enough I'm going to try this first!!
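The diagnostic Bart suggests (the rule under test sandwiched between two LOG rules with the same match, placed in the chain that the traffic class actually traverses) as an added shell example; this is not code from the thread or from the bridge patches. It prints the iptables commands by default and only loads them if IPT is set to a real iptables binary; the traffic-class names, the log prefixes and the helper names are my own.

```sh
#!/bin/sh
# Added example, not code from the thread. Emits the diagnostic rule set
# described above: the rule under test sandwiched between two LOG rules
# with the same match, in the chain that the traffic class traverses.
# By default the commands are only printed; set IPT=iptables (as root) to
# load them. Assumes the classic iptables LOG target and --log-prefix.
IPT="${IPT:-echo iptables}"

# Chain reached by each traffic class on a bridging box, as explained above:
#   FORWARD  packets bridged between ports
#   INPUT    packets addressed to the bridge host itself
#   OUTPUT   packets originating on the bridge host
# (class names "bridged", "local", "own" are this example's own labels)
chain_for() {
    case $1 in
        bridged) echo FORWARD ;;
        local)   echo INPUT ;;
        own)     echo OUTPUT ;;
        *)       echo "unknown traffic class: $1" >&2; return 1 ;;
    esac
}

# log_sandwich CHAIN TARGET MATCH...
# Reading the kernel log afterwards:
#   "before" hit, no "after" hit  -> the rule matched and terminated (DROP)
#   both hit                       -> matched, but the target did not terminate
#   neither hit                    -> the packet never entered this chain;
#                                     it is not being filtered here at all
#                                     (the symptom in the thread: empty chains,
#                                     policy DROP, traffic still passing)
log_sandwich() {
    chain=$1; target=$2; shift 2
    $IPT -A "$chain" "$@" -j LOG --log-prefix "${chain}-before: "
    $IPT -A "$chain" "$@" -j "$target"
    $IPT -A "$chain" "$@" -j LOG --log-prefix "${chain}-after: "
}

# diag_rules CLASS TARGET MATCH...   e.g. diag_rules bridged DROP -p icmp
diag_rules() {
    chain=$(chain_for "$1") || return 1
    target=$2; shift 2
    log_sandwich "$chain" "$target" "$@"
}

# Show policies and per-chain packet counters first: an unexpected ACCEPT
# policy, or a chain whose counters never move, is visible before adding
# any rule.
show_state() {
    $IPT -L -n -v
}

# Usage: load these, ping and telnet through the bridge, then read the
# kernel log (dmesg or /var/log/messages) for the prefixes.
show_state
diag_rules bridged DROP -p icmp
diag_rules local DROP -p tcp --dport 23
```

If neither prefix ever shows up for bridged pings while FORWARD is empty with a DROP policy, the packets are not passing through the filter hooks at all, which is exactly the case for re-checking the patched kernel rather than the rule set.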

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
