If you add a switch, it can still mess up in some situations. The solution is to be really explicit about the IP addresses, and only do things like NAT and REJECTing on packets that you _know_ are destined for the other side.
On Tue, Jan 22, 2002 at 01:17:58PM -0600, Dave Hinkle wrote:
> Yea, I use this. Make sure you have the netfilter patch installed. And remember, your bridge sees ALL the packets, so for example, if you redirect web requests as I do the linux box will redirect ALL requests, whether or not they'd traverse the bridge. (I wish it didn't) So 2 machines talking port 80 to each other on one side of the bridge would get an answer from the target machine AND the bridge, which pretty much screws everything up. Workaround: Use a switch on both sides of the bridge. (Kinda ironic huh?)
>
> David
>
> -----Original Message-----
> From: Rob McMillen [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 22, 2002 9:38 AM
> To: Bridge
> Subject: [Bridge] I wonder
>
> Would it be possible to have the bridge route something to its loopback interface in order to provide a service that is bound to the localhost? If I use DNAT to route a packet to the loopback interface, would this be possible? I've tried it without success, but I may have the rules wrong.
>
> $IPT -t nat -A PREROUTING -s $ME -d $SOME_IP -j DNAT --to-destination 127.0.0.1
> $IPT -A INPUT -i lo -s $ME -j ACCEPT
> $IPT -A OUTPUT -o lo -d $ME -j ACCEPT
>
> I don't have a post routing rule because as I understand it, once the PREROUTING rule hits, the packets will not traverse the nat table again.
>
> I've added a static arp entry to my client to ensure that the packets with $SOME_IP are directed at the bridging firewall.
>
> Rob

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
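The "be explicit about the addresses" advice from the reply, shown as an added example that is not from anyone in the thread: the over-broad port-80 redirect Dave describes next to an address-qualified version that only touches traffic leaving the LAN side. The LAN subnet, the proxy port and the DRY_RUN switch are assumptions for illustration; the `! -d` inversion is modern iptables syntax.

```shell
#!/bin/sh
# Added example: compare a broad bridge redirect with an address-explicit one.
# Assumed: the bridge joins a LAN side (LAN_NET) to an uplink side; a local
# transparent proxy listens on PROXY_PORT. DRY_RUN=1 (default) prints the
# commands instead of applying them, so this runs without root or iptables.
IPT=${IPT:-iptables}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed LAN subnet behind the bridge
PROXY_PORT=${PROXY_PORT:-3128}       # assumed local proxy port

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Broad rule, as described in the thread: every port-80 packet the bridge
# sees is redirected, including LAN-to-LAN traffic that never crosses it,
# so two hosts on the same side get replies from both peer and bridge.
broad_rules() {
  run $IPT -t nat -A PREROUTING -p tcp --dport 80 \
      -j REDIRECT --to-ports "$PROXY_PORT"
}

# Address-explicit rules: act only on packets that are known to be crossing
# the bridge (source inside LAN_NET, destination outside it). Same-side
# traffic matches neither rule and is bridged untouched.
explicit_rules() {
  run $IPT -t nat -A PREROUTING -s "$LAN_NET" ! -d "$LAN_NET" \
      -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
  # REJECT with the same qualification: LAN-to-LAN telnet is not affected.
  run $IPT -A FORWARD -s "$LAN_NET" ! -d "$LAN_NET" \
      -p tcp --dport 23 -j REJECT
}

echo "# broad (catches same-side traffic too):"
broad_rules
echo "# explicit (only traffic leaving $LAN_NET):"
explicit_rules
```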
