The setup: PII with two NICs, Debian Potato r4 with Adrian Bunk's packages for the 2.4 kernel. The bridge host itself has an IP address for remote management purposes. Everything works fine before packet filtering, as far as I can tell. Nifty stuff!
The problem: I want to filter packets for each of the following four cases such that the rules for each case are entirely independent of those for the other cases:

  Case 1: packets entering external interface, destined for host on inside
  Case 2: packets entering internal interface, destined for host on outside
  Case 3: packets entering external interface, destined for bridging host
  Case 4: packets entering internal interface, destined for bridging host

I know I can handle cases 1 & 2 with the '-i' and '-o' flags on the FORWARD chain--the standard bridging firewall thing. But how do I filter packets destined for the address of the bridging host itself, applying different rules to each interface?

David Whitmarsh's sample script (http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt) is interesting, but he only specifies his bridging interface (not either of the NICs) with '-i' in the rules governing traffic to his bridge.

Following his example somewhat, in my first attempt I dropped RFC 1918 addresses in the mangle/PREROUTING chain, and jumped from there to chains specific to each interface (<> enclose dummy rules):

  -t mangle -A PREROUTING
      <filter RFC 1918>
      -d $BR_ADDR -j br_host

  br_host:
      <rules applicable to packets destined for bridge host on all interfaces>
      -i $EXT_IF -j br_ext     # should match stuff on eth1
      -i $INT_IF -j br_int     # should match stuff on eth0
      -i $BR_IF -j ACCEPT

  br_ext:
      <rules applicable to packets entering external interface>

  br_int:
      <rules applicable to packets entering internal interface>

(both br_ext and br_int are terminal chains, i.e. at the end they drop anything they don't explicitly accept)

Sorry for the condensed pseudo-rules. The script that implements this scheme is appended.

Anyway, no packets from the outside ever match the br_ext or br_int rules, regardless of the interface they arrive on. All packets fall through to the '-i $BR_IF -j ACCEPT' rule.
I suspect I should be using the INPUT chain with the '-i' flag and the $EXT_IF/$INT_IF specified, but what do I do with the $BR_IF interface, and can I specify the IP address of the bridge with '-d'?

Thanks in advance,
Chuck

### START OF SCRIPT ###
# We assume we are being run from a script that has sourced config
# variables

#--------------------------------------------------
# BASIC INITIALIZATION
#--------------------------------------------------
#
# reinitialize chains
#
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t mangle

#
# set policies
#
for CHAIN in INPUT FORWARD; do
    $IPTABLES -P $CHAIN DROP
done
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#--------------------------------------------------
# ALL INTERFACES, ALL DIRECTIONS
#--------------------------------------------------
# enable loopback traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# log_drop is not defined anywhere in this excerpt, and the -X above would
# have removed any earlier copy; assumed to be a mangle-table chain that
# logs and drops
$IPTABLES -t mangle -N log_drop
$IPTABLES -t mangle -A log_drop -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "log_drop: "
$IPTABLES -t mangle -A log_drop -j DROP

# stop spoofing from RFC 1918 addresses
for NET in $PRIV_NETS; do
    $IPTABLES -t mangle -A PREROUTING -s $NET -j log_drop
done

$IPTABLES -t mangle -N br_host
# send packets destined for bridge itself to proper chain
$IPTABLES -t mangle -A PREROUTING -d $BR_ADDR -j br_host

#--------------------------------------------------
# THE BRIDGE ITSELF
#--------------------------------------------------
#
# Not interface-specific: br_host
#
# accept established streams
$IPTABLES -t mangle -A br_host -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept certain classes of ICMP
for ICMP in 0 3 5 11; do
    $IPTABLES -t mangle -A br_host -p icmp -m icmp --icmp-type $ICMP -j ACCEPT
done

# Other rules:
# accept echo requests from library, admin nets
# accept NetBIOS name replies from our net
# accept broadcasts from local net
# silently deny from 0.0.0.0, since it also matches any address
# silently (unlogged) drop multicast
# silently (unlogged) drop stupid packets from local network
# reset identd requests

# initialize next two chains
$IPTABLES -t mangle -N br_ext
$IPTABLES -t mangle -N br_int

# packets entering on external interface to proper chain
$IPTABLES -t mangle -A br_host -i $EXT_IF -j br_ext
# packets entering on internal interface to proper chain
$IPTABLES -t mangle -A br_host -i $INT_IF -j br_int
# accept packets to bridge interface
$IPTABLES -t mangle -A br_host -i $BR_IF -j ACCEPT
# log & drop all else
$IPTABLES -t mangle -A br_host -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "br_host: "
# (the DROP the comment above asks for; without it a logged packet returns to
# PREROUTING and is accepted by the INPUT rule below)
$IPTABLES -t mangle -A br_host -j DROP

# postscript: INPUT must accept traffic destined for BR_ADDR
$IPTABLES -A INPUT -d $BR_ADDR -i $BR_IF -j ACCEPT

#
# External interface: br_ext
#
# accept all traffic from admin hosts
for ADDR in $BRIDGE_ADMINS; do
    $IPTABLES -t mangle -A br_ext -s $ADDR -j ACCEPT
done
# other rules specific to $EXT_IF
# log & drop all else
$IPTABLES -t mangle -A br_ext -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "br_ext: "
$IPTABLES -t mangle -A br_ext -j DROP

#
# Internal interface: br_int
#
# packets not on our 24 bits of network space shouldn't appear here
$IPTABLES -t mangle -A br_int -s ! $LOCAL_NET -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "br_int bad addr: "
$IPTABLES -t mangle -A br_int -s ! $LOCAL_NET -j DROP
# other rules specific to $INT_IF
# log & drop all else
$IPTABLES -t mangle -A br_int -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "br_int: "
$IPTABLES -t mangle -A br_int -j DROP

# Now would come rules for bridging/forwarding (FORWARD chain)

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
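An added example, not the poster's script and not from the Bridge project: it implements the four cases above in a way that does not depend on what '-i' reports. A frame the bridge hands up to the local IP stack reaches PREROUTING and INPUT with the bridge device as its input interface, which is why the '-i $EXT_IF' and '-i $INT_IF' rules in the posted script never match and everything lands on the '-i $BR_IF' rule. The port the frame actually arrived on is exposed by the physdev match ('-m physdev --physdev-in <port>', and '--physdev-out' for bridged traffic). The example assumes a 2.4 kernel carrying the bridge-nf patch and an iptables that has the physdev match (newer than the Potato-era packages in the post); the interface names, the RFC 5737 addresses, the admin host list and the chain names fw_in/fw_out are placeholders. With no argument it does a dry run and only prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's script.  Assumes a 2.4 kernel with the
# bridge-nf patch and an iptables that has the physdev match; interface
# names and addresses below are placeholders (RFC 5737 test networks).
#
# A frame the bridge hands to the local IP stack reaches PREROUTING/INPUT
# with the bridge device as its input interface, so "-i eth0"/"-i eth1"
# never match there.  The port it came in on is matched with
# "-m physdev --physdev-in <port>" instead, which keeps all four cases
# independent of whatever -i reports.

EXT_IF=eth1                   # port facing the outside (assumed)
INT_IF=eth0                   # port facing the inside (assumed)
BR_IF=br0                     # bridge device carrying the management address (assumed)
BR_ADDR=192.0.2.10            # management address of the bridge host (assumed)
LOCAL_NET=192.0.2.0/24        # the inside network (assumed)
BRIDGE_ADMINS="198.51.100.7"  # outside hosts allowed to manage the bridge (assumed)
IPTABLES=${IPTABLES:-iptables}

RATE="-m limit --limit 3/minute --limit-burst 3"

install_rules() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # one terminal chain per case
    for chain in br_ext br_int fw_in fw_out; do
        $IPTABLES -N $chain
    done

    # Case 3: to the bridge host, entered on the external port
    $IPTABLES -A INPUT -i $BR_IF -d $BR_ADDR -m physdev --physdev-in $EXT_IF -j br_ext
    # Case 4: to the bridge host, entered on the internal port
    $IPTABLES -A INPUT -i $BR_IF -d $BR_ADDR -m physdev --physdev-in $INT_IF -j br_int
    # Case 1: bridged, outside -> inside
    $IPTABLES -A FORWARD -m physdev --physdev-in $EXT_IF --physdev-out $INT_IF -j fw_in
    # Case 2: bridged, inside -> outside
    $IPTABLES -A FORWARD -m physdev --physdev-in $INT_IF --physdev-out $EXT_IF -j fw_out

    # br_ext: only the admin hosts may reach the bridge from outside
    for addr in $BRIDGE_ADMINS; do
        $IPTABLES -A br_ext -s $addr -j ACCEPT
    done
    # br_int: source must be on the local net; local hosts may ping the bridge
    $IPTABLES -A br_int -s ! $LOCAL_NET $RATE -j LOG --log-prefix "br_int bad addr: "
    $IPTABLES -A br_int -s ! $LOCAL_NET -j DROP
    $IPTABLES -A br_int -p icmp --icmp-type echo-request -j ACCEPT
    # fw_in / fw_out: site policy goes here; placeholder lets inside hosts browse
    $IPTABLES -A fw_out -s $LOCAL_NET -p tcp --dport 80 -j ACCEPT

    # all four chains are terminal: log and drop whatever was not accepted
    for chain in br_ext br_int fw_in fw_out; do
        $IPTABLES -A $chain $RATE -j LOG --log-prefix "$chain: "
        $IPTABLES -A $chain -j DROP
    done
}

# "apply" loads the rules (needs root); the default is a dry run that only
# prints the iptables commands so the rule set can be reviewed first.
case "${1:-dry-run}" in
    apply)   install_rules ;;
    dry-run) IPTABLES="echo iptables"; install_rules ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Two notes on the design. The '-s ! $LOCAL_NET' form is the negation syntax of the iptables generation in the post; current releases write '! -s'. And the '-i $BR_IF' on the two INPUT rules is there only for readability: the physdev match alone already pins the rule to the right port, so the rules keep working even if a later kernel reports the physical port in '-i' for locally delivered frames.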
