On Wed, Jan 30, 2002 at 12:34:17AM -0600, Chuck Bearden wrote:
> The problem: I want to filter packets for each of the following four
> cases such that the rules for each case are entirely independent of
> those for the other cases:
> Case 1: packets entering external interface, destined for host on inside
> Case 2: packets entering internal interface, destined for host on outside
> Case 3: packets entering external interface, destined for bridging host
> Case 4: packets entering internal interface, destined for bridging host
> I know I can handle cases 1 & 2 with the '-i' and '-o' flags on the
> FORWARD chain--the standard bridging firewall thing. But how do I
> filter packets destined for the address of the bridging host itself,
> applying different rules to each interface?
iptables -A INPUT -i eth0 -j LOG --log-prefix "coming from eth0 "
iptables -A INPUT -i eth1 -j LOG --log-prefix "coming from eth1 "
> David Whitmarsh's sample script
> (http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt) is
> interesting, but he only specifies his bridging interface (not either
> of the NICs) with '-i' in the rules governing traffic to his bridge.
If you specify '-i br0', it will match traffic from all subinterfaces (i.e.
the combined effect of '-i eth0', '-i eth1', etc.)
> Anyway, no packets from the outside ever match the br_ext or br_int
> rules, regardless of the interface they arrive on. All packets fall
> through to the '-i $BR_IF -j ACCEPT' rule.
What if you log the packets with a LOG rule? You should see something
like this in your log output: "IN=br0 PHYSIN=eth0".
cheers,
Lennert
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
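Putting the reply's two points together, here is an added example that is not code from the thread: a script that prints one rule set keeping the four cases separate, and a function that sorts netfilter LOG lines into those cases by their IN=/OUT=/PHYSIN=/PHYSOUT= fields. It assumes the thread's layout (br0 bridging eth0 outside and eth1 inside); the chain names and sample log lines are constructed.

```shell
# Added example, not from the list post. Assumes the layout of the thread:
# bridge br0 with eth0 as the external port and eth1 as the internal port.
EXT_IF=eth0
INT_IF=eth1
BR_IF=br0

# Print (not run) one rule set in which the four cases stay independent:
# cases 1 & 2 keyed on the ports in FORWARD, cases 3 & 4 on the port in INPUT.
# Under the bridge-nf patch of the thread '-i ethX' matches the physical port;
# later kernels need '-m physdev --physdev-in ethX' for the same match.
bridge_rules() {
    for chain in ext_to_int int_to_ext ext_to_bridge int_to_bridge; do
        echo "iptables -N $chain"
    done
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -j ext_to_int"  # case 1
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j int_to_ext"  # case 2
    echo "iptables -A INPUT -i $EXT_IF -j ext_to_bridge"            # case 3
    echo "iptables -A INPUT -i $INT_IF -j int_to_bridge"            # case 4
}

# Classify a netfilter LOG line by its IN=/OUT=/PHYSIN=/PHYSOUT= fields: print
# the case number, or "other" (e.g. packets the bridge host sends, empty IN=).
classify_log_line() {
    in_if=""; out_if=""; physin=""; physout=""
    for field in $1; do
        case $field in
            IN=*)      in_if=${field#IN=} ;;
            OUT=*)     out_if=${field#OUT=} ;;
            PHYSIN=*)  physin=${field#PHYSIN=} ;;
            PHYSOUT=*) physout=${field#PHYSOUT=} ;;
        esac
    done
    if [ "$in_if" = "$BR_IF" ] && [ "$out_if" = "$BR_IF" ]; then
        # Forwarded across the bridge: both sides show br0, the ports decide.
        if [ "$physin" = "$EXT_IF" ] && [ "$physout" = "$INT_IF" ]; then echo 1; return; fi
        if [ "$physin" = "$INT_IF" ] && [ "$physout" = "$EXT_IF" ]; then echo 2; return; fi
    elif [ "$in_if" = "$BR_IF" ] && [ -z "$out_if" ]; then
        # Delivered to the bridge host: IN=br0, empty OUT=, PHYSIN= gives the side.
        if [ "$physin" = "$EXT_IF" ]; then echo 3; return; fi
        if [ "$physin" = "$INT_IF" ]; then echo 4; return; fi
    fi
    echo other
}

# Constructed sample LOG lines in the shape of the thread's "IN=br0 PHYSIN=eth0".
LOG_CASE1='IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=22'
LOG_CASE3='coming from eth0 IN=br0 PHYSIN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP DPT=80'
LOG_CASE4='coming from eth1 IN=br0 PHYSIN=eth1 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=ICMP'
LOG_LOCAL='IN= OUT=br0 PHYSOUT=eth0 SRC=192.168.1.1 DST=203.0.113.7 PROTO=TCP DPT=443'
```

Feed real kernel log lines to classify_log_line to confirm each rule is hit by the traffic you expect before tightening the per-case chains.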