---------- Original Message ----------------------------------
From: Michael Stopp <[EMAIL PROTECTED]>
Date: Thu, 18 Apr 2002 12:55:22 +0200

>Hi!
>
>I want to set up a linux bridge with firewalling capabilities.
>I downloaded the 2.4.18 kernel sources and the add-on patch for bridge
>firewalling from http://bridge.sourceforge.net/download.html.
>I configured and built a kernel with CONFIG_BRIDGE and CONFIG_BRIDGE_NF
>enabled, of course most of the netfilter options in make config are
>also enabled (I mainly left out some of the EXPERIMENTAL stuff).
>Kernel compiled nicely, I got the "Bridge firewalling registered"
>message on bootup.
>
>I configured the bridge according to the BRIDGE-STP-HOWTO and everything
>worked nicely up to this point.
>But when I try to configure iptables it doesn't have any effect. I
>created a chain with the same name as my bridge (again according to what
>the HOWTO and various newspostings suggested) but it doesn't seem to
>catch any packets.
>I tried some really basic accounting rules like
>
>iptables -A br0 -s 0.0.0.0 -d 0.0.0.0
>
>But if I do 'iptables -vL' the packet and byte counts for this rule are
>always zero.
>However the counts for the FORWARD chain go up when there's any network
>traffic passing the bridge, but I can't define a rule that catches
>any packets in this chain either.
>What am I doing wrong? Did I miss something important? Any hints, ideas,
>suggestions will be highly appreciated.
>Thanks!
>
>Michael Stopp
>

Yes, the netfilter-bridge no longer uses a chain of the same name as the bridge interface. It uses the same INPUT/FORWARD/OUTPUT chains as normal.

To filter packets coming into the bridge (and stopping there, not going through to other destinations), use the INPUT chain. FORWARD is for packets going through, and OUTPUT is for packets originating at the bridge, just like a normal firewall.

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
