> ---------- Original Message ----------------------------------
> From: Michael Stopp <[EMAIL PROTECTED]>
> Date: Thu, 18 Apr 2002 12:55:22 +0200
>
>> Hi!
>>
>> I want to set up a Linux bridge with firewalling capabilities.
>> I downloaded the 2.4.18 kernel sources and the add-on patch for bridge
>> firewalling from http://bridge.sourceforge.net/download.html.
>> I configured and built a kernel with CONFIG_BRIDGE and CONFIG_BRIDGE_NF
>> enabled; of course most of the netfilter options in make config are
>> also enabled (I mainly left out some of the EXPERIMENTAL stuff).
>> The kernel compiled nicely, and I got the "Bridge firewalling registered"
>> message on bootup.
>>
>> I configured the bridge according to the BRIDGE-STP-HOWTO and everything
>> worked nicely up to this point.
>> But when I try to configure iptables it doesn't have any effect. I
>> created a chain with the same name as my bridge (again according to what
>> the HOWTO and various news postings suggested) but it doesn't seem to
>> catch any packets.
>> I tried some really basic accounting rules like
>>
>> iptables -A br0 -s 0.0.0.0 -d 0.0.0.0
>>
>> But if I do 'iptables -vL' the packet and byte counts for this rule are
>> always zero.
>> However, the counts for the FORWARD chain go up when there's any network
>> traffic passing the bridge, but I can't define a rule that catches
>> any packets in this chain either.
>> What am I doing wrong? Did I miss something important? Any hints, ideas,
>> suggestions will be highly appreciated.
>> Thanks!
>>
>> Michael Stopp
>>
>
> Yes, the netfilter-bridge no longer uses a chain of the same name as the
> bridge interface. It uses the same INPUT/FORWARD/OUTPUT chains as normal.
> To filter packets coming into the bridge (and stopping there, not going
> through to other destinations), use the INPUT chain. FORWARD is for packets
> going through, and OUTPUT is for packets originating at the bridge, just
> like a normal firewall.

Thanks for your thoughts, but maybe I wasn't clear enough about this: I
had noticed that the br0 chain obviously didn't work as described in the
BRIDGE-STP-HOWTO, so I tried the INPUT, FORWARD and OUTPUT chains as well,
but without any difference whatsoever. The only thing that had any effect
so far was to set the policy for the FORWARD chain to DROP. In that case
everything was blocked (as expected...). But if I then add a rule which
accepts everything, it still blocks everything.
Just checked whether there are any strange logfile entries, but everything
looks fine there.
Where can I even begin to search?! (Sorry, but I'm getting a bit frustrated
after having spent days trying to get this to work...)

-Michael

-- 
Michael Stopp ([EMAIL PROTECTED])
EYE Communications AG (http://www.eye.ch)
Emil Frey-Strasse 85 - CH-4142 Muenchenstein - Switzerland
Phone: +41 (0)61 416 91 81 - Fax: +41 (0)61 416 91 80
=== Why is the word abbreviation so long? ===

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
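One detail of the accounting rule quoted in the thread is worth checking independently of the bridge patch: iptables treats an IPv4 address given without a mask as a single host, so `-s 0.0.0.0 -d 0.0.0.0` means `0.0.0.0/32` on both sides and matches only packets from and to host 0.0.0.0, not ordinary bridged traffic; `-s 0/0 -d 0/0` (or simply omitting `-s` and `-d`) matches everything. The script below is an added example, not part of the mailing-list thread and not iptables or bridge-project code: it models netfilter's chain traversal in Python (per-rule packet/byte counters, terminating targets, chain policy) over a constructed sample of bridged packets, and runs the rule as posted next to its any-address form, followed by the FORWARD-policy-DROP-plus-accept-everything case. The helper names (`parse_addr`, `Chain`, `compare_accounting_rules`, `drop_policy_with_accept_rule`) and the sample addresses are this example's own. In the model the accept rule is honoured as the reply describes; the report that it still blocked everything is a kernel-side symptom that this userland model does not reproduce.

```python
# Added example: a small model of iptables address matching and chain traversal.
# Not iptables itself; the rule parser supports only -s, -d and -j.
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_addr(spec: str) -> ipaddress.IPv4Network:
    """Apply iptables' convention: a bare address is one host (/32); "0/0" means any."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.IPv4Network(spec, strict=False)


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: Optional[str]   # None: accounting-only rule, no -j given
    packets: int = 0
    nbytes: int = 0

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


@dataclass
class Chain:
    name: str
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)
    policy_packets: int = 0

    def append(self, argv: str) -> Rule:
        """Parse the tail of an iptables command, e.g. "-s 0/0 -d 0/0 -j ACCEPT"."""
        args = shlex.split(argv)
        src = dst = parse_addr("0/0")   # iptables default when -s/-d are omitted: any
        target = None
        for flag, val in zip(args[0::2], args[1::2]):
            if flag == "-s":
                src = parse_addr(val)
            elif flag == "-d":
                dst = parse_addr(val)
            elif flag == "-j":
                target = val
            else:
                raise ValueError(f"unsupported match {flag!r}")
        rule = Rule(src, dst, target)
        self.rules.append(rule)
        return rule

    def traverse(self, src: str, dst: str, length: int) -> str:
        """Walk the chain like netfilter: count every matching rule, stop at a terminating target,
        fall through to the chain policy otherwise."""
        for rule in self.rules:
            if rule.matches(src, dst):
                rule.packets += 1
                rule.nbytes += length
                if rule.target in TERMINATING:
                    return rule.target
        self.policy_packets += 1
        return self.policy


# Constructed sample of bridged traffic: (src, dst, frame length in bytes).
SAMPLE_TRAFFIC = [
    ("192.168.1.10", "192.168.1.20", 1514),
    ("192.168.1.20", "192.168.1.10", 66),
    ("10.0.0.5", "192.168.1.20", 590),
]


def compare_accounting_rules() -> dict:
    """Run the rule as posted and its any-address form against the same traffic."""
    forward = Chain("FORWARD")
    as_posted = forward.append("-s 0.0.0.0 -d 0.0.0.0")   # host 0.0.0.0/32 on both sides
    any_to_any = forward.append("-s 0/0 -d 0/0")         # 0.0.0.0/0: every packet
    for src, dst, length in SAMPLE_TRAFFIC:
        forward.traverse(src, dst, length)
    return {
        "as_posted": (as_posted.packets, as_posted.nbytes),    # (0, 0): never matches
        "any_to_any": (any_to_any.packets, any_to_any.nbytes),  # counts all three frames
        "policy": forward.policy_packets,                       # neither rule terminates
    }


def drop_policy_with_accept_rule() -> list:
    """FORWARD policy DROP plus an accept-everything rule: the rule decides first in this model."""
    forward = Chain("FORWARD", policy="DROP")
    forward.append("-s 0/0 -d 0/0 -j ACCEPT")
    return [forward.traverse(src, dst, n) for src, dst, n in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    print(compare_accounting_rules())
    print(drop_policy_with_accept_rule())
```

On a real box the equivalent check is `iptables -vnL FORWARD`: a rule listed with source `0.0.0.0` (host) will stay at zero, while one listed as `0.0.0.0/0` accumulates the same counts as the chain itself.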
