Hi there, I am trying to set up a bridging firewall on a debian woody server, so it can firewall certain windows servers at our ISP.
We got 32 ips or so, on one subnet, so I figured this was the right way
to do firewalling for those.
What I've done is this :
I patched the kernel without any errors. I tried this both on the stock
kernel from kernel.org and on the debian distributed
kernel-source-2.4.18 package.
I compiled a new kernel with both Network packet filtering support and
support for 802.1d Ethernet bridging and netfilter firewalling support
there.
So far so good.
With the new kernel, I have set up a testing environment with one Linux
box behind the bridge, attached with a cross-over cable into eth1 and
eth0 plugged into a switch with uplink to the switch that controls the
company network.
I added these lines in /etc/network/interfaces :
iface br0 inet static
address 192.168.200.200
network 192.168.200.0
broadcast 192.168.200.255
netmask 255.255.255.0
gateway 192.168.200.1
bridge_ports all
A very simple setup, described in the docs that come with the
bridge-utils deb package.
I've set up two forwarding iptables rules, taken from this mailing list
to allow forwarding between the two ethernet interfaces :
wp-fw-1:~# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
wp-fw-1:~#
When doing a brctl showmacs br0, I can see a few macs on interface 1
(going into the switch and the company network) and only one on
interface 2 - which is the mac address of interface 2 on the bridge -
_not_ the ethernet interface of the machine behind the bridge, which
triggers me. As far as I understand it this means that the bridge
doesn't know about that box - and thus can't forward any traffic to it.
I think this is the core of my problem.
In debian setting up the network interfaces is handled by the above
mentioned configuration file (/etc/network/interfaces), and as far as I
understand it isn't possible to set up the bridge without having an IP
due to this distribution specific thing. What I would like to do
eventually though, is to set the bridge up without an IP. How can this
be done in debian?
To eliminate the firewalling issues, I tried building a vanilla 2.4.18
kernel as well, with only bridging support - and no firewalling. Same
result.
Can anybody help?
--
Med venlig hilsen / Regards
Klaus Agnoletti
Junior Geek Engineer
Xenux - The Linux People
Bredgade 35A, 2.
1260 København K
Tel: +45 3315 8202
Fax: +45 3332 1832
http://www.xenux.dk
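An added example, not part of Klaus's post or of the bridge-utils package: the steps for bringing up the bridge with no IP address at all, done directly with brctl and ifconfig instead of through /etc/network/interfaces, together with a FORWARD chain that defaults to DROP and only lets the listed TCP ports through to the protected side. Interface names, the protected subnet and the port list are placeholders, and the state match assumes the bridge-nf patch gives connection tracking for bridged traffic, as the post's setup intends. The DRY_RUN switch only echoes the commands so the script can be read through on a box without root or the bridge modules; with the argument "apply" it runs them.

```shell
#!/bin/sh
# Added example (not from the original post): transparent bridge with no IP,
# plus a default-deny FORWARD policy. Assumes bridge-utils, iptables and a
# kernel with 802.1d bridging and the bridge-nf patch.
set -e

OUTER=${OUTER:-eth0}        # placeholder: port facing the switch / upstream
INNER=${INNER:-eth1}        # placeholder: port facing the protected servers
BRIDGE=${BRIDGE:-br0}
PROTECTED_NET=${PROTECTED_NET:-192.168.200.0/24}   # constructed placeholder
ALLOWED_TCP=${ALLOWED_TCP:-"80 443"}                # constructed placeholder

# run: execute a command, or just print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_up: join the two ports into one bridge; none of the three
# interfaces gets an address, they only need to be up
bridge_up() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUTER"
    run brctl addif "$BRIDGE" "$INNER"
    run ifconfig "$OUTER" 0.0.0.0 up
    run ifconfig "$INNER" 0.0.0.0 up
    run ifconfig "$BRIDGE" 0.0.0.0 up
}

# forward_policy: replace the accept-everything FORWARD rules from the post
# with a default DROP, then allow only replies to established connections and
# new connections to the listed ports on the protected subnet
forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # assumption: conntrack works on bridged frames with the bridge-nf patch
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything the protected servers start themselves
    run iptables -A FORWARD -s "$PROTECTED_NET" -j ACCEPT
    for p in $ALLOWED_TCP; do
        run iptables -A FORWARD -p tcp -d "$PROTECTED_NET" --dport "$p" -j ACCEPT
    done
}

# only touch the system when explicitly asked
if [ "${1:-}" = "apply" ]; then
    bridge_up
    forward_policy
fi
```

Usage: `DRY_RUN=1 sh bridge-fw.sh apply` to see the commands, `sh bridge-fw.sh apply` as root to run them. Because the bridge carries no address here, the firewall box itself is not reachable over the bridged segment, which is the usual goal of a transparent firewall; if it needs to be managed remotely, give it a separate interface for that. Whether the woody ifupdown accepts an address-less stanza is not something this example checks; newer ifupdown releases do it with `iface br0 inet manual` and the bridge_ports line from the post.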