Argh, I found the error - one of my ethernet interfaces was partially defective.. That explains why the bridge didn't know of the machine behind the bridge itself :-)

I love this concept - I am SO thrilled that I made it work :-)))

/Klaus

On Fri, 2002-06-21 at 14:22, Klaus Agnoletti wrote:
> Hi there,
>
> I am trying to set up a bridging firewall on a Debian woody server, so it can firewall certain Windows servers at our ISP.
>
> We got 32 IPs or so, on one subnet, so I figured this was the right way to do firewalling for those.
>
> What I've done is this:
> I patched the kernel without any errors. I tried this both on the stock kernel from kernel.org and on the Debian distributed kernel-source-2.4.18 package.
> I compiled a new kernel with both Network packet filtering support and support for 802.1d Ethernet bridging and netfilter firewalling support there.
>
> So far so good.
>
> With the new kernel, I have set up a testing environment with one Linux box behind the bridge, attached with a cross-over cable into eth1 and eth0 plugged into a switch with uplink to the switch that controls the company network.
>
> I added these lines in /etc/network/interfaces:
>
> iface br0 inet static
>     address 192.168.200.200
>     network 192.168.200.0
>     broadcast 192.168.200.255
>     netmask 255.255.255.0
>     gateway 192.168.200.1
>     bridge_ports all
>
> A very simple setup, described in the docs that come with the bridge-utils deb package.
>
> I've set up two forwarding iptables rules, taken from this mailing list, to allow forwarding between the two ethernet interfaces:
>
> wp-fw-1:~# iptables -n -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> wp-fw-1:~#
>
> When doing a brctl showmacs br0, I can see a few MACs on interface 1 (going into the switch and the company network) and only one on interface 2 - which is the MAC address of interface 2 on the bridge - _not_ the ethernet interface of the machine behind the bridge, which triggers me. As far as I understand it, this means that the bridge doesn't know about that box - and thus can't forward any traffic to it.
>
> I think this is the core of my problem.
>
> In Debian, setting up the network interfaces is handled by the above mentioned configuration file (/etc/network/interfaces), and as far as I understand it isn't possible to set up the bridge without having an IP due to this distribution specific thing. What I would like to do eventually, though, is to set the bridge up without an IP. How can this be done in Debian?
>
> To eliminate the firewalling issues, I tried building a vanilla 2.4.18 kernel as well, with only bridging support - and no firewalling. Same result.
>
> Can anybody help?
>
>
> --
> Med venlig hilsen / Regards
>
> Klaus Agnoletti
> Junior Geek Engineer
>
> Xenux - The Linux People
> Bredgade 35A, 2.
> 1260 København K
> Tel: +45 3315 8202
> Fax: +45 3332 1832
> http://www.xenux.dk

--
Med venlig hilsen / Regards

Klaus Agnoletti
Junior Geek Engineer

Xenux - The Linux People
Bredgade 35A, 2.
1260 København K
Tel: +45 3315 8202
Fax: +45 3332 1832
http://www.xenux.dk
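The two checks the thread turns on can be scripted: whether `brctl showmacs` has learned the protected host on the inside port, and whether the FORWARD chain shown (policy ACCEPT plus two ACCEPT-all rules) filters anything at all. The script below is an added example, not code from the original mail; the sample outputs, port numbers and MAC addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a Linux bridging firewall from the output of
# `brctl showmacs br0` and `iptables -n -L FORWARD`. Sample outputs below are
# constructed; port numbers and MACs are assumptions, not values from the mail.

# Constructed showmacs output: port 1 faces the switch, port 2 the protected
# host. Port 2 lists only the bridge's own (local) MAC, which is the symptom
# described in the mail: the host behind the bridge has not been learned.
SAMPLE_SHOWMACS='port no  mac addr            is local?  ageing timer
  1      00:11:22:33:44:01   no           3.17
  1      00:11:22:33:44:02   no          12.40
  1      00:50:56:aa:bb:01   yes          0.00
  2      00:50:56:aa:bb:02   yes          0.00'

# Constructed FORWARD chain matching the rules in the mail: policy ACCEPT and
# two ACCEPT-all rules, so every frame crossing the bridge is forwarded.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# host_learned PORT MAC   (showmacs output on stdin)
# Exit 0 only if MAC appears as a learned (non-local) entry on PORT.
host_learned() {
    awk -v p="$1" -v m="$2" '
        NR > 1 && $1 == p && tolower($2) == tolower(m) && $3 == "no" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# forward_filters   (`iptables -n -L FORWARD` output on stdin)
# Exit 0 only if the chain can actually drop something: a DROP or REJECT
# rule, or a policy other than ACCEPT. Otherwise it is a plain bridge.
forward_filters() {
    awk '
        /^Chain FORWARD/ && $0 !~ /policy ACCEPT/ { ok = 1 }
        $1 == "DROP" || $1 == "REJECT"            { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Usage on a live bridge host (inside port and host MAC are assumptions):
#   brctl showmacs br0 | host_learned 2 00:aa:bb:cc:dd:ee \
#       || echo "protected host not learned on inside port"
#   iptables -n -L FORWARD | forward_filters \
#       || echo "FORWARD chain filters nothing"
```

Both functions read the command output on stdin, so they work on saved output as well as live `brctl`/`iptables` runs.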