Title: RE: [Bridge] bridge forward issue
I'm able to place rules on the INPUT and OUTPUT chains...and they do take effect, but not for any packets that are forwarded, even with the bridge_interface command. If I use the
 
iptables -A INPUT -i br0 -p icmp -j DROP
 
command, for instance, I'm prevented from pinging the bridge itself, but not from pinging the router on the other side. If I place a rule on the OUTPUT chain, it will prevent me from pinging any hosts from the bridge itself. But neither will affect pinging devices across the bridge, which is the whole point of being able to do this stuff.
 
I'm upgrading my kernel...I've heard that the latest kernel has the bridging code built in, along with ebtables, right? And hell, it can't hurt to start from scratch again.
 
eol,
 
Reed
 

reed wiedower
[EMAIL PROTECTED]
peyser.com
202.638.3730x115

-----Original Message-----
From: Brett Carroll [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 4:41 PM
To: Reed Wiedower; [EMAIL PROTECTED]
Subject: Re: [Bridge] bridge forward issue

I don't know why the FORWARD chain is not getting tagged.
I have many rules associated with the FORWARD chain and they all show up in iptables with many hits.
You can place your rules on the INPUT chain and use the interface of the bridge (which I also have for some rules)..
Both ways work fine for my setup.
 
iptables -A INPUT -i <bridge_int> -p icmp -j DROP
 
iptables -A FORWARD -p icmp -j DROP
 
Brett Carroll
Network Administrator
WireFire Internet Service
Parkersburg, West Virginia
----- Original Message -----
Sent: Thursday, January 09, 2003 4:14 PM
Subject: RE: [Bridge] bridge forward issue

Yeah, even if I set the default policy for the entire FORWARD chain to be DROP, it doesn't record any packets traversing it. I just tried your method and it, too, didn't record any
 
In October, someone suggested a link to paper written by the guy who's in charge of ebtables, but the paper itself didn't describe any particular solutions to this problem.
 
 
Chain INPUT (policy ACCEPT 1146 packets, 114630 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  any    any     anywhere             anywhere
 
Chain OUTPUT (policy ACCEPT 1432 packets, 99730 bytes)
    pkts      bytes target     prot opt in     out     source               destination
No traffic of any kind.
Thoughts?
 
eol,
 
Reed

reed wiedower
[EMAIL PROTECTED]
peyser.com
202.638.3730x115

-----Original Message-----
From: Bob McDowell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 4:18 PM
To: Reed Wiedower
Subject: RE: [Bridge] bridge forward issue

Can you set a 'DROP' rule for some type of traffic on the 'FORWARD' chain and test to see that dropping works?  E.g.:

A <---> Firewall/Bridge <---> C

iptables -A FORWARD -p icmp -j DROP

then from A - ping C
and from C - ping A

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Reed Wiedower
Sent: Thursday, January 09, 2003 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: [Bridge] bridge forward issue


I recently rolled a custom kernel after applying the bridge patch, and setup
an ethernet bridge on my network between the LAN and the router. So far, so
good. All the clients can get to the router and vice-versa, so I was ready
to begin implementing some firewall rules through iptables.

When I look through iptables, however, I'm confused by the output. It shows
a great deal of packets traversing the INPUT and OUTPUT chains, but none
crossing the FORWARD chain. Since the box itself isn't running any services,
I assumed that all of the packets being sent from our LAN out to the router
would traverse the FORWARD chain, and so I'd need to edit that through
iptables.

1) Am I wrong about which chain the packets are traversing? Curiously, even
the total number of packets crossing the wire seems far lower in iptables
than when I query ifconfig.

2) If the FORWARD chain isn't showing any packets across it, is my bridge
improperly functioning? I suspect that the issue is with iptables rather
than the bridging portion of things, but I want to eliminate any variables.

Thanks for any help anyone can provide!

eol,

Reed Wiedower

reed wiedower
[EMAIL PROTECTED]
peyser.com
202.638.3730x115

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
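An added diagnostic, not part of the thread above nor of the bridge project, that parses `iptables -L -v` output such as the counters Reed posted and flags the symptom the thread is about: INPUT and OUTPUT accumulating hits while FORWARD stays at zero on a box that runs no local services. It assumes the behaviour of current kernels, which the thread does not state: bridged IPv4 frames are only handed to the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1. The sample text is constructed from the thread; `diagnose_bridge`, `bridge_nf_state` and `live_bridge_nf_state` are names chosen for this example.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the counters Reed posted in the thread (iptables -L -v output).
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 1146 packets, 114630 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1432 packets, 99730 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""

# Built-in chains print "policy X N packets, M bytes"; user chains print "N references".
_CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, (\S+) bytes|(\d+) references)\)"
)
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(tok: str) -> int:
    """Without -x, iptables -L -v abbreviates large counters (12K, 3M)."""
    if tok and tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    policy_pkts: int               # packets that fell through to the chain policy
    rules: List[Tuple[int, str]] = field(default_factory=list)  # (pkts, rule text)

    @property
    def total_pkts(self) -> int:
        return self.policy_pkts + sum(p for p, _ in self.rules)


def parse_iptables_lv(text: str) -> Dict[str, Chain]:
    """Parse `iptables -L -v` text into chains with per-rule packet counters."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            policy, ppkts = m.group(2), m.group(3)
            current = Chain(m.group(1), policy, parse_count(ppkts) if ppkts else 0)
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank separator or the column header line
        pkts, _bytes, rest = line.split(None, 2)
        current.rules.append((parse_count(pkts), rest))
    return chains


def diagnose_bridge(chains: Dict[str, Chain]) -> str:
    """Classify the counter pattern from the thread.

    A transparent bridge that runs no local services should see nearly all of its
    traffic in FORWARD.  Hits on INPUT/OUTPUT with FORWARD stuck at zero means the
    frames are switched at layer 2 and never reach the IP netfilter hooks that
    iptables attaches to.
    """
    fwd = chains.get("FORWARD")
    if fwd is None:
        return "no FORWARD chain found"
    local = sum(c.total_pkts for n, c in chains.items() if n in ("INPUT", "OUTPUT"))
    if fwd.total_pkts == 0 and local > 0:
        return "bridged traffic bypasses FORWARD (only host-local traffic hits iptables)"
    return "FORWARD is seeing traffic"


# Assumption (current kernels, not stated in the thread): bridged IPv4 frames reach
# the iptables FORWARD chain only when br_netfilter is loaded and this sysctl is 1.
BRIDGE_NF_SYSCTL = "/proc/sys/net/bridge/bridge-nf-call-iptables"


def bridge_nf_state(proc_text: Optional[str]) -> str:
    """Interpret the sysctl file contents; None means the file is absent, i.e.
    br_netfilter is not loaded, so iptables never sees bridged frames."""
    if proc_text is None:
        return "br_netfilter not loaded: modprobe br_netfilter and set bridge-nf-call-iptables=1"
    if proc_text.strip() == "1":
        return "enabled"
    return "disabled: set net.bridge.bridge-nf-call-iptables=1"


def live_bridge_nf_state() -> str:
    """Read the real sysctl on this host (meaningful only on a Linux bridge box)."""
    if not os.path.exists(BRIDGE_NF_SYSCTL):
        return bridge_nf_state(None)
    with open(BRIDGE_NF_SYSCTL) as f:
        return bridge_nf_state(f.read())


if __name__ == "__main__":
    print(diagnose_bridge(parse_iptables_lv(SAMPLE_OUTPUT)))
    print(live_bridge_nf_state())
```

Run it on the bridge itself after `iptables -L -v -n -x` to avoid the K/M abbreviations; on the sample from the thread it reports that bridged traffic is bypassing FORWARD, which is exactly why rules bound to INPUT with `-i br0` only affect pings to the bridge itself and not pings across it.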
