Hello! I have a bridge setup on a debian testing box, with the bridge-nf and ebtables patches against 2.4.20.

The bridge itself works fine, but I'm fairly confused about behaviour I'm witnessing when I apply iptables rules. The ip of the bridge br0 is 10.0.0.50. It contains two interfaces, a router on one side (10.0.0.35), and a small LAN on the other, the only machine in use on that LAN being 10.0.0.52.

The situation is this: On the bridge, all iptables chains are empty, and their counters are set to zero. On the router, I run a portscan against the bridge, the command looks like:

    nmap -sS -v -n -p 1-1024 10.0.0.50

On the bridge I then run iptables -L, and the counters on the chains look like:

    INPUT chain   1030
    OUTPUT chain  1026
    FORWARD chain 0

So far so good. If I then add the following rule and zero all the counters:

    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

and run the portscan again, the counters on the bridge now look like:

    INPUT   1 accept, and next to the -j REJECT rule it says 1025 reject
    FORWARD 1025 accept
    OUTPUT  1 accept

By adding a -j LOG rule to the forward chain, I know all the packets traversing the forward chain are reply packets to the incoming scan. If I then clear the -j REJECT rule, the traffic reverts back to going in and out the INPUT and OUTPUT chain.

So my question is: Is this normal behaviour? And if it is, is it simply a case of having to adjust my ruleset to compensate for the fact you can't predict whether packets originating from the bridge will leave out the OUTPUT or the FORWARD chains?

Thanks!
Helen

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
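One way to turn the manual counter comparison described in the post into a repeatable check, added here as an example that is not part of the original message: the script parses the output of `iptables -L -v -n -x` (the listing layout is assumed to be the standard one, with a "Chain NAME (policy ...)" header, a column-header line and one line per rule; every rule is assumed to have a target) and reports per-chain packet totals, how many packets hit a REJECT rule in INPUT, and whether the box's own reply traffic was counted in OUTPUT or FORWARD. The embedded listing is a constructed sample using the same numbers as the second scan in the post.

```python
"""Summarise per-chain packet counters from an `iptables -L -v -n -x` listing.

Added example, not code from the mailing-list post. Assumptions: the listing
uses the standard layout (chain header, column header, one rule per line) and
every rule line carries a target in the third column.
"""
import re
from dataclasses import dataclass, field

# "Chain INPUT (policy ACCEPT 1 packets, 60 bytes)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# " 1025 61500 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset"
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")

# Constructed sample: the counters after the second nmap run in the post
# (INPUT: 1 policy-accepted + 1025 rejected, FORWARD: 1025, OUTPUT: 1).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1025      61500 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset

Chain FORWARD (policy ACCEPT 1025 packets, 41000 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int                              # packets that fell through to the policy
    rules: list = field(default_factory=list)     # (pkts, target, proto) per rule

    def total_pkts(self) -> int:
        """All packets that traversed this chain: rule hits plus policy hits."""
        return self.policy_pkts + sum(p for p, _, _ in self.rules)


def parse_iptables_listing(text: str) -> dict:
    """Return {chain_name: Chain} from an `iptables -L -v -n -x` listing."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, pkts, _bytes = m.groups()
            current = Chain(name, policy, int(pkts))
            chains[name] = current
            continue
        stripped = line.strip()
        # Skip blank lines and the column-header line that follows each chain header.
        if current is None or not stripped or stripped.startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            pkts, _bytes, target, proto = m.groups()
            current.rules.append((int(pkts), target, proto))
    return chains


def chain_totals(chains: dict) -> dict:
    """Per-chain packet totals, the numbers one compares by hand after a scan."""
    return {name: c.total_pkts() for name, c in chains.items()}


def reject_hits(chains: dict, chain: str = "INPUT") -> int:
    """Packets counted against REJECT rules in the given chain."""
    return sum(p for p, target, _ in chains[chain].rules if target == "REJECT")


def reply_chain(chains: dict) -> str:
    """Which chain carried more of the box's own traffic, FORWARD or OUTPUT.

    On a plain (non-bridging) host, locally generated replies are expected in
    OUTPUT; a FORWARD total that exceeds OUTPUT is the symptom worth checking.
    """
    fwd = chains["FORWARD"].total_pkts()
    out = chains["OUTPUT"].total_pkts()
    return "FORWARD" if fwd > out else "OUTPUT"


if __name__ == "__main__":
    parsed = parse_iptables_listing(SAMPLE_LISTING)
    for name, total in chain_totals(parsed).items():
        print(f"{name:8s} {total}")
    print("REJECT hits in INPUT:", reject_hits(parsed))
    print("reply traffic seen mostly in:", reply_chain(parsed))
```

To use it on a live box, pipe the listing in instead of the sample, e.g. `iptables -L -v -n -x | python3 thisscript.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; the `-x` flag keeps the counters as exact integers rather than the `K`/`M` abbreviations the parser does not handle.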
