I've been subscribed to this list (and the ebTables one) for some months, and although I was able to use the bridge functionality very quickly, I have procrastinated long & hard over implementing my bridging-firewall because I found ipTables so intimidating.
Last night, however, I finally buckled down with a copy of the ipTables man page & started analysing David "Sparkle" Whitmarsh's firewall script at http://tinyurl.com/ftsa . My setup & requirements may be slightly different to his, however, and I am using this as a learning opportunity to understand how to configure ipTables for myself, as editing the sample script naively has proved unsuccessful. I consequently have some questions, which I hope some folks can clarify for me.

Since I have a simple configuration with the ADSL modem-router-bridge on eth1 & the LAN on eth0, what I want to do is filter largely on the physical interface - anything on eth0 is considered safe & is allowed out to the world (or to connect to the bridging machine); anything on eth1 is considered harmful unless I know otherwise. I obviously want to let replies from the Internet on eth1 into my LAN, but also ports 80, 53, ftp, BitTorrent, Gnutella &c (at least to selected machines).

It confuses me how ipTables is able to distinguish between the physical interface & the br0 interface, but these rules:

# iptables -A FORWARD -i eth1 -j LOG --log-prefix "Stuff in: "
# iptables -A FORWARD -i eth0 -j LOG --log-prefix "Stuff out: "

produce the following output when I ping a device across the bridge:

Jul 2 15:12:15 gentoo kernel: Stuff in: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.9 DST=192.168.1.70 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=1787 SEQ=2
Jul 2 15:12:16 gentoo kernel: Stuff out: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=192.168.1.70 DST=192.168.1.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37096 PROTO=ICMP TYPE=8 CODE=0 ID=1787 SEQ=3

Consequently I believe it is possible to do all my filtering on the basis of the iptables -i parameter. Is this correct..? Any comments..?
In his script (URL as above), Whitmarsh has the line:

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "

Can someone please explain what this is for..? It seems to add to the default (ie: filter) table a rule to log up to 3 times per minute all packets which have not been accepted (or otherwise handled) by previous rules. I don't really understand this, or the statement in the ipTables man page:

"[-m limit]... can be used in combination with the LOG target to give limited logging, for example"

Is it saying we want to log only SOME of the packets which we are firewalling out, to save our logs getting too crowded..?

Whitmarsh also adds this chain to his forward table, thusly:

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# Bad TCP packets we don't want
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p TCP -j tcp_packets

Am I misreading the syntax, or is the "new not syn" line redundant..? Surely that has been handled by the previous line..? What is wrong with "new not syn" packets that we might wish to drop them, and what would they be used for..?

Finally (I think!) I have just counted 9 devices (PCs, a laptop, Unix boxen and a networked printer) that might have IP addresses on my LAN. I have been allocated a mask 255.255.255.248 (/29 ?) subnet by my ISP, of which I am currently using only 1 IP address, NATted by my ADSL router. Once I get this firewall functioning, it is my intention to switch the firewall to "bridging mode" and to allocate real-world IP addresses to my workstation, server &c. Is it easily possible to also NAT on a bridging-firewall, so that private IP addresses can be allocated to the other machines..?
How do I achieve this, please..? My apologies for the length & verbosity of this posting. I am much indebted for your bandwidth & thank the list in advance for any replies that may be forthcoming. Stroller. _______________________________________________ Bridge mailing list [EMAIL PROTECTED] http://www.math.leidenuniv.nl/mailman/listinfo/bridge
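Added worked example (editor's addition; this is not code from Stroller's post nor from Whitmarsh's script). It takes three of the questions above and works them through offline in Python, so the behaviour can be seen without a bridge or root: (1) on a bridge the LOG target reports IN=br0/OUT=br0 and puts the physical ports in PHYSIN=/PHYSOUT=, so a parser keyed on PHYSIN recovers the "which cable did this arrive on" decision; (2) `-m limit --limit 3/minute --limit-burst 3` behaves as a token bucket, and simulating it shows which packets of a burst actually reach the log; (3) a "NEW but not SYN" TCP packet is one that belongs to no tracked connection yet is not a connection-opening SYN, shown with a deliberately minimal stand-in for conntrack. Assumptions: eth0 is the LAN side and eth1 the ADSL side, as in the post; the two ICMP log lines are the ones quoted in the post, the TCP log lines are constructed; `MiniConntrack` is a toy, not the kernel's real state machine.

```python
"""Editor's added example: bridged iptables LOG lines, -m limit, NEW+!SYN."""
import re

LAN_PORT, WAN_PORT = "eth0", "eth1"   # assumption, matching the post's layout

# First two lines are quoted from the post; the TCP lines are constructed.
SAMPLE_LOG = [
    "Jul 2 15:12:15 gentoo kernel: Stuff in: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 "
    "SRC=192.168.1.9 DST=192.168.1.70 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=ICMP "
    "TYPE=0 CODE=0 ID=1787 SEQ=2",
    "Jul 2 15:12:16 gentoo kernel: Stuff out: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 "
    "SRC=192.168.1.70 DST=192.168.1.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37096 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1787 SEQ=3",
    # constructed: a SYN from the Internet side opening a connection to port 80
    "Jul 2 15:13:01 gentoo kernel: Stuff in: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 "
    "SRC=203.0.113.5 DST=192.168.1.70 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    # constructed: a bare ACK for a connection the firewall never saw a SYN for
    "Jul 2 15:13:02 gentoo kernel: Stuff in: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 "
    "SRC=198.51.100.7 DST=192.168.1.70 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=9 DF PROTO=TCP "
    "SPT=55555 DPT=443 WINDOW=1024 RES=0x00 ACK URGP=0",
]


def parse_ipt_log(line):
    """Split a kernel LOG line into its --log-prefix, KEY=VALUE fields and bare flags."""
    m = re.search(r"kernel: (.*?)(IN=.*)$", line)
    if not m:
        raise ValueError("not an iptables LOG line")
    rec = {"prefix": m.group(1).strip(), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            while k in rec:          # ICMP echo lines carry a 2nd ID= (echo id): keep as ID_
                k += "_"
            rec[k] = v
        else:
            rec["flags"].add(tok)    # DF, SYN, ACK, ...
    return rec


def physical_direction(rec):
    """On a bridge IN/OUT are br0; the real ingress port is PHYSIN."""
    if rec.get("IN") != "br0" or "PHYSIN" not in rec:
        return "not-bridged"
    return {WAN_PORT: "from-internet", LAN_PORT: "from-lan"}.get(rec["PHYSIN"], "unknown")


class LimitMatch:
    """Token-bucket model of `-m limit --limit R/minute --limit-burst B`.

    Starts with B credits, earns one every 60/R seconds (capped at B); each
    match spends one. A rule using this match only fires while credit remains.
    """
    def __init__(self, rate_per_minute, burst):
        self.interval = 60.0 / rate_per_minute
        self.burst, self.credit, self.last = burst, float(burst), None

    def match(self, now):
        if self.last is not None:
            self.credit = min(self.burst, self.credit + (now - self.last) / self.interval)
        self.last = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def logged_subset(timestamps, rate_per_minute=3, burst=3):
    """Which packets (arriving at the given seconds) would the LOG rule record?"""
    lim = LimitMatch(rate_per_minute, burst)
    return [lim.match(t) for t in timestamps]


class MiniConntrack:
    """Toy stand-in for conntrack: a flow is known once a bare SYN was seen."""
    def __init__(self):
        self.flows = set()

    def tcp_state(self, rec):
        key = frozenset({(rec["SRC"], rec["SPT"]), (rec["DST"], rec["DPT"])})
        if key in self.flows:
            return "ESTABLISHED"
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            self.flows.add(key)      # a SYN is NEW, but from now on the flow is tracked
        return "NEW"


def is_new_not_syn(rec, ct):
    """What `-p tcp ! --syn -m state --state NEW` matches: untracked, yet not a SYN."""
    return rec.get("PROTO") == "TCP" and ct.tcp_state(rec) == "NEW" and "SYN" not in rec["flags"]


def classify_log(lines):
    ct = MiniConntrack()
    out = []
    for line in lines:
        rec = parse_ipt_log(line)
        nns = is_new_not_syn(rec, ct) if rec.get("PROTO") == "TCP" else None
        out.append((rec["prefix"], physical_direction(rec), rec.get("PROTO"), nns))
    return out


if __name__ == "__main__":
    for row in classify_log(SAMPLE_LOG):
        print(row)
    print(logged_subset([0, 0, 0, 0, 0, 20, 21, 60]))
```

The limit simulation with five packets at t=0 then one each at 20 s, 21 s and 60 s shows the burst of three being logged, the next two silently dropped, and logging resuming only as credit refills at one per 20 s. The fourth sample line is the kind of packet the "New not syn" rule catches: a mid-stream ACK (or RST/FIN) with no tracked connection behind it, which is what you see after the firewall lost its state table or from ACK/FIN-style scans.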
