This isn't a great teaching example, but it works for me (more or less identical bridge setup as you have below)
# ------------ a little setup --------------
# FLUSH those tables
iptables -t nat -F
iptables -F

# --------- some rules ---------------
# we take http and https traffic to and from just about anything
iptables -A FORWARD -p tcp --destination-port www -j ACCEPT
iptables -A FORWARD -p tcp --source-port www -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
iptables -A FORWARD -p tcp --source-port 443 -j ACCEPT

# we need to keep that email flowing
iptables -A FORWARD -p tcp --destination-port smtp -j ACCEPT
iptables -A FORWARD -p tcp --source-port smtp -j ACCEPT

# plus POP3!
iptables -A FORWARD -p tcp --destination-port pop-3 -j ACCEPT
iptables -A FORWARD -p tcp --source-port pop-3 -j ACCEPT

# dns is required to work
# FIXME : we have well defined DNS servers so requests from
# external hosts should be permitted only to those.
iptables -A FORWARD -p udp --destination-port 53 -j ACCEPT
iptables -A FORWARD -p udp --source-port 53 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 53 -j ACCEPT
iptables -A FORWARD -p tcp --source-port 53 -j ACCEPT

Basically, everything traverses the FORWARD chain. Since the bridge has no
length, you don't know which direction a packet is traveling, so you do
something like this:

# drop connections entering on eth1 from the named host (physdev gives the direction)
iptables -A FORWARD -m physdev -s www.wormspreader.com -p tcp --physdev-in eth1 -j DROP

Not a great example (not even tested, and I currently don't have any rules of
this nature, so I hope -m physdev is correct). But, anyway, it's supposed to
DROP an incoming tcp connection (assuming eth1 faces the internet) from
www.wormspreader.com.

Hope that helps some. I'm sure others will give you better examples.

-Gregg

On Thursday 17 March 2005 02:27 pm, Theodore Knab wrote:
> Hi,
>
> Does anyone have some transparent bridge iptables rules that I could use as
> an example?
>
> I have a Debian Sarge box running the 2.6.10 kernel that is acting as a
> transparent bridge.
>
> Currently, it is using EBTABLES. I want to rewrite my rules to use
> iptables.
>
> My bridge config looks like this:
>
> #!/bin/sh
> QWEST="eth1"
> INSIDE="eth2"
>
> /usr/sbin/brctl addbr br0
>
> /bin/echo "STP is only needed if there is more than one bridge"
> /bin/echo "turn off stp on br0"
> /usr/sbin/brctl stp br0 off
>
> /bin/echo "add $QWEST to virtual unit br0"
> /usr/sbin/brctl addif br0 $QWEST
>
> /bin/echo "add $INSIDE to virtual unit br0"
> /usr/sbin/brctl addif br0 $INSIDE
>
> /bin/echo "turning off and on reset bridge"
> /sbin/ifconfig br0 down
> /sbin/ifconfig br0 0.0.0.0 up
>
> --
> ------------------------------------------
> Ted Knab
> Chester, Maryland 21619 USA
> ------------------------------------------
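As an added example (not Gregg's or Ted's script), here is a direction-aware, stateful FORWARD ruleset for the same bridge: physdev tells iptables which side a frame came in on, and connection tracking admits replies so the port-only --source-port rules are not needed. It assumes eth1 is the outside and eth2 the inside interface of br0; the published-server addresses 192.0.2.10 and 192.0.2.53 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Gregg's or Ted's script: a direction-aware, stateful
# FORWARD policy for the bridge above (br0 = eth1 outside + eth2 inside).
# The published-server addresses are constructed placeholders.
# IPT defaults to echo so the rules are only printed; run with
# IPT=iptables as root to apply them.
IPT="${IPT:-echo}"

gen_rules() {
    outside="$1"   # interface facing the provider, e.g. eth1
    inside="$2"    # interface facing the LAN, e.g. eth2

    # iptables only sees bridged frames when br_netfilter is active:
    #   sysctl -w net.bridge.bridge-nf-call-iptables=1

    $IPT -F FORWARD
    $IPT -P FORWARD DROP       # default deny in both directions

    # replies for already-accepted flows, whichever way they cross, so no
    # --source-port rules are needed (those match on a port number only)
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # inside -> outside: LAN clients may open web, mail and DNS sessions
    for port in 80 443 25 110 53; do
        $IPT -A FORWARD -m physdev --physdev-in "$inside" --physdev-out "$outside" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -m physdev --physdev-in "$inside" --physdev-out "$outside" \
        -p udp --dport 53 -j ACCEPT

    # outside -> inside: only the published mail and DNS servers
    $IPT -A FORWARD -m physdev --physdev-in "$outside" --physdev-out "$inside" \
        -p tcp -d 192.0.2.10 --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$outside" --physdev-out "$inside" \
        -p udp -d 192.0.2.53 --dport 53 -j ACCEPT

    # everything else crossing the bridge is logged before the DROP policy
    $IPT -A FORWARD -m physdev --physdev-is-bridged -j LOG --log-prefix "bridge-drop: "
}

gen_rules "${1:-eth1}" "${2:-eth2}"
```

Run it first with the default IPT=echo and read the printed rules; the LOG rule at the end makes anything the policy drops visible in the kernel log, which is the quickest way to find a service the allow list is missing.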

