bridge-nf

Nigel Wade nmw at ion.le.ac.uk
Wed Mar 17 11:22:17 UTC 2004


Ryan Rothert wrote:
> Will do tomorrow, the box isn't online right now.  So am I to assume the
> bridge firewall patch is already in the Fedora kernel?
> I've been looking at the kernel src.rpm and haven't seen it yet.    Again, I
> do have bridging working, it's just that iptables is not working with the
> bridge interface ...
> 

The bridging firewall worked with the stock RH 7.2 kernel, so I assume it's 
still ok ;-)

Don't forget you have 3 interfaces when running a bridge. There's eth0 and 
eth1 for bridging the ethernet, and the bridge interface itself (in your 
case br0) for communicating with the host acting as the bridge. You don't 
want to forget to set up INPUT/OUTPUT rules for br0 or the firewall device is 
wide open to attack.

INPUT rules apply to packets entering br0, OUTPUT rules apply to packets 
leaving br0 and FORWARD rules apply to packets traversing the bridge from 
eth0->eth1 and eth1->eth0.

As to your original rules:

 >> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -j ACCEPT

this will accept any packet being forwarded from eth0 to eth1 regardless (I 
hope eth0 is your internal interface).

 >> iptables -A FORWARD --in-interface eth1 --out-interface eth0 -p tcp -s 10.0.0.1 -d 192.168.1.5 -j DROP

this will drop any packet inbound from 10.0.0.1 to 192.168.1.5.

Finally,

 >> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -d \! 192.168.1.5 -j REJECT

I think will reject any outbound packet not destined for 192.168.1.5 (I'm 
not sure what the effect of the ! following a \ will be), but you already 
accept all packets from eth0->eth1 above so this has no effect. Also, from 
the second rule it appears 192.168.1.5 is on the internal network so it 
doesn't make any sense to me unless you are trying to keep packets destined 
for this host which originate on the eth0 segment from appearing on the eth1 
segment.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
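To make the rule-ordering point concrete (the FORWARD chain is first-match, so the final REJECT behind the blanket ACCEPT can never fire), here is an added Python model of the three rules as quoted in the thread. It is not part of the original mail; the sample packets are constructed, and `-d ! host` is modelled as a plain negated destination match, which is how the reply reads it.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:  # constructed sample packet as the FORWARD chain sees it
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str

@dataclass
class Rule:  # one FORWARD rule; None means that match is unspecified (wildcard)
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dst_negate: bool = False  # models "-d ! 192.168.1.5"

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.in_if, p.in_if), (self.out_if, p.out_if),
                           (self.proto, p.proto), (self.src, p.src)):
            if want is not None and want != have:
                return False
        # a negated destination matches every host except the named one
        return self.dst is None or (p.dst == self.dst) != self.dst_negate

def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

def dead_rules(chain: List[Rule], samples: List[Packet]) -> List[int]:
    """Indices of rules that no sample packet ever reaches (shadowed by an earlier rule)."""
    hit = {next((i for i, r in enumerate(chain) if r.matches(p)), None) for p in samples}
    return [i for i in range(len(chain)) if i not in hit]

# The three FORWARD rules from the thread, in the order they were posted.
ACCEPT_ALL_OUT = Rule("ACCEPT", in_if="eth0", out_if="eth1")
DROP_ONE_IN = Rule("DROP", "eth1", "eth0", "tcp", "10.0.0.1", "192.168.1.5")
REJECT_OTHER = Rule("REJECT", "eth0", "eth1", dst="192.168.1.5", dst_negate=True)
AS_POSTED = [ACCEPT_ALL_OUT, DROP_ONE_IN, REJECT_OTHER]
REORDERED = [DROP_ONE_IN, REJECT_OTHER, ACCEPT_ALL_OUT]  # specific rules before the blanket ACCEPT
SAMPLES = [Packet("eth0", "eth1", "tcp", "192.168.1.10", "10.0.0.9"),     # outbound, not to .5
           Packet("eth0", "eth1", "tcp", "192.168.1.10", "192.168.1.5"),  # outbound, to .5
           Packet("eth1", "eth0", "tcp", "10.0.0.1", "192.168.1.5")]      # the one the DROP targets
```

With the posted order, `dead_rules(AS_POSTED, SAMPLES)` reports the REJECT as unreachable, and the outbound packet to 10.0.0.9 is ACCEPTed; with the REJECT moved ahead of the blanket ACCEPT the same packet is REJECTed while traffic to 192.168.1.5 still passes.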