Ryan Rothert wrote:
Will do tomorrow, the box isn't online right now. So am I to assume the
bridge firewall patch is already in the Fedora kernel?
I've been looking at the kernel src.rpm and haven't seen it yet. Again, I
do have bridging working, it's just that iptables is not working with the
bridge interface ...
The bridging firewall worked with the stock RH 7.2 kernel, so I assume it's
still ok ;-)
Don't forget you have 3 interfaces when running a bridge. There's eth0 and
eth1 for bridging the ethernet, and the bridge interface itself (in your
case br0) for communicating with the host acting as the bridge. You don't
want to forget to set up INPUT/OUTPUT rules for br0 or the firewall device is
wide open to attack.
INPUT rules apply to packets entering br0, OUTPUT rules apply to packets
leaving br0 and FORWARD rules apply to packets traversing the bridge from
eth0->eth1 and eth1->eth0.
As to your original rules:
> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -j
this will accept any packet being forwarded from eth0 to eth1 regardless (I
hope eth0 is your internal interface).
> iptables -A FORWARD --in-interface eth1 --out-interface eth0 -p
> 10.0.0.1 -d 192.168.1.5 -j DROP
this will drop any packet inbound from 10.0.0.1 to 192.168.1.5.
> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -d
> 192.168.1.5 -j REJECT
I think this will reject any outbound packet not destined for 192.168.1.5 (I'm
not sure what the effect of the ! following a \ will be), but you already
accept all packets from eth0->eth1 above so this has no effect. Also, from
the second rule it appears 192.168.1.5 is on the internal network so it
doesn't make any sense to me unless you are trying to keep packets destined
for this host which originate on the eth0 segment from appearing on the eth1
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw(a)ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
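A minimal rule set for the three-interface layout Nigel describes (eth0 internal, eth1 external, br0 for the host itself), written as an added example rather than anything from the thread. It assumes the bridge-nf semantics the thread relies on, where -i/-o in FORWARD name the physical ports, and an assumed management network of 192.168.1.0/24; the IPT variable lets the rules be printed instead of loaded.

```shell
#!/bin/sh
# Constructed example: default-deny bridging firewall covering all three chains.
# On later kernels the FORWARD rules need "-m physdev --physdev-in/--physdev-out"
# instead of -i/-o; the -i/-o form here assumes the bridge-nf patch semantics.
IPT="${IPT:-iptables}"
INT_IF="${INT_IF:-eth0}"          # internal segment
EXT_IF="${EXT_IF:-eth1}"          # external segment
BR_IF="${BR_IF:-br0}"             # the bridge host's own interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed management network

# Dry-run backend: prints each rule instead of loading it (IPT=dry_run).
dry_run() { printf '%s\n' "$*"; }

bridge_fw_rules() {
    $IPT -F
    # Default deny everywhere: the host (INPUT/OUTPUT on br0) must be locked
    # down as carefully as the bridged traffic (FORWARD), or it is wide open.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Host side (br0): loopback, replies, and management only from ADMIN_NET.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$BR_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -p icmp --icmp-type echo-request -s "$ADMIN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$BR_IF" -p udp --dport 53 -j ACCEPT

    # Bridged traffic: internal -> external allowed; external -> internal only
    # for replies to existing connections. Everything else is logged and dropped.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "bridge-fw drop: "
}

# "sh bridge-fw.sh load" loads the rules; anything else just prints them.
if [ "${1:-}" = "load" ]; then
    bridge_fw_rules
else
    IPT=dry_run
    bridge_fw_rules
fi
```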