LinuxQuestions.org
Old 01-06-2016, 02:13 PM   #1
erikkn
LQ Newbie
 
Registered: Jan 2016
Posts: 3

Rep: Reputation: Disabled
Linux/Ubuntu Bridge for firewall/iptables


Hi guys,

I'm totally stuck with a problem and I could use your help.
Topology: Modem - Router (192.168.77.254) - bridge - switches. The idea is to configure the bridge as a firewall for the network.

I started by installing the bridge utils (apt-get install bridge-utils). After that I made the bridge (brctl addbr br0) and added my interfaces to the bridge (brctl addif eth0 p1p1).
After this I changed my /etc/network/interfaces:

# The loopback network interface
auto lo br0
iface lo inet loopback

# The primary network interface
auto p1p1
iface p1p1 inet manual

auto eth0
iface eth0 inet manual
#
auto p2p1
iface p2p1 inet static
address 192.168.77.121
netmask 255.255.255.0
gateway 192.168.77.254
dns-nameserver 8.8.8.8
#
auto br0
iface br0 inet dhcp
bridge_ports p1p1 eth0

As you can see I have one management interface for SSH access.

Okay, so after this I placed this PC between my router and core switch and it's working. When I unplug one cable, I have no internet, so the bridge is working.

Now that the bridge is working, I made some iptables rules. For testing purposes I inserted the following rules:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -j DROP

Now the following problem occurs: I can still use the internet; the iptables rules are not working!
Can someone please point me in the right direction, because like I said, I'm stuck.

Thanks!
 
Old 01-06-2016, 02:30 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
iptables deals with IP packets, not Ethernet frames. IP rules will not affect traffic between interfaces connected to a bridge, only packets that are actually processed by the TCP/IP stack (inbound, outbound or forwarded packets).

ebtables can be used to filter traffic between bridged interfaces, but really, you should probably configure this host as a router instead. That's how the vast majority of firewalls are installed, and for good reasons.
 
Old 01-06-2016, 02:34 PM   #3
erikkn
LQ Newbie
 
Registered: Jan 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
So you are saying: if I want, for example, to block access from internal clients to www.google.nl, I have to use ebtables?
 
Old 01-06-2016, 02:38 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,334

Rep: Reputation: Disabled
If the firewall host is configured as a bridge, then yes. iptables is for routed IP packets, while ebtables deals with bridged Ethernet frames.
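As an added example, not part of this thread and not written by either poster, here is how the filtering Ser Olmy describes could be expressed with ebtables on the poster's bridge. It assumes the bridge is br0 with p1p1 facing the internal switches and eth0 facing the router (the port names come from the interfaces file above; which side is which is an assumption), and it uses a placeholder destination address from the TEST-NET-3 range rather than a real site. The rules are only printed unless DRY_RUN=0 is set, so the script can be inspected without root or ebtables installed.

```shell
#!/bin/sh
# Added example (not from the thread): ebtables rules for a transparent
# bridge firewall. Assumptions: bridge br0 with p1p1 facing the internal
# switches and eth0 facing the router; BLOCKED_DST is a placeholder
# IPv4 address from TEST-NET-3, not a real destination.
LAN_PORT=${LAN_PORT:-p1p1}
WAN_PORT=${WAN_PORT:-eth0}
BLOCKED_DST=${BLOCKED_DST:-203.0.113.10}
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the commands, 0 = execute them (needs root)

# Print the ebtables commands, one per line. The ebtables FORWARD chain
# sees every frame that crosses the bridge, which is the traffic the
# iptables FORWARD chain never sees on a plain bridge. The log watcher
# records each dropped frame so the block can be verified in the kernel log.
bridge_block_rules() {
    dst=$1
    cat <<EOF
ebtables -F FORWARD
ebtables -P FORWARD ACCEPT
ebtables -A FORWARD -i $LAN_PORT -o $WAN_PORT -p IPv4 --ip-dst $dst --log-prefix "bridge-drop: " --log-ip -j DROP
EOF
}

# Count the append rules in a generated rule set (sanity check before applying).
rule_count() {
    printf '%s\n' "$1" | grep -c '^ebtables -A '
}

# Execute the rule set, or just display it when DRY_RUN is not 0.
apply_rules() {
    rules=$(bridge_block_rules "$1")
    if [ "$DRY_RUN" -eq 0 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

apply_rules "$BLOCKED_DST"
```

Run it as-is to review the commands, then as root with DRY_RUN=0 to load them, and check with `ebtables -L FORWARD --Lc` that the DROP rule's counters increase when an internal client tries to reach the address. Two caveats worth knowing: ebtables matches on addresses, not names, so blocking a site such as www.google.nl means listing the addresses it currently resolves to, which change over time; and if the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables set to 1, bridged IPv4 frames are additionally passed through the iptables FORWARD chain, which is the one situation in which the poster's original iptables rules would have taken effect on the bridge.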
 
Old 01-06-2016, 02:43 PM   #5
erikkn
LQ Newbie
 
Registered: Jan 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Okay, I'll try this, I'll keep you posted ;-)!
 