Linux - Security: This forum is for all security related questions.
I got a little bridge going with the ip_tables module loaded and it's working, because I managed to cut off my ssh connection by denying all INPUT. I can't, however, manage to stop traffic going through the box.
iptables -A FORWARD -p ALL -i eth1 -s 198.86.12.102/24 -o eth0 -d 198.86.12.1/24 -j DROP
To fully describe the forwarded traffic you need to take care of both the forwarding and the NAT rules (and the mangle rules as well, if you have any).
I believe that apart from the FORWARD rules you have '-t nat ... POSTROUTING' or PREROUTING rules. Those rules can change the IP addresses before FORWARD acts.
Anyway: have you tried 'iptables -A FORWARD -p ALL -i eth1 -o eth0 -j DROP' (or just 'iptables -A FORWARD -j DROP')?
I haven't looked at POSTROUTING and PREROUTING, but according to the HOWTOs it should be working with just the FORWARD rule. I have tried what you suggested and more, but when I enter iptables -vL I can see that none of the packets seem to have gone through the FORWARD chain at all. I even tried to make the rule from eth1 to br0 and from br0 to eth0, but the packets still don't go through the FORWARD chain, only the INPUT and OUTPUT ones.
It's a bridge that bridges two parts of the same network, so machines on one side of the box are in the same network as those on the other side. The INPUT & OUTPUT chains are for packets coming to or generated on the localhost. I'm supposed to be able to stop packets to localhost, but also to have the option of accepting packets to localhost while not letting them go through to the rest of the network (FORWARD).
Sorry, but this time I don't understand anything.
If you need a bridge you do not need any netfilter (bridge doesn't know about IP addresses).
Using iptables you can make a router, since it works with the Internet Protocol.
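The symptom in the thread (bridged packets hitting INPUT and OUTPUT but never FORWARD) is what you see when the bridge code switches frames at layer 2 without handing them to netfilter. The kernel only passes bridged IPv4 frames through iptables when bridge-nf is active (the br_netfilter module and the net.bridge.bridge-nf-call-iptables sysctl on current kernels); otherwise only ebtables sees them. The script below is an added example written for this page, not code from any of the posts. It assumes a bridge named br0 with member ports eth0 and eth1 (the names used in the thread), a kernel that provides bridge-nf, and the physdev match in iptables; the function names and the sysctl path are the author's choices, and the rule's addresses are the thread's with a /32 on the single destination host.

```shell
#!/bin/sh
# Added example for the bridge-filtering question in this thread; it is not
# code from any of the posts. Assumptions: a Linux bridge br0 whose member
# ports are eth0 and eth1, and a kernel that provides bridge-nf (the
# br_netfilter module on current kernels). Without bridge-nf, frames crossing
# the bridge are switched at layer 2 and never enter iptables' FORWARD chain.

# Sysctl that tells the bridge code to hand bridged IPv4 frames to iptables.
BRIDGE_NF_SYSCTL=/proc/sys/net/bridge/bridge-nf-call-iptables

# bridge_nf_enabled FILE
# Succeeds (exit 0) when FILE holds "1", i.e. bridged frames reach iptables.
# FILE is a parameter so the check can be exercised on a constructed file.
bridge_nf_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# forward_drop_rule IN_PORT OUT_PORT SRC_NET DST_NET
# Prints the iptables command that drops traffic crossing the bridge from
# IN_PORT to OUT_PORT. Both ports live inside br0, so -i/-o must name br0;
# the physical ports are matched with the physdev module instead.
forward_drop_rule() {
    printf 'iptables -A FORWARD -i br0 -o br0 -m physdev --physdev-in %s --physdev-out %s -s %s -d %s -j DROP\n' \
        "$1" "$2" "$3" "$4"
}

# apply_bridge_filter
# Enables bridge-nf, verifies it took effect, then installs the DROP rule.
# Needs root and a real bridge; it only runs when the script is invoked
# with the argument "apply".
apply_bridge_filter() {
    modprobe br_netfilter 2>/dev/null || true   # built in on older kernels
    sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null
    if ! bridge_nf_enabled "$BRIDGE_NF_SYSCTL"; then
        echo "bridge-nf is not active; FORWARD will not see bridged frames" >&2
        return 1
    fi
    # /32 on the destination: the thread's 198.86.12.1/24 matches the
    # whole /24, not the single host 198.86.12.1.
    eval "$(forward_drop_rule eth1 eth0 198.86.12.0/24 198.86.12.1/32)"
    # Counters on this rule should now increase for traffic crossing the bridge.
    iptables -vnL FORWARD
}

if [ "${1:-}" = "apply" ]; then
    apply_bridge_filter
fi
```

Run it as root with `sh script.sh apply` on the bridge box, then generate traffic from the eth1 side to the eth0 side and watch the packet counter on the new rule in `iptables -vnL FORWARD`. If the check function fails after `sysctl -w`, the kernel has no bridge-nf support and layer-2 filtering has to be done with ebtables instead; in that case no iptables FORWARD rule, however written, will match bridged frames.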