RE: blocking traffic on the FORWARD chain using physdev

Linux Advanced Routing and Traffic Control

Thanks for that.  Would you be able to give a simple example of how to
block outgoing traffic using ebtables and ICMP? I get an error when
using icmp:
 
ebtables -A FORWARD -i eth1 -p icmp -j DROP

Error message - "Problem with the specified protocol."


Kind Regards
William 


-----Original Message-----
From: Oscar Mechanic [mailto:oscar@xxxxxxxxxxxxxxx] 
Sent: 14 December 2006 12:27
To: William Bohannan
Cc: lartc@xxxxxxxxxxxxxxx
Subject: Re:  blocking traffic on the FORWARD chain using physdev

Hi

   Physdev may no longer be supported soon; something to do with hooks
and how this is difficult to support. I have stopped using it because I
found some odd behavior in physdev-in; out seemed fine, as I remember. I use
ebtables and marks for this now.


On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> I am currently using physdev on a bridge to try to isolate certain paths
> across and to the bridge.  It all works except when trying to stop the
> flow in one direction on the FORWARD chain. Can someone please help?
> 
> Below is the testing done so far.
> 
> eth1 <---> BRIDGE <---> eth0
> 
> # Block (eth0 ---> eth1) - blocks both directions and not just one?? 
> iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> 
> # Block (eth0 <--- eth1) - blocks both directions and not just one??
> iptables -A FORWARD -m physdev --physdev-in eth1 -p icmp -j DROP
> 
> # Block (eth0 ---> BRIDGE) - working
> iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
> 
> # Block (eth0 <--- BRIDGE) - working
> iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
> 	
> # Block (eth1 ---> BRIDGE) - working
> iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
> 
> # Block (eth1 <--- BRIDGE) - working
> iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
> 
> 
> Kind Regards
> William 
> 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
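The three approaches discussed in this thread (physdev, plain ebtables, and ebtables marks handed to iptables) side by side, as an added example that is not part of the original messages. Two points it makes concrete: the ebtables error comes from `-p` expecting an Ethernet protocol (IPv4, ARP, a hex ethertype), so the IP protocol has to be selected with `-p IPv4 --ip-proto icmp`; and a rule that drops every ICMP frame in one direction breaks ping in both directions, because an echo-request that gets through from the other side needs an echo-reply coming back the blocked way, so the rules below match only echo-request. Assumptions: the interface names eth0 and eth1 and the "eth0 ---> eth1" direction from the post, bridge-nf enabled so iptables sees bridged frames (`/proc/sys/net/bridge/bridge-nf-call-iptables` = 1), and the nfmark value 1, which is an arbitrary choice. The script only prints the rules unless RUN is set to empty; ebtables needs the ebtables kernel modules and root.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed topology (from the post):
#   eth1 <---> BRIDGE <---> eth0
# Goal: pings started on the eth0 side must not reach eth1, while pings
# started on the eth1 side keep working.  Only echo-request is dropped;
# dropping all ICMP one way would also kill the replies to eth1's pings.
#
# Default: print the rules.  To apply them (as root, bridge up):  RUN= sh block-ping.sh mark
RUN="${RUN-echo}"

OUT_IF=eth0   # side the unwanted pings come from (name assumed from the post)
IN_IF=eth1    # side to protect

# Both the physdev match and the mark hand-off need bridged frames to be
# passed to iptables at all (bridge-nf); returns 0 when that is switched on.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Variant 1: iptables physdev (what the original post used).  In FORWARD both
# bridge ports are known, so the direction can be pinned with in+out; the
# --icmp-type restriction is what keeps the other direction's pings alive.
physdev_rules() {
    $RUN iptables -A FORWARD -m physdev --physdev-in "$OUT_IF" --physdev-out "$IN_IF" \
        -p icmp --icmp-type echo-request -j DROP
}

# Variant 2: pure ebtables.  "-p" is the Ethernet protocol, hence the
# "Problem with the specified protocol." error for "-p icmp"; the IP protocol
# is selected by the ip match instead.  Without an ICMP-type match this drops
# all ICMP eth0->eth1, so it also breaks pings started from the eth1 side.
ebtables_rules() {
    $RUN ebtables -A FORWARD -i "$OUT_IF" -o "$IN_IF" -p IPv4 --ip-proto icmp -j DROP
}

# Variant 3: ebtables marks (the approach the reply recommends).  ebtables
# tags frames travelling eth0->eth1 with nfmark 1 (value assumed) and lets
# them continue; iptables sees the mark on the same skb and does the L4 match.
mark_rules() {
    $RUN ebtables -A FORWARD -i "$OUT_IF" -o "$IN_IF" -j mark --mark-set 1 --mark-target CONTINUE
    $RUN iptables -A FORWARD -m mark --mark 1 -p icmp --icmp-type echo-request -j DROP
}

# Print (or apply) one variant:  sh block-ping.sh physdev|ebtables|mark
case "${1:-mark}" in
    physdev)  physdev_rules ;;
    ebtables) ebtables_rules ;;
    mark)     mark_rules ;;
    *) echo "usage: $0 physdev|ebtables|mark" >&2; exit 2 ;;
esac
```

The mark variant is the one that survives if the physdev match goes away, and it keeps the Ethernet-level direction test in ebtables while leaving the ICMP-type test to iptables, which has had `--icmp-type` for a long time. If your ebtables build lists an ICMP-type option under `ebtables -h ip`, variant 2 can be made one-directional on its own in the same way; check the installed version rather than assuming it.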

