All good, had input instead of forward on the establish / related now fixed.

To test I used:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP

works great!

Kind Regards
William

-----Original Message-----
From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx] On Behalf Of William Bohannan
Sent: 20 December 2006 16:33
To: oscar@xxxxxxxxxxxxxxx
Cc: lartc@xxxxxxxxxxxxxxx
Subject: RE: blocking traffic on the FORWARD chain using physdev

Still can't seem to block on the FORWARD chain in one direction.

I tried

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP

Just as a test, no other rules enabled at all (in iptables, tc or ebtables), and it blocks both directions.

Please can someone help?

Kind Regards
William

-----Original Message-----
From: Oscar Mechanic [mailto:oscar@xxxxxxxxxxxxxxx]
Sent: 14 December 2006 12:41
To: William Bohannan
Cc: lartc@xxxxxxxxxxxxxxx
Subject: RE: blocking traffic on the FORWARD chain using physdev

Are you sure you want to block ICMP? How about PMTU?

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp

On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote:
> Thanks for that. Would you be able to give a simple example on how to
> block outgoing traffic using ebtables and icmp? As I get an error when
> using icmp:
>
> ebtables -A FORWARD -i eth1 -p icmp -j DROP
>
> Error message - "Problem with the specified protocol."
>
> Kind Regards
> William
>
> -----Original Message-----
> From: Oscar Mechanic [mailto:oscar@xxxxxxxxxxxxxxx]
> Sent: 14 December 2006 12:27
> To: William Bohannan
> Cc: lartc@xxxxxxxxxxxxxxx
> Subject: Re: blocking traffic on the FORWARD chain using physdev
>
> Hi
>
> Physdev may no longer be supported soon, something to do with hooks
> and how this is difficult to support. I have stopped using it cause I
> found some odd behavior in physdev-in, out seemed fine I remember.
> I use ebtables and marks for this now.
>
> On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> > Currently using physdev on a bridge to try and isolate certain paths
> > across and to the bridge. It all works except when trying to stop the
> > flow in one direction on the FORWARD chain?? Can someone please help??
> >
> > Below is the testing done so far.
> >
> > eth1 <---> BRIDGE <---> eth0
> >
> > # Block (eth0 ---> eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 <--- eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
> >
> > # Block (eth0 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
> >
> > # Block (eth1 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
> >
> > # Block (eth1 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > Kind Regards
> > William
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
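The behaviour William reports in the top message (an ESTABLISHED,RELATED accept rule first, then a drop of ICMP entering on eth0) versus the single physdev-out rule that blocked ping in both directions can be reproduced with a small simulation. The following is an added example, not code from the thread or from the LARTC project: it models conntrack's ICMP echo tracking and first-match rule evaluation in Python, with constructed addresses, an arbitrary ICMP id, and a hypothetical third rule set using --icmp-type echo-request that the thread itself does not discuss.

```python
"""Toy model of a netfilter FORWARD chain with connection tracking.

Added illustration, not code from the LARTC thread: it replays the rule sets
discussed there against constructed ICMP echo packets. Addresses and the
ICMP id are made up.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    physdev_in: str   # bridge port the frame arrived on
    physdev_out: str  # bridge port the frame will leave on
    proto: str        # "icmp" throughout this example
    src: str
    dst: str
    icmp_type: str    # "echo-request" or "echo-reply"
    icmp_id: int


@dataclass
class Conntrack:
    """Stand-in for nf_conntrack's ICMP echo handling: a request and its
    reply are one flow, keyed on (src, dst, id) of the request."""
    flows: set = field(default_factory=set)

    def key(self, pkt):
        if pkt.icmp_type == "echo-reply":  # reply direction is swapped
            return (pkt.dst, pkt.src, pkt.icmp_id)
        return (pkt.src, pkt.dst, pkt.icmp_id)

    def state(self, pkt):
        return "ESTABLISHED" if self.key(pkt) in self.flows else "NEW"

    def confirm(self, pkt):
        self.flows.add(self.key(pkt))  # a flow is recorded only once a packet passes


def run_chain(rules, pkt, ct):
    """First-match evaluation of a chain whose policy is ACCEPT (the thread
    says no other rules were loaded). Returns the verdict."""
    state = ct.state(pkt)
    fields = {"physdev_in": pkt.physdev_in, "physdev_out": pkt.physdev_out,
              "proto": pkt.proto, "icmp_type": pkt.icmp_type}
    verdict = "ACCEPT"
    for rule in rules:
        # every match in the rule must agree with the packet; an absent match is a wildcard
        if all(rule.get(k, v) == v for k, v in fields.items()) \
                and state in rule.get("state", {state}):
            verdict = rule["target"]
            break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


# iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
STATELESS = [{"physdev_out": "eth1", "proto": "icmp", "target": "DROP"}]

# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP
STATEFUL = [
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"physdev_in": "eth0", "proto": "icmp", "target": "DROP"},
]

# Hypothetical stateless alternative (not from the thread): drop only the
# request half of a ping entering on eth0, i.e.
# iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp --icmp-type echo-request -j DROP
ECHO_REQUEST_ONLY = [
    {"physdev_in": "eth0", "proto": "icmp", "icmp_type": "echo-request", "target": "DROP"},
]

HOSTS = {"eth0": "10.0.0.1", "eth1": "10.0.0.2"}  # constructed addresses


def ping(rules, from_port):
    """True if a host behind from_port can ping the host behind the other port:
    the echo request must cross the bridge and the echo reply must come back."""
    to_port = "eth1" if from_port == "eth0" else "eth0"
    ct = Conntrack()
    request = Packet(from_port, to_port, "icmp", HOSTS[from_port], HOSTS[to_port],
                     "echo-request", 42)
    if run_chain(rules, request, ct) != "ACCEPT":
        return False
    reply = Packet(to_port, from_port, "icmp", HOSTS[to_port], HOSTS[from_port],
                   "echo-reply", 42)
    return run_chain(rules, reply, ct) == "ACCEPT"


def compare_rulesets():
    """Ping results per rule set, keyed by the port the ping originates on."""
    rulesets = {"stateless": STATELESS, "stateful": STATEFUL,
                "echo_request_only": ECHO_REQUEST_ONLY}
    return {name: {port: ping(rules, port) for port in ("eth0", "eth1")}
            for name, rules in rulesets.items()}


if __name__ == "__main__":
    for name, result in compare_rulesets().items():
        print(f"{name:18} ping from eth0: {result['eth0']}, from eth1: {result['eth1']}")
```

The stateless rule fails both pings because the reply to an eth1-originated echo also leaves through eth1 and is dropped; the stateful pair passes that reply as ESTABLISHED and drops only echoes entering on eth0. Two caveats for a real bridge that the model does not capture: iptables only sees bridged frames in FORWARD when br_netfilter is active (bridge-nf-call-iptables=1), and real conntrack also classifies ICMP errors that refer to a tracked flow as RELATED, so "fragmentation needed" messages for existing connections pass the ESTABLISHED,RELATED rule, which is what Oscar's PMTU concern is about.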