RE: What I learned about Linux bridging

Linux Advanced Routing and Traffic Control

>> I want to block anything coming in from the Internet claiming to come
>> from 10/8, or 172.16/12 or 192.168/16.

> You should be able to easily do this with a few EBTables rules.

Yup - I was off putting together something similar to what you did and
just now saw your reply.  It all tested good.  I'll paste it in below:

#
# ebtables rules for bridging
#
# EBTABLES and INET_IFACE are set elsewhere in the firewall script; the
# values below are placeholders, adjust them for your box.
EBTABLES=${EBTABLES:-/sbin/ebtables}
INET_IFACE=${INET_IFACE:-eth0}

echo "ebtables rules"
echo "	Directing anything between the Internet and private IP Addresses to the bogus_ip chain"

# The user-defined chain has to exist before any rule can jump to it
$EBTABLES -N bogus_ip

# Frames that enter on the Internet-side port and carry an RFC1918 source or
# destination address are handed to bogus_ip, both for bridged traffic
# (FORWARD) and for traffic addressed to the bridge box itself (INPUT).
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 10.0.0.0/8 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 172.16.0.0/12 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-src 192.168.0.0/16 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 10.0.0.0/8 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 172.16.0.0/12 -j bogus_ip
$EBTABLES -A FORWARD -i $INET_IFACE -p IPv4 --ip-dst 192.168.0.0/16 -j bogus_ip

$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 10.0.0.0/8 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 172.16.0.0/12 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-src 192.168.0.0/16 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 10.0.0.0/8 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 172.16.0.0/12 -j bogus_ip
$EBTABLES -A INPUT -i $INET_IFACE -p IPv4 --ip-dst 192.168.0.0/16 -j bogus_ip

#
# Set up the bogus_ip chain to log and drop packets to/from private IP addresses
#

echo "Setting up the bogus_ip chain to LOG and DROP spoofed packets"

# --log-prefix pulls in the log watcher; the frame is logged, then dropped
$EBTABLES -A bogus_ip --log-prefix " spoofed packet"
$EBTABLES -A bogus_ip -j DROP


I might see if I can do this with one set of rules in the PREROUTING
chain.


> I don't think you are being too paranoid, but 
> I think you should be aware of something I have 
> run in to in my own testing. . . .

Yup - I noticed similar behavior.  So this is how I'll handle it.  eth0
gets an IP Address of 1.2.3.6 during normal bootup.  And then when I do
the brctl stuff, br0 gets 1.2.3.2.  That way there's never a conflict
between the physical and logical.  All the physical interfaces have
unique addresses so I can route based on the address when it makes
sense, or bridge based on the interface when that makes sense.  I'm
feeling lots better about all this.  Hopefully this discussion can help
others out there.  

- Greg

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

