On Thu 06/11/2003 at 22:07, Tim Gardner wrote:
> I have a well behaved bridge firewall using 2.4.22 with the relevant P-O-M
> patches applied. In testing 2.6.0-test9 I have determined that interface
> specification on a rule no longer works. For example, the first rule in the
> set that should catch 99% of all inbound TCP packets is
>
> iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> If the interface is specified, then this rule does not accrue any packets. Is
> this an expected change in behavior from 2.4.22?

When using a bridged firewall with 2.6 kernels, the inbound interface is the bridge interface, i.e. br0, and it is the outbound one as well... That's why you have the physdev match, which allows one to match the _physical_ interface, among all the ones belonging to the bridge, that actually received the packet.

cbr@elendil:~$ iptables -m physdev --help
iptables v1.2.8
[...]
physdev v1.2.8 options:
 --physdev-in [!] input name[+]    bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+]  bridge port name ([+] for wildcard)

So, in your case:

iptables -A FORWARD -i br0 -m physdev --physdev-in $EXTIF \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
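The point of the reply above is that on a 2.6 bridging firewall `-i $EXTIF` silently matches nothing because the packet arrives on the bridge (br0), so a rule that names a physical port has to use `-m physdev --physdev-in`. The following is an added example, not code from the original mail or its authors: a small POSIX shell helper that looks up whether an interface is enslaved to a bridge and emits the correct form of the FORWARD rule either way. It assumes (not stated in the mail) a kernel whose sysfs exposes `/sys/class/net/<port>/brport/bridge` as a symlink to the bridge device; the `SYSFS_ROOT` variable is an assumption of this example, provided so the lookup can be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not from the original mail): choose between a plain -i rule
# and a physdev rule for a bridging firewall on 2.6 kernels.
#
# Assumption: a bridge port has $SYSFS_ROOT/<port>/brport/bridge symlinked to
# its bridge device (modern Linux sysfs). SYSFS_ROOT is overridable so the
# functions can be exercised against a constructed directory tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# bridge_of IFACE: print the bridge IFACE is enslaved to; fail if it is not
# a bridge port.
bridge_of() {
    link="$SYSFS_ROOT/$1/brport/bridge"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# forward_rule IFACE: print the iptables arguments that accept established
# and related traffic arriving on IFACE. When IFACE is a bridge port, -i
# must name the bridge and physdev must name the port, exactly as the reply
# above spells out; otherwise -i alone is correct.
forward_rule() {
    iface="$1"
    if br=$(bridge_of "$iface"); then
        printf '%s\n' "-A FORWARD -i $br -m physdev --physdev-in $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    else
        printf '%s\n' "-A FORWARD -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
}

# Stand-alone use: print the rule for the interface named on the command line,
# e.g.  iptables $(forward_rule eth0)
[ $# -eq 1 ] && forward_rule "$1"
```

Running `iptables $(forward_rule eth0)` on a host where eth0 is a port of br0 installs the physdev form from the mail; on a host where eth0 is a routed interface it installs the original 2.4-style rule, so the same script works on both bridged and routed firewalls.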