Re: Bridging firewall setup

On Tuesday 16 December 2003 4:55 pm, Chris Brown wrote:

> Hi all, new to the list. I'm trying to get a bridging firewall setup on
> a RH 9 box and I'm not having much luck. The bridge itself works fine
> but when I try to add rules using netfilter they seem to be ignored and
> packets I'm trying to block go on through.
>
> I decided to start simple by blocking some (presumably) msblast traffic
> on port 135. From the HOWTOs I've been reading all rules on the bridge
> should be in chain FORWARD so I did:
>
> iptables -F
> iptables -X # RH has some user-defined chains and I just dumped those
> iptables -A FORWARD -p udp --dport 135 -j DROP
> iptables -A FORWARD -p tcp --dport 135 -j DROP
>
> Nothing ... traffic still gets through ... so I explicitly added the
> interface
>
> iptables -i br0 -A FORWARD -p udp --dport 135 -j DROP
>
> Still nothing.

I don't know the answer to your question, but in situations like this I always 
think it's a good idea to turn on some LOGging so you can see where the 
packets are, and then you can try filtering them.

One thing you could do straight off is just request a detailed listing of the 
chains, to see if you have any packet counts at all:

iptables -L -n -v -x

will print out the filter tables in the INPUT, FORWARD and OUTPUT chains, and 
you should see from the byte & packet counters whether packets seem to have 
been going past.

You can do the same thing with the nat tables to see what happens just before 
& after the above:

iptables -L -t nat -n -v -x

However, if you simply put a LOG rule into all five chains and then send some 
packets through the bridge, you can see what gets logged where:

iptables -I INPUT -j LOG
iptables -I FORWARD -j LOG
iptables -I OUTPUT -j LOG
iptables -I PREROUTING -t nat -j LOG
iptables -I POSTROUTING -t nat -j LOG

Let us know what you find....

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

                                                     Please reply to the list;
                                                           please don't CC me.
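To make the "see what gets logged where" step above easier to read, here is an added example (not part of Antony's message) that sorts kernel LOG lines by flow and lists the chains each flow visited. It assumes the five LOG rules were inserted with `--log-prefix "<CHAIN>: "` so each line names its chain; the log lines, hosts and addresses below are constructed, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of what syslog might record after inserting the five
# LOG rules with --log-prefix "PREROUTING: ", "FORWARD: " and so on.
# Flow 1: a SYN to port 135 crossing the bridge (PREROUTING -> FORWARD -> POSTROUTING).
# Flow 2: a packet for the bridge box itself (PREROUTING -> INPUT).
SAMPLE_LOG = """\
Dec 16 17:02:11 bridge kernel: PREROUTING: IN=br0 OUT= SRC=10.0.0.5 DST=10.0.1.7 LEN=48 PROTO=TCP SPT=1045 DPT=135 SYN
Dec 16 17:02:11 bridge kernel: FORWARD: IN=br0 OUT=br0 SRC=10.0.0.5 DST=10.0.1.7 LEN=48 PROTO=TCP SPT=1045 DPT=135 SYN
Dec 16 17:02:11 bridge kernel: POSTROUTING: IN= OUT=br0 SRC=10.0.0.5 DST=10.0.1.7 LEN=48 PROTO=TCP SPT=1045 DPT=135 SYN
Dec 16 17:02:12 bridge kernel: PREROUTING: IN=br0 OUT= SRC=10.0.0.9 DST=10.0.1.1 LEN=52 PROTO=TCP SPT=2200 DPT=22 ACK
Dec 16 17:02:12 bridge kernel: INPUT: IN=br0 OUT= SRC=10.0.0.9 DST=10.0.1.1 LEN=52 PROTO=TCP SPT=2200 DPT=22 ACK
"""

# The prefix is the chain name we chose when adding the LOG rule (assumed).
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z]+): (?P<fields>.*)$")


def parse_fields(text):
    """Turn 'IN=br0 OUT= SRC=... SYN' into a dict; bare flags map to True."""
    out = {}
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            out[key] = value
        else:
            out[token] = True
    return out


def trace_flows(log_text):
    """Map each (SRC, DST, PROTO, DPT) flow to the ordered list of chains
    that logged it. Chains are kept in log order, repeats included."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = parse_fields(m.group("fields"))
        key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))
        flows[key].append(m.group("prefix"))
    return dict(flows)


def chains_for_port(log_text, dport):
    """Sorted set of chains that saw traffic to the given destination port.
    A DROP rule can only work in a chain that actually sees the packet."""
    seen = set()
    for (_src, _dst, _proto, port), chains in trace_flows(log_text).items():
        if port == str(dport):
            seen.update(chains)
    return sorted(seen)
```

Run against a real `/var/log/messages` instead of `SAMPLE_LOG`; a port-135 flow whose chain list lacks FORWARD tells you the FORWARD rules were never in its path.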
