Hum, it looks good but when @1 sends data to @2 using TCP/IP, I need to get the data in my application running on the bridge in order to choose if the data must be sent to @2. Meaning that I would like to have, for example, a TCP/IP socket opened on eth0 and getting the data before sending the data to @2. The choice of routing or non-routing can't only be done by looking at the packet at the IP level but by analysing the contents of the TCP data.

> -----Original Message-----
> From: Cedric Blancher [mailto:blancher@xxxxxxxxxxxxxxxxxx]
> Sent: Thursday 29 January 2004 15:51
> To: Christophe.LINDHEIMER@xxxxxxxxxxxxxxxxxx
> Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: beginner, trying to use iptables.
>
>
> On Thu 29/01/2004 at 14:58, Christophe.LINDHEIMER@xxxxxxxxxxxxxxxxxx
> wrote:
> > So at the end I have got something looking like this :
> > @1 <--------> @2 | @3 <-------> @4
> > with @1 = 128.0.0.2, @4 = 128.0.0.10, @2 & @3 can be anything.
> > @1 & @4 must be on the same subnet ( the computer in the middle must be
> > transparent and can be removed )
> > So it is a kind of firewall but a bit special.
>
> You have to set a transparent firewall up, using bridging.
>
> See http://ebtables.sourceforge.net/
>
> Principle is quite simple :
>
> @1 ------- [eth0/eth1] ------ @2
>                br0
>
> Once the patch is applied, you have to build your kernel with bridging
> and bridge firewalling support (see networking section). Then, set your
> box as a bridge :
>
> brctl addbr br0
> ifconfig eth0 up
> ifconfig eth1 up
> brctl addif br0 eth0
> brctl addif br0 eth1
> ifconfig br0 up
>
> Now, your box behaves like a bridge (i.e. an ethernet switch with 2
> ports), forwarding frames between eth0 and eth1. Forwarded frames'
> payload, if IP, will be visible in the Netfilter FORWARD chain, which
> allows you to filter IP stuff, just as usual.
>
> NB : . non-IP traffic will be allowed unless you use ebtables to block it
>      . if you want to reach your box from the network, just assign an IP
>        to the br0 interface
>
> There's some documentation at http://ebtables.sourceforge.net/ that
> explains this kind of setup.
>
> > I thought that with iptables, I could say : the destination of any packets
> > entering in eth0 ( with no care of the IP @ ) is transformed into @2 (using
> > DNAT for example ), then @2 replies and I retransform the source @. ( isn't
> > a proxy working like this ?? )
>
> A proxy works at application layer, here you'll have to work either at
> link or network layer.
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
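As an added example (not part of the thread, not Cedric's or Christophe's code), this is the part of the job the application on the bridge would have to do once it gets hold of a forwarded frame: walk the Ethernet, IPv4 and TCP headers down to the TCP data, and only then take the forward/drop decision, which is exactly what an IP-level FORWARD rule cannot do. The policy rule (refuse TCP data beginning with "DROP"), the MAC addresses and the sample frame from @1 to @4 are constructed placeholders; how the frame gets from the bridge into userspace is outside this snippet.

```python
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def tcp_payload(frame: bytes) -> Optional[bytes]:
    """Return the TCP payload of an IPv4/TCP Ethernet frame, or None when the
    frame is not IPv4/TCP (non-IP frames are not iptables' business anyway)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # IP header length, with options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or ihl < 20 or total_len < ihl + 20 or len(ip) < total_len:
        return None
    tcp = ip[ihl:total_len]                        # drop any Ethernet padding
    data_off = (tcp[12] >> 4) * 4                  # TCP header length, with options
    if data_off < 20 or len(tcp) < data_off:
        return None
    return tcp[data_off:]

def verdict(frame: bytes) -> str:
    """Constructed policy (placeholder rule): drop TCP data that begins with
    b"DROP", forward everything else, including frames with no TCP data."""
    payload = tcp_payload(frame)
    if payload is not None and payload.startswith(b"DROP"):
        return "drop"
    return "forward"

def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: @1 (128.0.0.2) -> @4 (128.0.0.10), TCP 1234 -> 80,
    PSH|ACK, checksums left at zero since the decision does not depend on them."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, PROTO_TCP, 0, bytes([128, 0, 0, 2]), bytes([128, 0, 0, 10]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    for data in (b"GET / HTTP/1.0\r\n", b"DROP me"):
        print(data, "->", verdict(build_frame(data)))
```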