On Mon, 06 Sep 2004 15:45:38 +0200, Steve Comfort <steve@xxxxxxxxx> wrote:

> Hi All,
>
> Could anyone perhaps suggest a script to use in conjunction with a
> bridge (ebtables/iptables combination)? I am trying (unsuccessfully) to
> firewall a linux access point with one wlan and one eth interface...

You need to allow forwarding "between" the bridge, and for filtering "inside" the bridge you'll need physdev-in and physdev-out instead of -i and -o. As an example:

  # the iptables binary the script calls (left implicit in the original)
  IPTABLES=/sbin/iptables

  # allow forwarding between the interfaces in the bridge but only for ports > 100
  BRIDGE_IF=br0
  $IPTABLES -A FORWARD -p tcp -i $BRIDGE_IF -o $BRIDGE_IF --dport 1:100 -j DROP
  $IPTABLES -A FORWARD -p udp -i $BRIDGE_IF -o $BRIDGE_IF --dport 1:100 -j DROP

  ## now some further restrictions. All interfaces following must have
  ## been added using brctl addif to the bridge
  ## for the example, assume the ifs eth1, ath0 and tap0 are in the bridge
  ## (these rules have to sit before the generic ACCEPT at the end: a packet
  ## accepted by an earlier rule leaves the FORWARD chain and would never
  ## reach them)

  # if coming from device tap0 (VPN) don't allow to go to ath0 (WLAN)
  ## make new chain
  $IPTABLES -N fromtap
  ## if coming from tap0 jump to chain fromtap
  $IPTABLES -A FORWARD -m physdev --physdev-in tap0 -j fromtap
  ## if going to device ath0, drop
  $IPTABLES -A fromtap -m physdev --physdev-out ath0 -j DROP
  ## if going to device eth1 (the bridged wired interface), allow
  $IPTABLES -A fromtap -m physdev --physdev-out eth1 -j ACCEPT
  ## drop everything else
  $IPTABLES -A fromtap -j DROP

  ## generic forwarding across the bridge: at this point, all remaining
  ## traffic between ALL the interfaces in the bridge can be forwarded,
  ## except for udp and tcp connections going to a port <= 100 (just an
  ## example, you don't need to include that :) ) and tap0 -> ath0
  $IPTABLES -A FORWARD -i $BRIDGE_IF -o $BRIDGE_IF -j ACCEPT

Of course you can use all the other matches that are valid. The important thing is that generic forwarding of the bridge is allowed (FORWARD -i bridge -o bridge) and that you need to filter on devices that are *in* the bridge using physdev. When in doubt, add -j LOG at the end of your chains and look at what gets logged before (hopefully) the default policy drop.

Hope that helps

-- C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
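A complete bridge-firewall script in the shape the reply above describes, added here as an example; it is not René's code and not from the original thread. It assumes the same layout (br0 with members eth1, ath0 and tap0), picks a default-DROP FORWARD policy, lets the rules be printed instead of loaded (dry-run) by passing `echo` as the iptables command, and adds the check a practitioner wants first: bridged frames only reach iptables when the sysctl bridge-nf-call-iptables is 1. Interface names, the helper names and the LOG prefixes are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sh bridgefw.sh dry-run   # print the rules, touches nothing
#   sh bridgefw.sh apply     # load them (root, real bridge required)

BRIDGE_IF=${BRIDGE_IF:-br0}     # the bridge created with brctl addbr
WIRED_IF=${WIRED_IF:-eth1}      # assumed bridge members (brctl addif)
WLAN_IF=${WLAN_IF:-ath0}
VPN_IF=${VPN_IF:-tap0}

# Bridged IP traffic is only handed to iptables when this sysctl is 1;
# with 0 no FORWARD rule, physdev or otherwise, ever sees a bridged frame.
# Returns 0 when enabled, 1 when disabled, 2 when the file is absent.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ ! -r "$f" ]; then
        echo "bridge-nf-call-iptables not available (bridge netfilter not loaded?)" >&2
        return 2
    fi
    [ "$(cat "$f")" = "1" ] && return 0
    echo "bridge-nf-call-iptables is 0: iptables will not see bridged frames" >&2
    return 1
}

# Every rule goes through $ipt, so "apply_bridge_rules echo" prints the
# exact command lines that "apply_bridge_rules iptables" would execute.
apply_bridge_rules() {
    ipt=${1:-iptables}

    $ipt -F FORWARD
    $ipt -P FORWARD DROP              # only the explicit ACCEPTs below pass

    # Replies to flows already accepted, whichever way they cross the bridge.
    $ipt -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Port restrictions between members only need -i/-o on the bridge itself.
    $ipt -A FORWARD -p tcp -i "$BRIDGE_IF" -o "$BRIDGE_IF" --dport 1:100 -j DROP
    $ipt -A FORWARD -p udp -i "$BRIDGE_IF" -o "$BRIDGE_IF" --dport 1:100 -j DROP

    # Per-member restrictions need physdev: -i/-o only ever see br0.
    # They must precede the generic ACCEPT, or they are never reached.
    $ipt -N fromtap 2>/dev/null || $ipt -F fromtap
    $ipt -A FORWARD -m physdev --physdev-in "$VPN_IF" -j fromtap
    $ipt -A fromtap -m physdev --physdev-out "$WLAN_IF" -j DROP
    $ipt -A fromtap -m physdev --physdev-out "$WIRED_IF" -j ACCEPT
    $ipt -A fromtap -j LOG --log-prefix "fromtap-drop: "
    $ipt -A fromtap -j DROP

    # Generic forwarding for everything else crossing the bridge.
    $ipt -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -j ACCEPT

    # The reply's debugging tip: log what falls through to the DROP policy.
    $ipt -A FORWARD -j LOG --log-prefix "bridge-fwd-drop: "
}

case "${1:-}" in
    apply)   bridge_nf_state || true; apply_bridge_rules iptables ;;
    dry-run) apply_bridge_rules echo ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

The dry-run is worth keeping in any firewall script of this kind: it lets you review rule order (the physdev jump must appear before the generic bridge ACCEPT) before a mistaken ACCEPT quietly makes the later restrictions dead rules.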