Re: okay, I admit confusion here;

- From what I have seen of the bridging abilities and ebtables this gets ugly as we are reduced to layer 2 filtering and have a lack of control of the higher level protocols, which is basically useless here.

This is not quite the case. Bridging has a unique ability to be set up to only bridge specific traffic. Take a look at my reply (https://lists.netfilter.org/pipermail/netfilter/2005-May/060531.html) to the "Bridging selected MACs" thread. The EBTables portion of the kernel is firewalling / filtering on layer 2, which has a special table called broute with a special chain called BROUTING which is used to have the kernel decide if it is going to bridge (ACCEPT) traffic (in the bridging code) or if it is going to route (DROP) traffic (up into the routing code). With this you could easily have a bridging router. I think if you take a look at the aforementioned thread you will see that this can fairly easily be done. If you do want some help with it please start a new thread (this for some reason showed up as a reply to the SSH brute force thread) and I'll be glad to offer any and all help that I can.



Grant. . . .
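
The BROUTING decision described in the message above, as an added example that is not part of the original post: a dry-run generator that prints ebtables commands to bridge frames from selected source MACs and send everything else to the routing code. The MAC addresses are constructed samples, and the function names `valid_mac` and `gen_broute_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: print (do not apply) ebtables broute rules.
# In the BROUTING chain, ACCEPT = bridge the frame, DROP = hand it to routing.

# Constructed sample MACs; replace with the hosts that must stay bridged.
BRIDGED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

valid_mac() {
    # Accept only six colon-separated hex octets, so nothing else
    # can end up inside a generated command line.
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

gen_broute_rules() {
    # $@ = source MACs to bridge. Prints one command per line.
    # Validates every MAC first and returns 1 without output on a bad one.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    # Start from an empty chain so stale rules cannot change the decision.
    echo "ebtables -t broute -F BROUTING"
    for mac in "$@"; do
        echo "ebtables -t broute -A BROUTING -s $mac -j ACCEPT"
    done
    # Default for unmatched frames: route them (DROP in this chain).
    echo "ebtables -t broute -P BROUTING DROP"
}

# Dry run: review the output, then pipe it to sh as root to apply.
# $BRIDGED_MACS is left unquoted on purpose so it splits into arguments.
gen_broute_rules $BRIDGED_MACS
```

Frames sent to the routing code are seen as arriving on the physical port rather than on the bridge device, so iptables rules for the routed traffic match on that port's interface name.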

