Re: Bridge IPv6 traffic between 2 interfaces

Hi,

According to what you wrote, I imagine that you already have control
over the bridge.
The filter made with ebtables only affects the traffic crossing the
bridge (your filter in BROUTING).

For IPv4 traffic you must configure the firewall as if it were a
simple firewall/router - if you haven't done the bridge filters.
- Make sure routing is active in /proc/sys/net/ipv4/ip_forward (set to 1).
- Check the routing table on both sides (networks). Does each network
know the routing path to the other?
- Check the filters in the FORWARD chain.
- If you refer to the output as internet access, then confirm your NAT
rules (SNAT or MASQUERADE).

One way to quickly verify if the problem is with your firewall rules
(in memory - only for tests):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -I POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT

This way you will NAT and accept anything that goes through the
firewall. Of course you should not leave it like that, but it is a way
to quickly verify if the problem is with your rules.

Start without NAT.

You can use tcpdump to help you too:
- using a shell session
tcpdump -i <if_in> icmp -n

- using another shell session
tcpdump -i <if_out> icmp -n

So you can see what goes in and out of each interface.
If the output is too polluted, you can add the host address to the pcap filter:
tcpdump -i <if> -n icmp and host <target>

I hope this helps



On 23 March 2012 at 02:58, Huebner, Thomas
<thomas.huebner@xxxxxxxxxxxxx> wrote:
> Hi,
>
> thanks for your quick response. I needed some time to fix and extend the kernel with ebt_broute. I'm using openembedded and all that bitbake stuff needs time...
> Finally I've integrated ebtables and the necessary kernel modules.
>
> I assume that the preceding setup looks something like this (?):
>
> # brctl addbr br0
> # brctl addif br0 usb0
> # brctl addif br0 usb1
> # ifconfig br0 0.0.0.0 up
>
> followed by:
> # ebtables -t broute -A BROUTING -p ipv4 -j DROP
>
> After that I can no longer ping (ipv4) the box from outside.
>
>
> Am I missing something, maybe some sysctls?
>
> Regards,
>
> Thomas
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
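As an added illustration of the checklist in the reply above (this is not code from the thread): a small POSIX sh script whose helpers check ip_forward, work out the effective verdict of the FORWARD chain from `iptables -S FORWARD` output, and detect source NAT in POSTROUTING. The function names and the sample rules are my own; the parsers read saved `iptables -S` output from stdin, so they can be tried without root.

```shell
#!/bin/sh
# Added diagnostic helpers for the checklist in the reply; not code from
# the thread. Parsers take `iptables -S` output on stdin so they can be
# run on saved output; live_report() runs them on the box (needs root).

# Succeed if IPv4 forwarding is enabled. Optional argument: path of the
# sysctl file (defaults to the real one; tests can point it at a copy).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read `iptables -S FORWARD` on stdin and print the verdict of the first
# unconditional rule (no match options, just "-j VERDICT"), or the chain
# policy if there is none. An unconditional rule shadows every rule after
# it, so this is what forwarded traffic gets unless an earlier, more
# specific rule matched it first.
forward_effective_verdict() {
    awk '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" && NF == 4 && $3 == "-j" && !found {
            print $4; found = 1
        }
        END { if (!found) print policy }'
}

# Read `iptables -t nat -S POSTROUTING` on stdin; succeed if some rule
# rewrites the source address (MASQUERADE or SNAT).
nat_present() {
    grep -Eq -- '-j (MASQUERADE|SNAT)( |$)'
}

# Run the checks on the live system (root required for iptables/ebtables).
live_report() {
    if ip_forward_enabled; then echo "ip_forward: 1"; else echo "ip_forward: 0 (routing off)"; fi
    echo "FORWARD effective verdict: $(iptables -S FORWARD | forward_effective_verdict)"
    if iptables -t nat -S POSTROUTING | nat_present; then echo "NAT: present"; else echo "NAT: none"; fi
    # In the broute table, DROP means "route this frame instead of bridging it".
    if command -v ebtables >/dev/null 2>&1; then ebtables -t broute -L; fi
}

if [ "${1:-}" = "--live" ]; then live_report; fi
```

Run it with `--live` on the bridge box to print the three checks and the BROUTING rules in one go.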

