I'm trying to put together a transparent bridge to protect a system. Using ebtables, arptables, and iptables, I've ALMOST got it working, and I'm wondering if using nftables may be the better way to go. I have a test script below, but the idea is that the bridge will have 2 NICs in it, eth0 connected to the computer to protect, and eth1 connected to the switch.

What's happening is that the bridge works fine and the protected computer can communicate; however, packets originating locally (the reason for some of the NAT rules) ultimately don't work their way up the IP stack. The packets hit the wire with the correctly NAT'd entries, so the NAT rules appear to be working correctly; however, the bridge itself doesn't seem to be processing the responding packets. Originally I thought that the ARP mangling (rather than an ARP equivalent to a NAT) might be causing the issue, but entering a static entry in the ARP table for a target to talk to produced the same result.

Any help would be greatly appreciated!

-----------------------------------

#!/bin/bash

BRINT=br0
COMPINT=eth0
SWINT=eth1
COMPMAC="01:02:03:04:05:06"
# change this to the mac of the bridge
SWMAC="11:12:13:14:15:16"
# Set this to the IP address of the computer to protect (this works best if you
# bring the bridge up before running this and let the computer DHCP to pull an address)
COMIP="192.168.1.31"
# Non-routable IP for bridge that we can NAT later to $COMIP
BRIP=169.254.66.66
# SNAT port range.
RANGE=61000-62000

# Just verify the bridge is set up
HASBRIDGE=$(ifconfig | grep "$BRINT" | wc -l)
if [ "$HASBRIDGE" -eq 0 ]; then
    brctl addbr $BRINT
    brctl addif $BRINT $COMPINT
    brctl addif $BRINT $SWINT
    brctl stp $BRINT off
    # Enable IPv4/IPv6 forwarding on the bridge host
    sysctl -w net.ipv4.ip_forward=1 > /dev/null
    sysctl -w net.ipv6.conf.all.forwarding=1 > /dev/null
    # Set the bridge to forward the EAPOL frames (bit 3 of group_fwd_mask = 01:80:c2:00:00:03)
    echo 8 > /sys/class/net/$BRINT/bridge/group_fwd_mask
    # bring up both sides of the bridge
    ifconfig $COMPINT 0.0.0.0 up promisc
    ifconfig $SWINT 0.0.0.0 up promisc
    # Just to only have to deal with 1 mac from eth1 and the bridge
    macchanger -m $SWMAC $BRINT > /dev/null
fi

ifconfig $BRINT $BRIP up promisc
# net-tools "route" has no "flush" subcommand (the original "route flush" only printed
# usage and was silenced), so clear the table with iproute2 instead
ip route flush table main 2>/dev/null
route add -net 192.168.1.0/24 br0
route add default gw 192.168.1.1

# Layer 2: rewrite the bridge's source MAC to the protected computer's MAC on the switch side
ebtables -t nat --flush
ebtables -t nat -A POSTROUTING -s $SWMAC -o $SWINT -j snat --to-src $COMPMAC --snat-arp

# ARP: make locally generated ARP requests carry the protected computer's IP
arptables -t nat --flush
arptables -t nat -A OUTPUT -o $BRINT --source-mac $SWMAC -j mangle --mangle-ip-s $COMIP

# Layer 3: SNAT locally originated traffic from the bridge IP to the protected computer's IP
iptables -t nat --flush
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p tcp -j SNAT --to $COMIP:$RANGE
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p udp -j SNAT --to $COMIP:$RANGE
iptables -t nat -A POSTROUTING -o $BRINT -s $BRIP -p icmp -j SNAT --to $COMIP