Misterke wrote:
>
> Client B however is a Digital TV box and my triple-play provider
> unfortunately requires those to be directly connected to the cable
> modem, which will hand them actually a DHCP address in a particular
> range and probably do other special stuff.

Does it use VLAN tagging (IEEE 802.1q) or plain Ethernet?

> So, what I would like the RPi2 to do is:
> - For ethernet frames TO or FROM specific MAC addresses (those of
>   clients of type B) on its eth1 side, just pass them on from/to eth0
> - For anything else, behave like a router and have iptables rules
>   dictate what is allowed and when outputting to the eth0-side do
>   NAT/masquerading

What about broadcast packets such as ARP requests or DHCP replies sent
by the cable modem? How do you decide if they should be bridged?

> * -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT

ICMP source quench is deprecated and considered harmful.

> But I also have additional questions:
> - To act as a router, I need IP addresses at both sides of the bridge.
>   At the eth0 side, that should be a DHCP address coming from the cable
>   modem, but at the other end it should be a static address.
>   Now, in the previous simple bridge setup, I already had the bridge get
>   a DHCP address and I could even add a second static address to br0,
>   but then those addresses would exist at both ends of the bridge,
>   right? So, should I then create ebtables/iptables rules somehow to
>   avoid that someone would notice the internal IP address on the
>   internet and vice versa?
> - Next to that, when running dnsmasq to hand out DHCP addresses, I of
>   course don't want it to start offering addresses to the Internet side
>   of the bridge. So, either I somehow need to tell dnsmasq to only work
>   on the LAN side (eth1) or perhaps I would again have to somehow limit
>   this with ebtables/iptables.
>
> Any advice from anyone on all this?

My advice is to not use br0 but only eth0 and eth1 for IP setup, DHCP,
routing and so on.
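One way to put the advice above into practice: an ebtables "brouting" policy that bridges only the TV box's frames (plus the ARP lookups for its address) and hands every other frame to the IP stack of eth0/eth1, where NAT and dnsmasq then live. This is an added example, not code from the thread; the MAC, the TV box's IP, the LAN range and the interface names are assumptions.

```shell
#!/bin/sh
# Constructed example: selective bridging ("brouting") of one MAC address,
# everything else routed via the eth0/eth1 IP stacks with NAT.
# MACs, addresses and interface names are assumptions, not from the thread.
TV_MAC="00:11:22:33:44:55"   # assumed MAC of the Digital TV box (client type B)
TV_IP="192.168.100.20"       # assumed address the cable modem hands the TV box
LAN_IF=eth1; WAN_IF=eth0; BR=br0

# Print the ebtables/iptables commands instead of running them, so the
# policy can be reviewed (or tested) before being applied as root.
gen_rules() {
    cat <<EOF
brctl addbr $BR
brctl addif $BR $WAN_IF
brctl addif $BR $LAN_IF
# broute table: ACCEPT = bridge the frame, DROP = hand it to the IP stack
# of the ingress port (so eth0/eth1, not br0, carry the router's addresses)
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -i $LAN_IF -s $TV_MAC -j ACCEPT
ebtables -t broute -A BROUTING -i $WAN_IF -d $TV_MAC -j ACCEPT
# ARP requests for the TV box arrive as broadcasts: match on the target IP,
# not the destination MAC, so only that lookup crosses the bridge
ebtables -t broute -A BROUTING -i $WAN_IF -p ARP --arp-ip-dst $TV_IP -j ACCEPT
ebtables -t broute -A BROUTING -j DROP
# everything not bridged is routed; masquerade towards the cable modem
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# dnsmasq must serve DHCP only on the LAN port, never towards the modem
gen_dnsmasq_conf() {
    printf 'interface=%s\nbind-interfaces\ndhcp-range=192.168.1.50,192.168.1.150,12h\n' "$LAN_IF"
}

if [ "$1" = "--apply" ]; then
    gen_rules | grep -v '^#' | sh
    gen_dnsmasq_conf > /etc/dnsmasq.d/lan.conf   # assumed dnsmasq drop-in path
fi
```

If the cable modem sends DHCP replies as broadcasts, they need their own BROUTING rule (for example matching `-p IPv4 --ip-proto udp --ip-dport 68`), and any broadcast that is bridged is no longer seen by eth0's own DHCP client, which is exactly the trade-off the reply asks about.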