> -----Original Message----- > From: vlan-bounces@xxxxxxxxxxxxxxx > [mailto:vlan-bounces@xxxxxxxxxxxxxxx] > On Behalf Of Peter Stuge > Sent: 17 July 2006 15:46 > To: Linux 802.1Q VLAN > Subject: Re: [VLAN] Issue with Vlans and bridges > > On Fri, Jul 14, 2006 at 10:54:37PM +0100, Linux wrote: > > > Please don't send confidential email to public mailing lists. > > > > The footer is added at the mail gateway I have little control over > > it. > > Perhaps you could bring the problem to the attention of the > appropriate person in your organization? Parts of the open source > community frown heavily upon such footers for many (IMHO good) > reasons, some will even refuse to answer messages with them. E-mail is > inherently insecure, period. A footer will not change that. > Encryption and signatures may, but they cost some usability. > I do not like them either and do agree that they are well, useless. > > On to the VLAN problem, sorry for getting off topic. > > > On Sun, Jul 16, 2006 at 05:16:32PM +0100, Linux wrote: > > Basically traffic coming in on eth3, needs to go out through a > > default gateway of 192.168.20.1 through eth0 > > > > For traffic on eth3.40 I need this to route to 192.168.40.1 via > > eth0.40 > > > > If that makes sense, both are wanting to go to the same IP > > 135.166.X.Y. > > > > To make things more complex the route 192.168.20.1\40.1 is running > > the DHCP server which I need to continue to use. > > > > I need to control traffic so that they can only access certain ports > > ranges and IPs > > > > If anyone has any suggestions on how this would be possible, I would > > be grateful. > > Now we're getting somewhere. But still missing some details. > > eth0: 192.168.20.0/24 > eth0.40: 192.168.40.0/24 > > eth3: what IP net? > eth3.40: what IP net? > At the moment they are the same as eth0 as they are bridged. > > If you want to use the same IP net on more than one interface you have > to make a bridge. > > If you want to control bridged traffic you can use either ebtables or > iptables. Bridged traffic passes through the iptables FORWARD chain > with input-interface and output-interface both set to the bridge. I do see the outward going packets in iptables the reason I don't see the return I think is due to it been the return of a packet that has already been allowed through. I am going to try doing some filtering on what is and is not allowed tomorrow morning to see what happens. > If you want to make traffic that comes in on a bridge not be bridged > by Linux but instead be routed by Linux you have to use at least one > ebtables rule to DROP that traffic in the BROUTE ebtable as said > earlier. I can't say yet if you need this. > At the moment I require one DROP rule to make packets go through the VLAN bridge. If traffic goes from the switch to the bridge then to the router it works fine, if traffic goes from the router to the bridge then to the switch I need the DROP rule, I do not know if this is due to a setting in the switch or the router which I why I only need a rule one way. > > Both 192.168.20.1 and 192.168.40.1 are routers of some sort. Will both > work as default gateway and you just want to decide between them only > based on incoming source interface, or is the routing more complex? They are both the same router just in different VLANS, in the current set-up the DHCP server hands them out as the default gateway due to the bridge configuration. The routing is not that complex, everything from the 192.168.40.x range should go to the 40.1 gateway and 182.168.20.x should go to the 20.1 gateway. It does get a bit more complex in that there will also be eth2 and eth2:40 which need to route the traffic as well just be isolated from eth3 and eth3:40. I am not thinking if I can control the traffic using iptables for the bridges, is what 2, three way bridges linking the three NICs eth0, eth2 and eth3, then use iptables to control what can access what. I then need to tell the bridge that any traffic for the 172.22/255.255.240.0 range not to be bridged but to go to the routing table, so it flows out of eth1, with iptables again controlling the traffic, I think I can do this with correctly placed ebtables rules. Adam ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. http://www.mettoni.com **********************************************************************
