| Bridging and firewalling |
| ------------------------ |
| It is possible to use bridging in combination with firewalling. This is |
| a blatant violation of the OSI model, but it's very useful, so we don't |
| care. |
| |
| Assuming you are on a non-stone age kernel (less than 5 years old). |
| You can use the regular iptables firewalling as if you were doing |
| routing. So, rules for forwarding are added to the FORWARD chain, |
| rules for input to the local machine are added to the INPUT chain, |
| etc. Things will work like you expect them to. |
| So a rule like |
| |
| # iptables -A INPUT -i eth0 -j DROP |
| |
| will drop all traffic coming from 'eth0', even if the interface the packets |
| are logically from is, say, 'br0'. |
| |
| |
| |
| Lennert Buytenhek, November 7th 2001 |
| <buytenh@gnu.org> |
| |
| |
| |
| -------------------------- |
| Bridge+firewalling with 2.2 kernels is also possible, but deprecated. I |
| would severely recommend against using a 2.2 kernel and ipchains for bridge |
| firewalling. But if there's really a need, it's still possible. Apply the |
| extra firewalling patch available from the 'patches' section to your |
| already-patched-with-the-vanilla-bridge-patch 2.2 kernel, and recompile. Now |
| if you boot this kernel, the bridging code will check each to-be-forwarded |
| packet against the ipchains chain which has the same name as the bridge. So.. |
| if a packet on eth0 is to be forwarded to eth1, and those interfaces are |
| both part of the bridge group br0, the bridging code will check the packet |
| against the chain called 'br0'. If the chain does not exist, the packet will |
| be forwarded. So if you want to do firewalling, you'll have to create the |
| chain yourself. This is important! |