Hello Paul,

I am also newly registered. I do think that I have the above subject covered, 
but I might be mistaken. I have 2 bridge instances (br0 and br1) - 
external link and internal link respectively. Here are the rules I used on my 
Debian Sarge machine:

IPT="/sbin/iptables"
EBT="/sbin/ebtables"

EXTIF="br1"

# Firewall start, the basics....
# __________________________________________________________

# Lets Lockdown this machine and then open up the required services

$EBT -A FORWARD -p IPv4 -j ACCEPT
$EBT -A FORWARD -p ARP -j ACCEPT
$EBT -A INPUT -p IPv4 -j ACCEPT
$EBT -A INPUT -p ARP -j ACCEPT
$EBT -A OUTPUT -p IPv4 -j ACCEPT
$EBT -A OUTPUT -p ARP -j ACCEPT

-------<cut>-----

# Rewrite the destination MAC of port-80 frames to the bridge's own so they are
# delivered to this host; in the broute table ACCEPT means "keep bridging".
$EBT -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 \
        -j redirect --redirect-target ACCEPT
# Original rule, accepted by Sarge-era iptables but refused by current versions
# (the nat table is not intended for filtering, so DROP is rejected there):
#   $IPT -t nat -A PREROUTING -p tcp --dport 3128 -j DROP
# Same intent in the filter table: drop anything reaching the proxy port that
# was not REDIRECTed there (needs the conntrack match with DNAT state).
$IPT -A INPUT -p tcp --dport 3128 -m conntrack ! --ctstate DNAT -j DROP
# INTNWRANGE (start-end of the internal LAN) is set in the part cut above
$IPT -t nat -A PREROUTING -p tcp --dport www -m iprange --src-range $INTNWRANGE \
        -j REDIRECT --to-port 3128
$IPT -A INPUT  -p tcp -i ${EXTIF%[0-9]}+ --dport 3128 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -o ${EXTIF%[0-9]}+ --sport 3128 \
        -m state --state ESTABLISHED -j ACCEPT

Two additional things that I would like to point out... I did add IP addresses 
to both of my brX's, but in your case try adding an IP address to your br0.
It seems that when you run services on the machine, with bridging on the device 
you are going through, you need to give that device an IP address, otherwise it 
just plainly doesn't work - well, I didn't get it right anyway. I am doing the 
same for SMTP and FTP and it seems to work fine. I was hoping, after my other 
post, to ask an additional question about having only an IP address on my WAN 
side and servicing my LAN through the internal bridge with proxy-arp on... so 
that I can set the gateway of my LAN to the WAN address or a machine another 
hop beyond it.


-- 
Kind Regards
Etienne
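
Added example, not code from Etienne's post: the transparent-proxy rules from
the message as a parameterised script that can be dry-run without root
(`RUN=echo` prints the commands instead of executing them). Everything beyond
the post is an assumption: the proxy port and LAN range are arguments, the
kernel has br_netfilter so bridged IPv4 also traverses the iptables nat and
filter tables, and the conntrack match supports `--ctstate DNAT` (a kernel
newer than Sarge's), which is used in place of a DROP in the nat table. It
also generalises the `${EXTIF%[0-9]}+` trick so that bridge names with more
than one trailing digit still give the intended `br+` wildcard.

```shell
#!/bin/sh
# Added example, not code from the original post: the transparent-proxy rules
# as a parameterised script that can be dry-run without root.
# Assumptions (not stated in the post): the proxy listens on the given port,
# the kernel has br_netfilter so bridged IPv4 also traverses iptables, and the
# conntrack match supports --ctstate DNAT (kernel 2.6.23+).
# With RUN=echo the commands are printed instead of executed.

RUN="${RUN:-}"
EBT="${EBT:-/sbin/ebtables}"
IPT="${IPT:-/sbin/iptables}"

# iptables interface wildcard: strip every trailing digit, then append '+'.
# The post's ${EXTIF%[0-9]}+ strips only one digit, so for "br10" it yields
# "br1+", which matches br1 and br10..br19 but not br0.
iface_wildcard() {
    name=$1
    while :; do
        case $name in
            *[0-9]) name=${name%[0-9]} ;;
            *) break ;;
        esac
    done
    printf '%s+\n' "$name"
}

# Build the rule set. Arguments: bridge the proxy listens on, internal LAN
# range in iprange syntax (start-end), proxy port.
proxy_rules() {
    extif=$1
    range=$2
    port=$3
    wild=$(iface_wildcard "$extif")

    # Rewrite the destination MAC of port-80 frames to the bridge's own so the
    # frame is delivered to this host; ACCEPT in the broute table keeps it on
    # the bridge path (DROP there would mean "route it").
    $RUN $EBT -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target ACCEPT

    # Refuse direct connections to the proxy port: any packet that reaches it
    # without having been REDIRECTed (conntrack DNAT bit clear) is dropped.
    # This replaces the post's "-t nat ... -j DROP", which current iptables
    # refuses. It must precede the ACCEPT below.
    $RUN $IPT -A INPUT -p tcp --dport "$port" \
        -m conntrack ! --ctstate DNAT -j DROP

    # Redirect port 80 from the internal LAN only; the first packet of each
    # connection sets the DNAT bit that the rule above checks.
    $RUN $IPT -t nat -A PREROUTING -p tcp --dport 80 \
        -m iprange --src-range "$range" -j REDIRECT --to-port "$port"

    $RUN $IPT -A INPUT -p tcp -i "$wild" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $RUN $IPT -A OUTPUT -p tcp -o "$wild" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Usage (file name is hypothetical):
#   RUN=echo sh proxy-rules.sh br1 192.168.0.1-192.168.0.254 3128
if [ $# -eq 3 ]; then
    proxy_rules "$@"
fi
```

Run it once with `RUN=echo` and read the printed rules before running it for
real; the only order that matters is that the `! --ctstate DNAT -j DROP` rule
is appended before the `ACCEPT` for the proxy port, which the function
guarantees.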


_______________________________________________
Bridge mailing list
[email protected]
https://lists.osdl.org/mailman/listinfo/bridge
