RE: [Bridge] bridge forward issue

[Reed Wiedower]

Title: RE: [Bridge] bridge forward issue

Yeah, even if I set the default policy for the entire FORWARD chain to be DROP, it doesn't record any packets traversing it. I just tried your method and it, too, didn't record any

 

In October, someone suggested a link to paper written by the guy who's in charge of ebtables, but the paper itself didn't describe any particular solutions to this problem.

 

 

Chain INPUT (policy ACCEPT 1146 packets, 114630 bytes)
    pkts      bytes target     prot opt in     out     source               destination

 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  any    any     anywhere             anywhere

 

Chain OUTPUT (policy ACCEPT 1432 packets, 99730 bytes)
    pkts      bytes target     prot opt in     out     source               destination

No traffic of any kind.

Thoughts?

 

eol,

 

Reed

reed wiedower
[EMAIL PROTECTED]
peyser.com
202.638.3730x115

-----Original Message-----
From: Bob McDowell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 4:18 PM
To: Reed Wiedower
Subject: RE: [Bridge] bridge forward issue

Can you set a 'DROP' rule for some type of traffic on the 'FORWARD' chain and test to see that dropping works?  E.g.:

A <---> Firewall/Bridge <---> C

iptables -A FORWARD -p icmp -j DROP

then from A - ping C
and from C - ping A

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Reed Wiedower
Sent: Thursday, January 09, 2003 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: [Bridge] bridge forward issue

I recently rolled a custom kernel after applying the bridge patch, and setup
an ethernet bridge on my network between the LAN and the router. So far, so
good. All the clients can get to the router and vice-versa, so I was ready
to begin implementing some firewall rules through iptables.

When I look through iptables, however, I'm confused by the output. It shows
a great deal of packets traversing the INPUT and OUTPUT chains, but none
crossing the FORWARD chain. Since the box itself isn't running any services,
I assumed that all of the packets being sent from our LAN out to the router
would traverse the FORWARD chain, and so I'd need to edit that through
iptables.

1) Am I wrong about which chain the packets are traversing? Curiously, even
the total number of packets crossing the wire seems far lower in iptables
than when I query ifconfig.

2) If the FORWARD chain isn't showing any packets across it, is my bridge
improperly functioning? I suspect that the issue is with iptables rather
than the bridging portion of things, but I wan't to eliminate any variables.

Thanks for any help anyone can provide!

eol,

Reed Wiedower

reed wiedower
[EMAIL PROTECTED]
peyser.com
202.638.3730x115

_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge