Hello ALL! I am trying to make a firewalling bridge for several VLANs. No problems with iptables on a simple bridge, but I must pass tagged frames and must apply different access rules to each VLAN. My aim is to make virtual invisible firewalls for each VLAN, like the Lucent Brick firewall.

Stage 1. Setting up bridge.
--------
I pass tagged (802.1q) and non-tagged (Ethernet_II) frames through my Linux bridge between a Cisco Catalyst switch and another Linux box with the same VLAN support. Iptables rules are matched properly when they are applied to untagged packets on the br0 device - I can see it by tcpdump -n -i br0 and by iptables -L -v at the FORWARD chain. This stage is ok.

Stage 2. Adding VLANs to bridge.
--------
When the VLAN interface was configured and applied to br0, I can see VLAN-tagged packets on the bridge by tcpdump -n -i br0.169 (in my case br0.169 is VLAN 169 on the br0 bridging interface). Packets in VLAN 169 were generated by ping from a standalone Linux through my Linux bridge to hosts behind the switch. Now I just try to block any icmp traffic by iptables -I FORWARD -p icmp -i br0.169 -j ACCEPT. But no packets were matched by iptables on br0.169. Counters of this rule are still always on zero. At the same time iptables on the standalone Linux box works properly with INPUT and OUTPUT chains on its eth0.169 VLAN interface.

Stage fail :-[

What's wrong? Any suggestions?

My settings on the Linux bridge with 2 ethernet cards:

kernel-2.4.18 patched by bridge-nf-0.0.7-against-2.4.18.diff
  <*> 802.1Q VLAN Support (EXPERIMENTAL)
  ...
  <*> 802.1d Ethernet Bridging
  [*] netfilter (firewalling) support
iptables-1.2.6a
vconfig-1.6
bridge-utils-0.9.5

Bridge setup script:

  echo Setting up bridge br0
  brctl addbr br0
  brctl addif br0 eth0
  brctl addif br0 eth1
  brctl stp br0 off
  echo Setting up 802.1Q VLAN No.169
  vconfig set_name_type DEV_PLUS_VID_NO_PAD
  vconfig add br0 169
  vconfig add eth0 169
  vconfig add eth1 169
  vconfig set_flag br0.169 1
  echo Stand up physical interfaces eth0 and eth1
  ifconfig eth0 up
  ifconfig eth1 up
  echo Stand up bridge interface br0
  ifconfig br0 up
  echo Stand up vlan169 interface
  ifconfig br0.169 up

No errors when setting VLANs on the bridge.

Thank you for your time in advance!

--
Best regards,
Nick Fedchik
FNM3-RIPE
mailto:[EMAIL PROTECTED]
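An added example, not code from the post above: the per-VLAN-rules goal can also be laid out with one bridge per VLAN, built from the VLAN sub-interfaces of the two trunk ports (eth0.169 and eth1.169 bridged in br169, and so on). Frames of VLAN 169 are then bridged by br169, and with bridge-netfilter the FORWARD chain sees them with -i br169 / -o br169, so each VLAN's policy keys on its own bridge device instead of on br0.169. The tool names (brctl, vconfig, ifconfig, iptables) are the ones from the post; the trunk interface names, VLAN ids and the sample policy are placeholders, and DRY_RUN=1 prints the commands instead of running them so the layout can be reviewed before it is applied.

```sh
#!/bin/sh
# Added example (not from the original post): one Linux bridge per VLAN so
# that bridged VLAN-N traffic traverses the iptables FORWARD chain as brN.
# Assumes a kernel with bridge-netfilter, 802.1Q and bridging support and the
# brctl / vconfig / ifconfig / iptables tools named in the post.
# eth0, eth1, the VLAN ids and the policy below are placeholders.
# DRY_RUN=1 prints each command instead of executing it.

# run CMD...: execute the command, or echo it in dry-run mode
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@" || return 1
    fi
}

# setup_vlan_bridge VID TRUNK_A TRUNK_B
# Creates TRUNK_A.VID and TRUNK_B.VID and bridges them in brVID.
setup_vlan_bridge() {
    vid=$1; a=$2; b=$3; br="br$vid"
    run vconfig set_name_type DEV_PLUS_VID_NO_PAD
    run vconfig add "$a" "$vid"
    run vconfig add "$b" "$vid"
    run brctl addbr "$br"
    run brctl addif "$br" "$a.$vid"
    run brctl addif "$br" "$b.$vid"
    run brctl stp "$br" off
    run ifconfig "$a.$vid" up
    run ifconfig "$b.$vid" up
    # no IP address on the bridge: the firewall stays invisible on the VLAN
    run ifconfig "$br" up
}

# vlan_chain VID: a dedicated FORWARD sub-chain for traffic bridged by brVID.
# The chain ends with log-and-drop; allow rules are inserted ahead of that.
vlan_chain() {
    vid=$1; br="br$vid"; chain="FWD_$br"
    run iptables -N "$chain"
    run iptables -A FORWARD -i "$br" -o "$br" -j "$chain"
    # replies to flows that were already accepted
    run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$br: "
    run iptables -A "$chain" -j DROP
}

# vlan_allow VID MATCH...: insert an accept rule for VLAN VID ahead of the drop
vlan_allow() {
    vid=$1; shift
    run iptables -I "FWD_br$vid" 1 "$@" -j ACCEPT
}

# Sample policy: VLAN 169 may open DNS and HTTP, VLAN 170 gets replies only.
# Run as:  sh bridge-vlans.sh apply     (DRY_RUN=1 to preview the commands)
if [ "${1:-}" = "apply" ]; then
    run ifconfig eth0 up
    run ifconfig eth1 up
    for v in 169 170; do
        setup_vlan_bridge "$v" eth0 eth1
        vlan_chain "$v"
    done
    vlan_allow 169 -p udp --dport 53
    vlan_allow 169 -p tcp --dport 80
fi
```

Because each VLAN has its own bridge, a rule that names br169 can only ever match frames carrying tag 169, and the iptables -L -v counters on FWD_br169 give a per-VLAN view of what was forwarded, logged or dropped.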
