<p>Questions Tagged With bridge</p>
<p>Feed: http://linuxexchange.org/tags/bridge/?type=rss (questions tagged <span class="tag">bridge</span>, language: en, last updated Wed, 13 Aug 2014 05:24:40 -0400)</p>

<h3>bridge drops fragmented packets</h3>
<p>http://linuxexchange.org/questions/3390/bridge-drops-fragmented-packets</p>
<p>We have got a problem with kernel 3.4.56, as it does not forward fragmented packets on a bridge.</p>
<p>We are using a bridge to connect the Wi-Fi interface wlan0 and the Ethernet interface eth1.</p>
<p>When the command <code>echo 0 &gt; /proc/sys/net/bridge/bridge-nf-call-iptables</code> is given, <code>ping 192.168.3.56 -s 2100</code> works fine, but when the command <code>echo 1 &gt; /proc/sys/net/bridge/bridge-nf-call-iptables</code> is given, it does not work.</p>
<p>chiragpatwari, Wed, 13 Aug 2014 05:24:40 -0400. Tags: bridge</p>

<h3>Two virtual networks over one LAN?</h3>
<p>http://linuxexchange.org/questions/2972/two-virtual-networks-over-one-lan</p>
<p>My home network is somewhat complex. I have a cable modem which, via a switch, is connected to my router/firewall for serving internet to my actual LAN, but the same switch also connects several set-top boxes to the same cable modem via powerlan. This means that near some TVs I have two powerlan adapters, one serving the needed connection to the set-top box and another giving internet access to PS3, Wii, XBox, ...</p>
<p>The cable modem itself gives different IP addresses based on the MAC address of the client. As such, the set-top boxes get a 10.x.x.x address and other clients (my Linux firewall) get actual global internet addresses.
So, there are already two IP ranges going over the same network at the end of the cable modem, but since I'm not sure of the safety of that part of the network (read: I don't trust the cable company), I want the rest of my network behind the Linux firewall ...</p>
<p>So, to finally come to the question: is there a way to have the cable modem connect directly to my Linux firewall (so getting rid of the switch in between) and then have the Linux firewall pass traffic for the set-top boxes (so specific MAC addresses) as-is to the LAN, including that those devices would then get a DHCP address directly from the cable modem (through the Linux "bridge"), while at the same time, for all other devices in the LAN, the Linux firewall actually acts as firewall, proxy, DHCP server, etc., giving out 192.168.0.x addresses and having itself one single real internet address which it gets via DHCP from the cable modem?</p>
<p>If I set up a bridge between WAN and LAN, I assume I can still filter on that bridge via iptables, but can I run a DHCP client on one end of the bridge and a DHCP server on the other? If so, how? Is anyone able to give me a clear description of how to get something like this up?
I'm going to run Ubuntu Server on the firewall (which also acts as home server and controller for my solar panels, so a full-fledged Linux is wanted), but if I can get general instructions to get me on the road, I can probably figure out the Ubuntu specifics myself...</p>
<p>Thanks in advance, K</p>
<p>MisterK, Wed, 14 Nov 2012 02:37:34 -0500. Tags: bridge, network, linux</p>

<h3>Shorewall bridge port 443</h3>
<p>http://linuxexchange.org/questions/1500/shorewall-bridge-port-443</p>
<p>How do I create a rule for Shorewall to bridge port 443 from eth0 to eth1?</p>
<p>Thank you.</p>
<p>aom, Sun, 27 Feb 2011 07:13:16 -0500. Tags: bridge</p>

<h3>iptables firewall problem openvpn bridged</h3>
<p>http://linuxexchange.org/questions/1017/iptables-firewall-problem-openvpn-bridged</p>
<p>Hi, I think I have some problems with my iptables firewall. My setup: I have a PC (Debian installed) with 2 Ethernet cards, eth0 connected to my LAN (192.168.1.0/24) and eth1 for the internet connection (ppp0). I have an OpenVPN server on that PC in bridged mode; the VPN clients can connect but can't ping the server or any other PC on my LAN, and the server or my LAN PCs can't ping the clients. The bridge is set up correctly and the setup of the OpenVPN server looks right, and the clients get an IP from my LAN and a route to it, so routing looks fine; the problem must be the iptables firewall. The requirements for the firewall are: my LAN can do anything except receiving or posting Windows shares, NetBIOS etc. over the internet or VPN; the VPN clients can do anything except receiving or posting Windows shares, NetBIOS etc. over the VPN, and they can not access the internet over the VPN.</p>
<p>Please, could someone have a look at my script?</p>
<p>Here's the interesting part of my firewall script:</p>
<pre><code># The iptables command. Shorter and sure
ipt="/sbin/iptables"

# The network interfaces
ifLan=eth0
ifWan=ppp0
ifVpnB=br0
ifVpn=tap+

VPN_PORT=1195

# FIREWALL STOP
# ...

# FIREWALL START/RELOAD/RESTART
echo "Building firewall..."

# Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ipt_LOG
modprobe iptable_nat
modprobe iptable_filter

# Flush current rules.
$ipt -F INPUT
$ipt -F OUTPUT
$ipt -F FORWARD
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING
$ipt -t nat -F OUTPUT
$ipt -F
$ipt -X

# Set default policies
$ipt --policy INPUT DROP
$ipt --policy OUTPUT ACCEPT
$ipt --policy FORWARD DROP
$ipt -t nat --policy PREROUTING ACCEPT
$ipt -t nat --policy POSTROUTING ACCEPT

# SYN flood protection
echo "1" &gt; /proc/sys/net/ipv4/tcp_syncookies

# Forwarding
echo "1" &gt; /proc/sys/net/ipv4/ip_forward

# LOOPBACK
echo "Setting LOOPBACK rules"
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# WAN
echo "Setting WAN rules"
# Accept new OpenVPN connections from the internet, drop SMB/NetBIOS, accept replies
$ipt -A INPUT -i $ifWan -p udp --dport $VPN_PORT -m state --state NEW -j ACCEPT
$ipt -A INPUT -p tcp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 137:139 -i $ifWan -j DROP
$ipt -A INPUT -p tcp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -p udp --dport 445 -i $ifWan -j DROP
$ipt -A INPUT -i $ifWan -m state --state ESTABLISHED,RELATED -j ACCEPT

$ipt -A OUTPUT -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A OUTPUT -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -p udp --dport 445 -o $ifWan -j DROP
$ipt -A OUTPUT -o $ifWan -j ACCEPT

$ipt -A FORWARD -p tcp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 137:139 -o $ifWan -j DROP
$ipt -A FORWARD -p tcp --dport 445 -o $ifWan -j DROP
$ipt -A FORWARD -p udp --dport 445 -o $ifWan -j DROP

$ipt -A FORWARD -i $ifWan -o $ifLan -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpnB -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $ifWan -o $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT

# VPN
echo "Setting VPN rules"
$ipt -A INPUT -i $ifVpn -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o $ifVpn -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpn -o $ifVpnB -j ACCEPT

# BRIDGE
echo "Setting BRIDGE rules"
$ipt -A INPUT -i $ifVpnB -j ACCEPT
$ipt -A OUTPUT -o $ifVpnB -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifVpnB -o $ifVpn -j ACCEPT

# LAN
echo "Setting LAN rules"
$ipt -A INPUT -i $ifLan -j ACCEPT
$ipt -A OUTPUT -o $ifLan -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifWan -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpnB -j ACCEPT
$ipt -A FORWARD -i $ifLan -o $ifVpn -j ACCEPT

# Portforwarding
# ...

# Masquerading
$ipt -t nat -A POSTROUTING -j MASQUERADE
echo "Done!"
</code></pre>
<p>Thanks, Grobi</p>
<p>Grobi, Fri, 09 Jul 2010 17:10:05 -0400. Tags: iptables, bridge</p>

<h3>Bridge firewall with iptables; how do I block incoming traffic except for specified ports, and allow outgoing traffic?</h3>
<p>http://linuxexchange.org/questions/158/bridge-firewall-with-iptables-how-do-i-block-incoming-traffic-except-for-specified-ports-and-allow-outgoing-traffic</p>
<p>I'm having problems with iptables not doing what I want :(</p>
<p>I have an Ubuntu computer set up as a bridge between gateway and LAN, with the LAN connected to eth0 and eth1 connected to the gateway.</p>
<p>I'm trying to get it to basically block everything incoming except for the ports I specify (www, smtp ++), but also allow outgoing traffic.
I've found, tried and modified some examples I found on the web, but still it won't block incoming traffic (i.e., I'm still able to reach my webserver).</p>
<p>These are the rules I'm running now, and I can't figure out why it won't block incoming:</p>
<pre><code>#!/bin/bash
iptables -F
iptables -X
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth0 -j DROP
iptables -I OUTPUT -o eth1 -j REJECT
iptables -I OUTPUT -o eth0 -j REJECT
# connection tracking (not entirely sure what this does, but tutorial said it was needed)
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow outgoing traffic
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# allow ping
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT
# stop incoming
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
</code></pre>
<p><em>iptables -S</em> gives me</p>
<pre><code>-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -j REJECT --reject-with icmp-port-unreachable
</code></pre>
<p>Any advice on what I'm doing wrong is appreciated :(</p>
<p>Zyprexa, Sun, 02 May 2010 20:15:10 -0400. Tags: iptables, bridge, firewall, ubuntu, network</p>