From: "René Gallati" <draxinusom@gmail.com>
To: Steve Comfort <steve@4dllc.com>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Setup for an Access Point
Date: Mon, 6 Sep 2004 16:45:18 +0200
Message-ID: <50f03b9704090607451c40e39f@mail.gmail.com>
In-Reply-To: <413C6A02.7020504@4Dllc.com>
On Mon, 06 Sep 2004 15:45:38 +0200, Steve Comfort <steve@4dllc.com> wrote:
> Hi All,
>
> Could anyone perhaps suggest a script to use in conjunction with a
> bridge (ebtables/iptables combination)? I am trying (unsuccessfully) to
> firewall a linux access point with one wlan and one eth interface...
You need to allow forwarding "between" the bridge and for filtering
"inside" the bridge you'll need physdev-in and physdev-out instead of
-i and -o.
As an example:
IPTABLES=/sbin/iptables
# allow forwarding between the interfaces in the bridge but only for ports > 100
BRIDGE_IF=br0
$IPTABLES -A FORWARD -p tcp -i $BRIDGE_IF -o $BRIDGE_IF --dport 1:100 -j DROP
$IPTABLES -A FORWARD -p udp -i $BRIDGE_IF -o $BRIDGE_IF --dport 1:100 -j DROP
$IPTABLES -A FORWARD -p all -i $BRIDGE_IF -o $BRIDGE_IF -j ACCEPT
## at this point, all traffic between all the interfaces in the bridge can be
## forwarded, except for udp and tcp connections going to a
## port <= 100 (just an example, you don't need to include that :) )
## now some further restrictions. All interfaces following must have
## been added using brctl addif to the bridge
## for the example, assume the ifs eth1, ath0 and tap0 are in the bridge
# if coming from device tap0 (VPN) don't allow to go to ath0 (WLAN)
## make new chain
$IPTABLES -N fromtap
## if coming from tap0 jump to chain fromtap; inserted at the top of FORWARD
## so it is evaluated before the generic bridge ACCEPT rule above
$IPTABLES -I FORWARD 1 -m physdev --physdev-in tap0 -j fromtap
## if going to device ath0, drop
$IPTABLES -A fromtap -m physdev --physdev-out ath0 -j DROP
## if going to device eth1, allow
$IPTABLES -A fromtap -m physdev --physdev-out eth1 -j ACCEPT
## drop everything else
$IPTABLES -A fromtap -j DROP
Of course you can use all other matches that are valid. The important
thing is that generic forwarding of the bridge is allowed (FORWARD -i
bridge -o bridge) and that you need to filter on devices that are *in*
the bridge using physdev. When in doubt, add -j LOG at the end of your
chains and look at what gets logged before (hopefully) the default policy
drop.
Hope that helps
--
C U
- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
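The same policy as the rules in the reply, written as an iptables-restore ruleset. This is an added example and not part of René's post or the netfilter project: it keeps the physdev chain for tap0 traffic, adds the default-DROP FORWARD policy and LOG-before-drop aid the reply recommends, and checks the bridge-nf-call-iptables sysctl that physdev matching of bridged frames depends on. The interface names (br0, eth1, ath0, tap0) and the chain name fromvpn are assumptions taken from the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: the post's policy written as an
# iptables-restore ruleset with a default DROP policy and the LOG-before-drop
# debugging aid the reply recommends. Interface names are assumptions.
BRIDGE_IF=${BRIDGE_IF:-br0}
LAN_IF=${LAN_IF:-eth1}     # wired, member of the bridge
WLAN_IF=${WLAN_IF:-ath0}   # wireless, member of the bridge
VPN_IF=${VPN_IF:-tap0}     # VPN tunnel, member of the bridge

# physdev matching only sees bridged frames when the kernel passes them to
# iptables (bridge-nf-call-iptables = 1); returns non-zero otherwise.
check_bridge_nf() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Print the filter table in iptables-restore format. The physdev jump comes
# before the generic bridge ACCEPT so that it is actually evaluated.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fromvpn - [0:0]
# traffic to/from the access point itself (INPUT/OUTPUT) is not covered here
# VPN clients may reach the wired LAN but never the WLAN
-A FORWARD -m physdev --physdev-in $VPN_IF -j fromvpn
-A fromvpn -m physdev --physdev-out $WLAN_IF -j DROP
-A fromvpn -m physdev --physdev-out $LAN_IF -j ACCEPT
-A fromvpn -j LOG --log-prefix "fromvpn-drop: "
-A fromvpn -j DROP
# other bridged traffic is forwarded, except TCP/UDP destination ports 1-100
-A FORWARD -i $BRIDGE_IF -o $BRIDGE_IF -p tcp --dport 1:100 -j DROP
-A FORWARD -i $BRIDGE_IF -o $BRIDGE_IF -p udp --dport 1:100 -j DROP
-A FORWARD -i $BRIDGE_IF -o $BRIDGE_IF -j ACCEPT
-A FORWARD -j LOG --log-prefix "forward-drop: "
COMMIT
EOF
}

# Number of -A rules in the generated table, a quick sanity check.
rule_count() {
    build_rules | grep -c '^-A '
}

# Apply with: check_bridge_nf && build_rules | iptables-restore
```

Anything that reaches the trailing LOG rules shows up in the kernel log with the given prefix, which is the "look at what gets logged" step from the reply.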