* bridge firewall and iptables.
From: Andrea Bencini @ 2008-03-04 11:38 UTC
To: netfilter
I have a bridge firewall with a DHCP server.
I want only internal-network clients (on the eth1 side of the bridge) to be able to use the DHCP server (the client asks the DHCP server for an IP address, etc.), and I want to stop every DHCPDISCOVER/DHCPOFFER/DHCPREQUEST/DHCPACK etc. from/to local-network clients (on the eth0 side of the bridge).
How can I put some rules into practice in my bridge firewall (iptables) to do this?
I installed FC8;
iptables-1.3.8-6.fc8
My global network:10.100.0.0/24
Internal-network address range (eth1-bridge side) :from 10.100.0.65 to
10.100.0.78 (I think I can write 10.100.0.64/28).
dhcp configuration: range dynamic-bootp 10.100.0.65 10.100.0.78
ifcfg-eth0 configuration:
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:50:8B:67:82:6F
ONBOOT=yes
ifcfg-eth1 configuration:
DEVICE=eth1
BOOTPROTO=static
HWADDR=00:50:8B:67:68:A4
ONBOOT=yes
Bridge configuration:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifdown br0
ifconfig br0 10.100.0.55 netmask 255.255.255.0
ifup br0
Can you help me?
Thanks
Andrea
* RE: bridge firewall and iptables.
From: Eric Estes @ 2008-03-04 12:41 UTC
To: netfilter
I have a similar setup and I ended up using ebtables to take care of that.
ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
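The rules above, turned into the kind of startup script the thread goes on to ask about. This is an added example and not code posted by Eric or Andrea; the chain name DHCP_GUARD, the --apply/--show flags and the function names are this example's own, and it assumes the thread's layout: bridge br0 with ports eth0 (the side to be blocked) and eth1 (the inside), and ISC dhcpd bound to br0 on the same host. It goes slightly beyond the posted rules: it also hooks the OUTPUT chain, because dhcpd's own OFFER/ACK frames carry a broadcast MAC and the bridge floods them out eth0 as well, and it can be re-run without duplicating rules. Matching on the bridge port rather than on IP addresses is deliberate: a DHCPDISCOVER travels from 0.0.0.0 to 255.255.255.255, so the 10.100.0.64/28 range from the question would never match it. The same FORWARD rule also stops a rogue DHCP server on the eth0 side from answering the eth1 clients.

```shell
#!/bin/sh
# Added example (not from the thread): keep DHCP/BOOTP (UDP 67 and 68) off
# one bridge port in every direction with ebtables.
# Assumptions (this example's own): bridge br0 with ports eth0 (outside,
# blocked) and eth1 (inside); ISC dhcpd listens on br0 on this host; the
# ebtables package and its kernel modules are installed.
CHAIN=DHCP_GUARD

# Print the ebtables commands for one blocked bridge port, one per line.
#   INPUT   -i port : frames from that port to this host (to dhcpd on br0)
#   FORWARD -i port : frames bridged from that port to the other port(s)
#   OUTPUT  -o port : frames this host sends out via that port
#                     (dhcpd replies are broadcast and get flooded there)
# Both --ip-sport and --ip-dport are tested so client->server (68->67),
# server->client (67->68) and relay traffic (67->67) are all dropped.
# The -D before each -A makes a re-run of the script idempotent.
dhcp_guard_rules() {
    port=$1
    cat <<EOF
ebtables -N $CHAIN 2>/dev/null || true
ebtables -P $CHAIN RETURN
ebtables -F $CHAIN
ebtables -A $CHAIN -p IPv4 --ip-proto udp --ip-sport 67:68 -j DROP
ebtables -A $CHAIN -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -D INPUT -i $port -j $CHAIN 2>/dev/null || true
ebtables -A INPUT -i $port -j $CHAIN
ebtables -D FORWARD -i $port -j $CHAIN 2>/dev/null || true
ebtables -A FORWARD -i $port -j $CHAIN
ebtables -D OUTPUT -o $port -j $CHAIN 2>/dev/null || true
ebtables -A OUTPUT -o $port -j $CHAIN
EOF
}

# Run the generated commands; sh -e stops at the first real failure.
apply_rules() {
    dhcp_guard_rules "$1" | sh -e
}

# Number of base-chain hooks the rule set installs (INPUT, FORWARD, OUTPUT).
base_chain_hooks() {
    dhcp_guard_rules "$1" | grep -E -c -- '^ebtables -A (INPUT|FORWARD|OUTPUT) '
}

# From rc.local:  /path/to/this/script --apply eth0
# Dry run:        /path/to/this/script --show eth0
case "$1" in
    --apply) apply_rules "${2:-eth0}" ;;
    --show)  dhcp_guard_rules "${2:-eth0}" ;;
esac
```

After installing the rules, run a DHCP client on the eth0 side and check the per-rule counters with `ebtables -L --Lc`: the two DROP rules in DHCP_GUARD should count up while a client on the eth1 side still gets a lease. ebtables rules are not saved across a reboot by themselves, which is why the script is meant to be called from rc.local.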
* RE: bridge firewall and iptables.
From: Eric Estes @ 2008-03-04 13:08 UTC
To: netfilter
I don't know what happened to my formatting but I'll try again.
ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
* Re: bridge firewall and iptables.
From: Andrea Bencini @ 2008-03-04 14:04 UTC
To: netfilter; +Cc: Eric Estes
> I have a similar setup and I ended up using ebtables to take care of that.
>
> ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
> ebtables -A INPUT --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
> ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
> ebtables -A FORWARD --in-interface eth0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
Can you tell me where I can put those rules? In which configuration file and directory?
Thanks
Andrea
* RE: bridge firewall and iptables.
From: Eric Estes @ 2008-03-04 14:17 UTC
To: netfilter; +Cc: Andrea Bencini
I just created a script that I run at startup.
http://forum.openwrt.org/viewtopic.php?pid=31952
* Re: bridge firewall and iptables.
From: Andrea Bencini @ 2008-03-04 15:22 UTC
To: netfilter; +Cc: Eric Estes
> I just created a script that I run at startup.
>
> http://forum.openwrt.org/viewtopic.php?pid=31952
Sorry, but I didn't find your script at http://forum.openwrt.org/viewtopic.php?pid=31952.
Andrea
* RE: bridge firewall and iptables.
From: Eric Estes @ 2008-03-04 15:36 UTC
To: netfilter; +Cc: Andrea Bencini
I don't know if I put it in the right spot, but I just pasted those lines into my rc.local file.