* ebtables without bridge
@ 2009-01-30 22:32 Michail Zhilkin
2009-01-31 10:11 ` Pascal Hambourg
0 siblings, 1 reply; 2+ messages in thread
From: Michail Zhilkin @ 2009-01-30 22:32 UTC (permalink / raw)
To: netfilter
Hi ALL!
I have a box running Fedora 9 Linux with kernel 2.6.26.3 SMP x86_64.
All necessary Netfilter kernel modules are compiled and loaded.
I have no bridge interfaces at all, only one physical Ethernet card.
Is it possible to filter incoming and outgoing Layer2 traffic using
ebtables in this case?
I tried to load simple rules to test ebtables firewall:
[root@space]# ebtables -P INPUT DROP
[root@space]# ebtables -P OUTPUT DROP
[root@space]# ebtables -P FORWARD DROP
[root@space]# ebtables -L --Ln
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: DROP
Bridge chain: FORWARD, entries: 0, policy: DROP
Bridge chain: OUTPUT, entries: 0, policy: DROP
All traffic should be blocked, but I can send and receive everything...
f.e. can ping hosts in my LAN, make connections and so on.
I tried also to set up some rules like: ebtables -A INPUT -i eth0 -j DROP
but they have the same effect!
What is wrong? Are ebtables really designed for bridges only?
If so, what cat I do?
I would like to drop all Layer2 traffic except
Ethernet frames with IPv4 and ARP protocols. In addition, i need only
allow frames with my MAC-address (incoming and outgoing, i.e. locally
generated).
The second is possible using iptables firewall (with -m mac), but only for
INCOMING frames, not outgoing.
---
Mike.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: ebtables without bridge
2009-01-30 22:32 ebtables without bridge Michail Zhilkin
@ 2009-01-31 10:11 ` Pascal Hambourg
0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2009-01-31 10:11 UTC (permalink / raw)
To: netfilter
Hello,
Michail Zhilkin a écrit :
>
> I have no bridge interfaces at all, only one physical Ethernet card.
>
> Is it possible to filter incoming and outgoing Layer2 traffic using
> ebtables in this case?
No. ebtables rules work only on bridges.
> I tried to load simple rules to test ebtables firewall:
>
> [root@space]# ebtables -P INPUT DROP
> [root@space]# ebtables -P OUTPUT DROP
> [root@space]# ebtables -P FORWARD DROP
[...]
> All traffic should be blocked, but I can send and receive everything...
[...]
> What is wrong? Are ebtables really designed for bridges only?
Yes.
> If so, what cat I do?
You can create a bridge and add the ethernet interface to it.
> I would like to drop all Layer2 traffic except Ethernet frames with IPv4
> and ARP protocols.
May I ask why ? If you enable only IPv4 support the networking stack
won't accept or send packets with ethertypes other than IPv4 and ARP.
> In addition, i need only allow frames with my
> MAC-address (incoming and outgoing, i.e. locally generated).
An ethernet interface accepts only packets sent to its own MAC address
or the broadcast address anyway, unless you set it in promiscuous mode
or use some multicast.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2009-01-31 10:11 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-01-30 22:32 ebtables without bridge Michail Zhilkin
2009-01-31 10:11 ` Pascal Hambourg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox