From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: monitoring network question
Date: Wed, 12 Nov 2008 16:36:07 -0600
Message-ID: <491B5A57.7000604@riverviewtech.net>
In-Reply-To: <491AE0C8.1080705@solutti.com.br>
On 11/12/08 07:57, Leonardo Rodrigues Magalhães wrote:
> I cannot use normal iptables -j ULOG rules, because there's no IP
> traffic flowing on the box. The traffic flowing is ethernet frames on the
> bridge.
>
> I have tried ebtables with ulog as well:
>
> ebtables -A FORWARD --ulog -j CONTINUE
>
> and then fprobe-ulog to export packets, a configuration which works just
> fine with iptables ULOG, but didn't work with ebtables ulog. Maybe I'm
> missing some ebtables rule or a different target than ulog ..... this is
> the first time I've used ebtables anyway.
Have you considered enabling "Bridged NetFilter" (a.k.a. bridge-nf and
brnf)? That should allow IPTables to see the bridged ethernet frames.
If IPTables can see the frames, you should be able to do what you are
accustomed to doing. At least I think.
> but .... I got a third idea on how to accomplish that. My idea, with
> this box, is to put it right in front of the firewall (yes, with proper
> authorization, nothing illegal here), so I would have the whole network
> on one side of the bridge and the firewall on the other side of the
> bridge. In other words ..... several MACs, which I don't know, would
> be on one side, and just a single known MAC on the other side of
> the bridge.
>
> Based on this, I thought of doing some arpspoof thing, having this box
> fake arp replies for the firewall MAC address, sending its own, and
> then forwarding the frames to the real firewall.
Yuck.
IMHO this is in effect a poor man's form of Proxy ARP(ing), which is a
very poor substitute for bridging.
> I don't know how to do this, nor whether this setup would
> help me achieve what I need.
I don't think it would.
Either you will be passing ethernet frames without them passing through
the higher IP stack, or you will be doing routing, which will require
modifying your network structure or some (IMHO very nasty) hacks with
policy based routing.
> Well .... I would like to hear some ideas on how to achieve my
> goals. Can anyone help me with this scenario?
Take a look at bridged netfilter and see if it will do what you are
wanting to do.
Grant. . . .
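The bridge-nf route Grant suggests, as an added example that is not part of either message in this thread: load bridge netfilter, turn on the sysctl that hands bridged IPv4 frames to iptables, and copy packets traversing the bridge to a ULOG netlink group that fprobe-ulog can read. The bridge name br0 and netlink group 1 are assumptions, as is the br_netfilter module name (on older kernels the same sysctl appears once the bridge module itself is loaded). The script only prints the commands unless run as root with the argument apply, so the ruleset change can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Enables bridge netfilter (bridge-nf)
# so the iptables FORWARD chain sees IPv4 frames the bridge forwards, then
# copies those packets to a ULOG netlink group for fprobe-ulog.
# Assumed (hypothetical) names: bridge interface br0, ULOG netlink group 1.
BRIDGE="${BRIDGE:-br0}"
ULOG_GROUP="${ULOG_GROUP:-1}"

# Print the configuration commands instead of running them, so they can be
# read or diffed against the existing ruleset before the box is touched.
# --physdev-is-bridged restricts the rule to frames that are actually being
# bridged (not locally routed); --ulog-cprange 64 copies only the first
# 64 bytes of each packet to userspace, which is all fprobe-ulog needs.
bridge_nf_commands() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -I FORWARD -m physdev --physdev-is-bridged -j ULOG --ulog-nlgroup ${ULOG_GROUP} --ulog-cprange 64 --ulog-prefix "${BRIDGE}:"
EOF
}

# Return 0 when bridge-nf is already passing bridged frames to iptables.
# The optional path argument lets the check be pointed at a saved copy of
# the proc file; the default is the live sysctl.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run as root with "sh this_script.sh apply" to execute the commands;
# with no argument only the dry-run listing is printed.
if [ "${1:-}" = "apply" ]; then
    bridge_nf_commands | sh -e
    bridge_nf_enabled && echo "bridge-nf active; start fprobe-ulog on netlink group ${ULOG_GROUP}"
else
    bridge_nf_commands
fi
```

After applying, a rising packet counter on the new rule in `iptables -vnL FORWARD` confirms that bridged frames are reaching iptables. The sysctl only exists once the module is loaded, so the modprobe has to come first; the ULOG target was later replaced by NFLOG (--nflog-group) in newer kernels, which is the same idea with a different userspace consumer.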
Thread overview: 2+ messages
2008-11-12 13:57 monitoring network question Leonardo Rodrigues Magalhães
2008-11-12 22:36 ` Grant Taylor [this message]