Honeypots mailing list archives

Re: Bridging and iptables/ebtables


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 25 Feb 2004 22:14:53 +0100

On Wed 25/02/2004 at 20:54, David Goldsmith wrote:
> I've reloaded the honeynet using RedHat 9 and have compiled a newer
> 2.4.2x kernel.  I've grabbed the correct ebtables-brnf-3_vs_2.4.x.diff
> patch and applied it to the kernel.  Bridging works but iptables is not
> filtering anything.

That's strange.
Have you tried to match some traffic within the FORWARD chain with the LOG
target to debug?

> Am I missing something simple like needing to force the loading of one of the
> newer bridge modules or do I have to use the ebtables user-space tool
> either in place of or to supplement iptables?

ebtables is a supplement to iptables.
When you use your Linux box as a bridge with the ebtables-brnf patch,
iptables will allow you to filter IPv4 packets inside forwarded frames,
and nothing else. ebtables is an L2 filter that allows you to filter any
forwarded frame based on its L2 and L3 headers. You can also filter
different kinds of frames such as ethernet, 802.1q or 802.1d.

Suppose you activate a bridge and just filter using iptables. Then
anything that is not IPv4 will cross your bridge unfiltered, such as
IPX, NetBEUI, IPv6, etc. This is quite bad to me. ebtables allows you to
restrict forwarded traffic based on the ethernet protocol field.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
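Added example, not from this thread or the ebtables project: an ebtables FORWARD policy that only lets IPv4 and ARP frames cross the bridge (logging and dropping everything else at L2, where iptables never sees it), plus the iptables LOG rule in FORWARD suggested above for checking whether the bridge-nf path is handing packets to iptables at all. Protocol names are the standard /etc/ethertypes entries; the EBT_DRY_RUN switch and the run() wrapper are this example's own additions.

```shell
#!/bin/sh
# Set EBT_DRY_RUN=1 to print the rules instead of installing them.
EBT_DRY_RUN="${EBT_DRY_RUN:-0}"

run() {
    if [ "$EBT_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# L2 policy for the bridge: default-drop in FORWARD, whitelist IPv4 and
# ARP by ethernet protocol field, log and drop the rest (IPX, NetBEUI,
# IPv6, ...). iptables only ever sees the IPv4 frames that pass here.
bridge_l2_policy() {
    run ebtables -P FORWARD DROP
    run ebtables -F FORWARD
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
    run ebtables -A FORWARD --log-level info --log-prefix "ebt-drop:" -j DROP
}

# L3 debugging aid: log every IPv4 packet iptables sees in FORWARD.
# If nothing shows up in the kernel log while traffic crosses the bridge,
# the bridge-nf patch is not passing frames to iptables.
bridge_l3_debug() {
    run iptables -I FORWARD 1 -j LOG --log-prefix "ipt-fwd:" --log-level info
}
```

Run with EBT_DRY_RUN=1 first to review the rules, then as root without it to install them.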

