[Gllug] Iptables with bridge
Chris Bell
chrisbell at overview.demon.co.uk
Tue Jun 21 22:56:41 UTC 2005
On Tue 21 Jun, Peter Joanes wrote:
>
> On Tuesday 21 June 2005 20:09, Chris Bell wrote:
> > I can ping the box from any external box with ip address nn.nn.nn.nn if
> > the INPUT policy is DROP as long as I include the rule
> > ...
> > # iptables -A INPUT -i br0 -s nn.nn.nn.nn -j ACCEPT
> > but not if I specify a restriction on the ethernet interface as in
> > # iptables -A INPUT -i eth0 -s nn.nn.nn.nn -j ACCEPT
>
> This is because the network interface that the incoming packets 'enter' is br0
> because that is the interface that has the address assigned to it.
> The bridging operates at a different level from that of IP addresses, so the
> individual ethernet interfaces aren't relevant there (although recent kernels
> can filter through traffic with iptables rules).
> It's normal for the ethernet interfaces to be shown as 'UP', but they can't be
> given IP addresses whilst part of the bridge.
Thanks for the info, I am now installing ebtables which appears to do
what I need, including INPUT to the box itself. The bridge appears to take
the MAC address of just one interface, and that is the interface I wished to
use for admin. The only reason the bridge has an IP address is for remote
admin, and I was just trying to avoid an attack based on a spoofed IP
address hanging on the wrong interface.
--
Chris Bell
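As an added example that is not part of the thread, a small POSIX sh script expressing the ebtables side of the setup described above: accept the admin host's address only when its frames arrive on the physical port it should be behind, and drop frames carrying that source address on any other bridge port, which is the spoofing case iptables `-i eth0` could not catch. It assumes br0 bridges eth0 (admin side) and eth1, uses a constructed placeholder address in place of nn.nn.nn.nn, and needs root only when run with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread. Scenario (assumed): br0 bridges eth0 and
# eth1, the bridge carries the box's only IP address, and the admin host (placeholder
# address below) is only ever reachable via eth0.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # constructed placeholder (TEST-NET-1), not a real host
ADMIN_PORT="${ADMIN_PORT:-eth0}"     # bridge port the admin host's frames must arrive on
EBTABLES="${EBTABLES:-ebtables}"
MODE="${MODE:-print}"                # print: show the commands; apply: run them (needs root)

# Print or execute one ebtables command.
run_rule() {
    if [ "$MODE" = apply ]; then
        "$EBTABLES" "$@"
    else
        printf 'ebtables %s\n' "$*"
    fi
}

# Rules for the filter table's INPUT chain, which sees frames addressed to the
# bridge itself (the traffic that iptables -i eth0 cannot match). Evaluated in
# order, first match wins:
#   1. admin source address on the admin port: accept; iptables INPUT (-i br0)
#      then applies its IP-level rules as before
#   2. admin source address on any other port: spoofed, drop the frame
# The chain policy is left at ACCEPT so ARP and all other hosts are unaffected.
admin_port_rules() {
    run_rule -A INPUT -i "$ADMIN_PORT" -p IPv4 --ip-src "$ADMIN_IP" -j ACCEPT &&
    run_rule -A INPUT -p IPv4 --ip-src "$ADMIN_IP" -j DROP
}

# After applying, count the INPUT rules that mention the admin address (expect 2).
check_rules() {
    "$EBTABLES" -L INPUT | grep -c "$ADMIN_IP"
}

case "${1:-}" in
    apply) MODE=apply; admin_port_rules ;;
    check) check_rules ;;
    "")    admin_port_rules ;;   # no argument: just print the commands
esac
```

Run it with no argument to preview the two commands, `apply` to install them, and `check` to confirm both rules are present in the INPUT chain.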
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug