diff options
| author | buytenh <buytenh> | 2001-11-07 17:17:05 +0000 |
|---|---|---|
| committer | buytenh <buytenh> | 2001-11-07 17:17:05 +0000 |
| commit | d2b9c68a0b41377de5322b1a648ec0491d2aab3d (patch) | |
| tree | f38f35b2641c19cc97d2e54e6b14e2da4f805da8 | |
| parent | 35a7dca7af9ab48bca94f0094e9ec810a712977b (diff) | |
| download | bridge-utils-d2b9c68a0b41377de5322b1a648ec0491d2aab3d.tar.gz | |
obsolete
| -rw-r--r-- | doc/FIREWALL.IPTABLES | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/doc/FIREWALL.IPTABLES b/doc/FIREWALL.IPTABLES deleted file mode 100644 index 7302c98..0000000 --- a/doc/FIREWALL.IPTABLES +++ /dev/null @@ -1,56 +0,0 @@ -This document is out of date. - - ---- -It is now possible to use iptables to firewall on bridge -forwarding. It works mostly like the 2.2 patch, but with this -difference that the packets are just passed to the 'main' chains. - -As of current, the bridge calls into the PRE_ROUTING, FORWARD, and -POST_ROUTING netfilter ipv4 hooks. This means all IP packets that -enter the bridge will be passed over the PREROUTING chain, if they are -to be forwarded they will be tested against the FORWARD chain, and for -every device that they are to leave, they are tested against the -POSTROUTING chain. - - -Example -------- - -bash# iptables -L -v -Chain INPUT (policy ACCEPT 74 packets, 7943 bytes) - pkts bytes target prot opt in out source destination - -Chain FORWARD (policy ACCEPT 14 packets, 1176 bytes) - pkts bytes target prot opt in out source destination - 13 1092 LOG all -- any any anywhere anywhere LOG level warning prefix `FWD ' - -Chain OUTPUT (policy ACCEPT 127 packets, 12269 bytes) - pkts bytes target prot opt in out source destination -bash# iptables -L -v -t nat -Chain PREROUTING (policy ACCEPT 6 packets, 504 bytes) - pkts bytes target prot opt in out source destination - 5 420 LOG all -- any any anywhere anywhere LOG level warning prefix `PRE ' - -Chain POSTROUTING (policy ACCEPT 11 packets, 864 bytes) - pkts bytes target prot opt in out source destination - 10 780 LOG all -- any any anywhere anywhere LOG level warning prefix `PST ' - -Chain OUTPUT (policy ACCEPT 5 packets, 360 bytes) - pkts bytes target prot opt in out source destination -bash# /data/bd/bridge-utils/brctl/brctl show -bridge name bridge id STP enabled interfaces -br0 8000.fefd00000000 no tap0 - tap1 -bash# cat packet > /dev/tap0 -PRE IN=tap0 OUT= MAC=fe:fd:31:32:33:34:fe:fd:34:33:32:31:08:00 SRC=10.20.30.40 DST=10.30.40.50 LEN=84 TOS=0x00 PREC=0x00 TTL=64 -ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=56329 SEQ=2304 -FWD IN=tap0 OUT=tap1 SRC=10.20.30.40 DST=10.30.40.50 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=56329 -SEQ=2304 -PST IN= OUT=tap1 SRC=10.20.30.40 DST=10.30.40.50 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=56329 SEQ=2304 -bash# - - - - -Lennert Buytenhek |