William Bohannan
2006-Dec-14 11:55 UTC
blocking traffic on the FORWARD chain using physdev
Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help??

Below is the testing done so far.

eth1 <---> BRIDGE <---> eth0

# Block (eth0 ---> eth1) - blocks both directions and not just one??
iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP

# Block (eth0 <--- eth1) - blocks both directions and not just one??
iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP

# Block (eth0 ---> BRIDGE) - working
iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP

# Block (eth0 <--- BRIDGE) - working
iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP

# Block (eth1 ---> BRIDGE) - working
iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP

# Block (eth1 <--- BRIDGE) - working
iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP

Kind Regards
William
Oscar Mechanic
2006-Dec-14 12:26 UTC
Re: blocking traffic on the FORWARD chain using physdev
Hi

Physdev may no longer be supported soon, something to do with hooks and how this is difficult to support. I have stopped using it because I found some odd behaviour in physdev-in; out seemed fine, I remember. I use ebtables and marks for this now.
William Bohannan
2006-Dec-14 12:34 UTC
RE: blocking traffic on the FORWARD chain using physdev
Thanks for that. Would you be able to give a simple example of how to block outgoing traffic using ebtables and icmp? I get an error when using icmp:

ebtables -A FORWARD -i eth1 -p icmp -j DROP

Error message - "Problem with the specified protocol."

Kind Regards
William
Oscar Mechanic
2006-Dec-14 12:41 UTC
RE: blocking traffic on the FORWARD chain using physdev
Are you sure you want to block ICMP? How about PMTU?

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP
William Bohannan
2006-Dec-20 16:32 UTC
RE: blocking traffic on the FORWARD chain using physdev
Still can't seem to block on the FORWARD chain in one direction. I tried

ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP

Just as a test, with no other rules enabled at all (in iptables, tc or ebtables), and it blocks both directions. Please can someone help?

Kind Regards
William
William Bohannan
2006-Dec-20 16:37 UTC
RE: blocking traffic on the FORWARD chain using physdev
All good, had INPUT instead of FORWARD on the established/related rule, now fixed. To test I used:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP

Works great!

Kind Regards
William

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
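The fix the thread ends on is a rule-ordering point: conntrack pairs an ICMP echo-reply with its echo-request, so the reply is ESTABLISHED and must be accepted in the FORWARD chain before the physdev DROP is reached; with the accept rule in INPUT instead, FORWARD also drops the replies to pings started from the other side, so ping fails both ways and a one-way rule looks as if it blocks both directions. The script below is an added example written for this page, not code from the thread or from any participant. It emits the working physdev ruleset, an equivalent built the way Oscar describes (ebtables sets an nfmark, iptables acts on it), checks that bridge-netfilter is on, and verifies rule order in an iptables-save dump; the interface names follow the thread's diagram, while the mark value 0x1 and the two iptables-save dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the original thread. Interface names (eth0,
# eth1) follow the thread's diagram; the mark value 0x1 and the two dumps
# below are assumptions constructed for illustration.
#
# The thread's conclusion: to drop ICMP in only one direction across a bridge
# you need an ESTABLISHED,RELATED accept in the FORWARD chain *ahead of* the
# physdev-in DROP. With the accept in INPUT, FORWARD also drops the
# echo-replies to pings started from the other side.

# Print the two FORWARD rules for dropping ICMP that enters the bridge on $1.
one_way_icmp_rules() {
    in_if="$1"
    cat <<EOF
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in ${in_if} -p icmp -j DROP
EOF
}

# Same policy the way Oscar describes: ebtables tags frames arriving on $1
# with an nfmark and iptables acts on the mark, so no physdev match is
# needed. On the bridge path ebtables FORWARD runs before iptables FORWARD,
# so the mark is already set when iptables sees the packet.
one_way_icmp_rules_mark() {
    in_if="$1"
    cat <<EOF
ebtables -A FORWARD -i ${in_if} -j mark --mark-set 0x1 --mark-target CONTINUE
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m mark --mark 0x1 -p icmp -j DROP
EOF
}

# physdev only matches bridged frames while bridge-netfilter is active; on
# current kernels load br_netfilter first, then this sysctl exists.
# Returns 0 when enabled, 1 when disabled or absent.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read an iptables-save dump on stdin and verify that, in the FORWARD chain,
# an ESTABLISHED,RELATED ACCEPT comes before the ICMP DROP (matched by
# physdev or by mark). Returns 0 when the order is right, 1 otherwise.
# This is the check that would have caught the misplaced accept rule.
check_forward_order() {
    awk '
        /^-A FORWARD / && /ESTABLISHED,RELATED/ && /-j ACCEPT/ { if (!accept) accept = NR }
        /^-A FORWARD / && /-p icmp/ && /-j DROP/ && (/physdev/ || /--mark/) { if (!drop) drop = NR }
        END { if (accept && drop && accept < drop) exit 0; exit 1 }
    '
}

# Constructed iptables-save output (not captured from a real host)
# reproducing the thread's broken state: accept in INPUT, drop in FORWARD.
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m physdev --physdev-in eth0 -j DROP
COMMIT'

# Constructed dump of the working ruleset from the last message.
FIXED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m physdev --physdev-in eth0 -j DROP
COMMIT'

# Apply for real only when asked: ./bridge-icmp.sh --apply [physdev|mark]
if [ "${1:-}" = "--apply" ]; then
    bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1; physdev will not match" >&2
    if [ "${2:-physdev}" = "mark" ]; then
        one_way_icmp_rules_mark eth0 | sh -e
    else
        one_way_icmp_rules eth0 | sh -e
    fi
    iptables-save | check_forward_order && echo "FORWARD rule order OK"
fi
```

Run it with no arguments to load the functions and feed a dump to check_forward_order; `--apply` installs the rules on a live bridge. Oscar's PMTU point still stands: `-p icmp` drops fragmentation-needed messages along with everything else, so a production rule would normally narrow the DROP to `-p icmp --icmp-type echo-request` rather than all of ICMP.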