Subject almost says it all, I wonder if there is a way for me to use iptables matches like l7 and/or ipp2p match in a bridge (one ethernet in and one ethernet out)?

Regards.
Ming-Ching Tiew wrote:
> Subject almost says it all, I wonder if there is a way for me
> to use iptables matches like l7 and/or ipp2p match in a
> bridge ( one ethernet in and one ethernet out ) ?

Yes there is. Read my previous post (http://mailman.ds9a.nl/pipermail/lartc/2006q4/019935.html) for more information. In short, what you want to do is enable IPTables (layer 3 and up) to be able to operate on bridged (layer 2) traffic. "Bridged IP/ARP packets filtering" will allow you to do exactly what you are wanting to do.

Grant. . . .
From: "Grant Taylor" <gtaylor@riverviewtech.net>
>
> Yes there is. Read my previous post
> (http://mailman.ds9a.nl/pipermail/lartc/2006q4/019935.html) for more
> information. In short, what you want to do is enable IPTables (layer 3
> and up) to be able to operate on bridged (layer 2) traffic. "Bridged
> IP/ARP packets filtering" will allow you to do exactly what you are
> wanting to do.
>

Thank you for a reply which comes in so useful. I would like to get into a bit more detail. Assuming I have already enabled the kernel options, do you mean that if I want to mark ipp2p traffic, I will do something like this:

    iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 6

If I set more options such as "-i eth0 -o eth1", will I be able to capture the traffic more particularly?

Regards
On 12/28/06 20:04, Ming-Ching Tiew wrote:
> Thank you for a reply which comes in so useful. I would like to get into
> a bit more details. Assuming I have already enable the kernel options,
> do you mean if I want to mark ipp2p traffic, I will do something like this :-

You are welcome.

> iptables -A FORWARD -m ipp2p --ipp2p -j MARK --set-mark 6

Yes, with "Bridged IP/ARP packets filtering" you can do that.

> If I set more options such as "-i eth0 -o eth1" will I be able to capture
> the traffic more particularly ?

In short yes. "Bridged IP/ARP packets filtering" allows IPTables to see bridged traffic. This means that any filtering you can do with IPTables can now be done on bridged traffic.

Grant. . . .
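A configuration script for the setup discussed in this thread, added here as an example and not taken from the thread or its authors. It assumes the thread's eth0/eth1 ports, a bridge named br0 and mark value 6, and it selects the ports with the physdev match because, once bridge-nf hands frames to iptables, -i/-o in FORWARD name the bridge device rather than its physical ports.

```shell
#!/bin/sh
# Added example, not code from the thread: mark P2P flows crossing a
# two-port Linux bridge with iptables once "Bridged IP/ARP packets
# filtering" (CONFIG_BRIDGE_NETFILTER) is built in. Interface names,
# the bridge name and the mark value 6 are assumptions taken from the
# thread; "apply" mode needs root plus the ipp2p and physdev matches.

BR=br0
IN_IF=eth0
OUT_IF=eth1
MARK=6

# Rule for one direction across the bridge. With bridge-nf, -i/-o in
# FORWARD refer to the bridge device itself, so the physical ports are
# selected with the physdev match rather than "-i eth0 -o eth1".
p2p_mark_rule() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s --physdev-out %s -m ipp2p --ipp2p -j MARK --set-mark %s\n' "$1" "$2" "$MARK"
}

# Runtime view of the kernel option: bridged frames only reach iptables
# while bridge-nf-call-iptables is 1 (the file is absent without bridge-nf).
bridge_nf_active() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ]
}

# Build the bridge, confirm bridge-nf is on, then install both rule
# directions so flows entering from either port are marked alike.
apply_rules() {
    brctl addbr "$BR" && brctl addif "$BR" "$IN_IF" && brctl addif "$BR" "$OUT_IF"
    ip link set "$IN_IF" up && ip link set "$OUT_IF" up && ip link set "$BR" up
    bridge_nf_active || { echo "bridge-nf-call-iptables is not 1" >&2; return 1; }
    p2p_mark_rule "$IN_IF" "$OUT_IF" | sh
    p2p_mark_rule "$OUT_IF" "$IN_IF" | sh
}

# Only touch the system when explicitly asked: ./bridge-mark.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Once the marks are in place they can be picked up by tc filters (fw classifier) for shaping, which is the usual reason to mark rather than drop.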