similar to: blocking traffic on the FORWARD chain using physdev


2006 Oct 14
5
Problem with two providers: Need to route packets on the interface on which they arrive.
2006 Dec 28
4
filter policy drop and allow transparent proxy
Trying to use the policy drop rule with the bridged firewall, when I removed the first line the transparent proxy works great? It seems a bit strange as from reading several articles on it I thought the following occurs. 1st line - if it doesn't match it gets dropped on the local filter input. 2nd line - redirects the traffic off the link layer into the network layer ready for line 3. 3rd line -
2006 Jul 21
5
linux transparent bridge running squid
Hi I have been using Shorewall for a while now and find it very useful and easy to configure, I am learning iptables and having trouble getting the bridge to successfully work with squid, although I get it working with Shorewall straight away? Does anyone know the rules to successfully use squid with a transparent bridge? Internet – router - (bridge eth0 – eth1) – local lan auto lo iface lo
2007 Mar 15
3
Traffic Shaping over Satellite Internet
I've set up Traffic Shaping on a Linux Router. Using HTB with SFQ, I'm trying to slow down heavy downloading for 20 subscribers over a 2048 kbit downlink. I'm classifying internet related traffic using iptables marking. bri0 is my local lan bridge, receiving egress traffic destined for subscribers. tc qdisc add dev bri0 root handle 1: htb default 2 tc class add dev
2007 May 28
9
2 NICs Bridge + Router
Hi wondering if anyone can help. I have two NICs on a debian sarge based system and current running as a bridge (br0) which consists of eth0 and eth1. Is it possible to add a virtual interface to the eth1 so I can also do NAT on the box as well? I have tried many times and keep coming up with errors. Kind Regards William Bohannan
2007 Jun 06
5
What I learned about Linux bridging
Here are some notes I have about Linux bridging. I'll try to separate what I know I know from what I think I know. Let's say I want to bridge eth0, eth1, and eth2 together, all with an IP Address of, say, 1.2.3.2. This is how to do it: echo "Setting up br0 to bridge eth0 with eth1 and eth2" /usr/sbin/brctl addbr br0 /usr/sbin/brctl addif br0 eth0
2013 Jul 08
6
Getting nwfilter to work on Debian Wheezy
Hi, I'm trying to configure nwfilter for KVM, but so far I haven't managed to figure out a working configuration. Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is connected via eth0, part of the external subnet 192.168.17.0/24, and has an additional subnet 192.168.128.160/28 routed to its main address 192.168.17.125. The host's subnet is configured as bridge
2004 Jun 06
4
iptables v1.2.7a: Couldn't load match `physdev':/lib/iptables/libipt_physdev.so: cannot open shared object file: No such file or directory
Hi, I'm running RH9 Linux and I'm having a slight problem with shorewall, I originally set it up as a two card configuration, but I have now bridged the connections in an attempt to get my WiFi network communicating with the wired network (eth0 and wlan0). I have followed the instructions for bridging from http://www.shorewall.net/bridge.html but when I activate shorewall I get
2005 Dec 18
3
connection tracking
Hello I have some rules inserted in the NAT table dual SNAT and DNAT for a connection They use at some moment the same port of the outside network. The problem i have is that the connection tracking in the kernel checks first the oldest rule and then the newest one. I use a system based on ARM XScale processor. Is that the default behaviour and how can i change this behaviour? Marius
2007 Jan 09
5
filtering in layer 2 [but is not a bridge]
I have a linux AP with prism2 (hostap) wireless nic. I want to filter traffic that passes between clients of the AP, this is layer 2 traffic (802.11) and netfilter does not see it, at first I think in physdev target, but is for layer2 bridged interfaces, and this is not the case. There is a way to filter layer2 traffic independent if it is from a bridged iface or not? -- Luciano
2004 Mar 29
6
bridging shaper
Hello, I have a transparent bridge/firewall setup using linux-2.6.3. My iptables commands for the firewall seem to work fine, but my tc traffic shaper rules don't. The tc rules seem to apply ok, but have no effect. Here are my tc rules. Basically I'm just trying to limit each IP in my internal /24 to 512k of bandwidth in and out. DEV=eth0 tc qdisc del dev $DEV root tc qdisc add dev $DEV
2004 Jun 16
6
QOS Script difficulty on bridge
I'm playing with the rather excellent QOS script from Alexander Clouter at http://digriz.org.uk/jdg-qos-script/ So far I am really impressed with it - a very impressive example of the power of linux QOS rules (has pretty much everything in it from the LARTC Howto!) However, the instructions hint that "for QoS to affect locally generated traffic in a non ethernet bridge setup
2006 Dec 30
1
Accumulating Physdev Counts
When using v2 we would modify the saved /var/lib/shorewall/restore file to modify logging so we had separate counts by the physical device the packets (actually, NEW connections, not total packet counts), such as: -A LogStuff -j LOG etc -A LogStuff -m physdev --physdev-in eth1 -j DROP -A LogStuff -m physdev --physdev-in eth2 -j DROP which gave us an idea where dropped traffic came from
2007 Apr 18
1
[Bridge] Multilink + bridge + nat problem
Hi, I have a suspicious problem with multiple uplinks configuration. First of all my configuration: 1) kernel 2.6.20.3 2) iptables 1.3.7 3) last iproute (for masked marks) All wan interfaces are bridged (stp disabled) in only one interface (wan0), all lan interfaces are bridged (stp enabled) in only one interface (zlan0). The wan0 bridge is to allow UPnP works. To allow related
2005 Sep 21
5
IP Tables on a bridge
Not normally a question for this group, but you guys are very bridge/router/firewall savvy, so I thought I'd toss it here. I have a bridge. On one side of the bridge is that fancy thing called the Internet. On the other side is my LAN. The bridge is the obvious demarcation line and a good place to put a firewall. Now, I have all my iptables stuff planned out, EXCEPT for nat. The
2007 Feb 15
2
?OT? Linux 2.6: bridge + routing firewall
Hi All! I need to deploy a bridge firewall using linux kernel 2.6. I had success using kernel 2.4 plus br-nf patch. But the configuration does not work with kernel 2.6. If the default policy for the iptables FORWARD chain is ACCEPT I have a bridge. If iptables FORWARD chain is DROP I have an insulator (no packet flows). Any hint? I did some google search and in many places they say "kernel
2003 Jul 28
6
snooping - the crux of the problem
I have a computer with two interfaces, say with addresses 192.168.1.1 and 192.168.1.2. I want to set up routing such that when I ping 192.168.1.1 it goes out through 192.168.1.2 and not to the local interface. Is this possible - all my attempts so far have been unsuccessful? If so, pointers, etc. would be gratefully appreciated. Jim -- Jim Redman (505) 662 5156 x85
2007 Mar 20
3
Fairness queuing across a range of IP addresses
I have a block of IP addresses (2048) used for ADSL connections to customers. In order to provide a fair slice of available bandwidth on the contended services I would like to be able to set up some kind of SFQ filter, but using a hash of the destination IP address rather than the full source and destination ip and port. This would be done at the Internet side gateway for traffic being
2006 Dec 12
1
Layer7 module doesn't detect nothing on my bridge with a 2.6.18.3 kernel
Hello I've set up a QOS bridge under debian 3.1 using 2.6.18.3 kernel + iptables 1.3.6 I've patched the kernel and Iptables with esfq+layer7 without problems. This simple script doesn't log nothing ... And I'm sure to have eMule traffic (I've checked with tcpdump ) If I remove " -m layer7 --l7proto edonkey \" line I can see
2005 Oct 25
7
IP Src rewrite.
Hello folks.. Does any of you know if it is possible to rewrite the ip src in a packet. I have a problem involving a DMZ with external IP addresses routed through a single WAN IP. When the server initiates a connection, it looks like it comes from the WAN ip instead of its designated External IP routed through the WAN. So in short, Is it possible to rewrite the packet in the router,