Bridging and firewalling
------------------------
It is possible to use bridging in combination with firewalling. This is
a blatant violation of the OSI model, but it's very useful, so we don't
care.

How do bridging and firewalling go together? First of all, you need a
kernel patch against the 2.4 kernel to make firewalling of bridged
packets possible at all. Apply this patch to your kernel and recompile
it, or alternatively download a pre-patched Red Hat 7.2 kernel RPM and use
that. The patch and the kernel RPM are located at:

  http://bridge.sourceforge.net/devel/bridge-nf/

If you boot with this kernel, you can use regular iptables firewalling
just as if you were routing. Rules for forwarded packets go into the
FORWARD chain, rules for packets destined for the local machine go into
the INPUT chain, and so on. Things will work the way you expect them to.
So a rule like

  # iptables -A INPUT -i eth0 -j DROP

will drop all traffic coming in on 'eth0', even though the interface the
packets logically arrive on is the bridge, say 'br0'. In other words, an
interface match sees the physical port a packet came in on, not the bridge
it belongs to; keep that in mind when writing your rules.


Lennert Buytenhek, November 7th 2001
<buytenh@gnu.org>


--------------------------
Bridge firewalling with 2.2 kernels is also possible, but deprecated. I
strongly recommend against using a 2.2 kernel and ipchains for bridge
firewalling. But if there's really a need, it's still possible. Apply the
extra firewalling patch available from the 'patches' section to a 2.2
kernel that already has the vanilla bridge patch applied, and recompile.
If you boot this kernel, the bridging code will check each packet that is
about to be forwarded against the ipchains chain that has the same name as
the bridge. So, if a packet on eth0 is to be forwarded to eth1, and those
interfaces are both part of the bridge group br0, the bridging code will
check the packet against the chain called 'br0'. If the chain does not
exist, the packet is forwarded unfiltered. So if you want to do
firewalling, you have to create the chain yourself. This is important!
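The 2.4/bridge-nf setup described at the top of this page, as an added example (this script is not part of the original document or of the bridge project's code): it builds a transparent bridge from two ports and loads an iptables ruleset in which -i names the physical port, as the text explains for the INPUT rule. The interface names eth0/eth1, the bridge name br0, the allowed TCP ports, the DRY_RUN switch and the assumption that -o likewise names the physical egress port in FORWARD are all illustrative assumptions.

```shell
#!/bin/sh
# Added example for a bridge-nf patched 2.4 kernel (not the page's own
# code). Run as root with bridge-utils and iptables installed:
#   sh bridge-fw.sh apply
# With DRY_RUN=1 the commands are printed instead of executed.

BR=${BR:-br0}                 # assumed bridge name
OUTSIDE=${OUTSIDE:-eth0}      # assumed port towards the untrusted network
INSIDE=${INSIDE:-eth1}        # assumed port towards the protected hosts
ALLOW_TCP=${ALLOW_TCP:-"22 80"}  # assumed services reachable from outside

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up: create br0 and enslave both physical ports. The ports carry
# no IP address of their own; the bridge host is meant to be invisible.
bridge_up() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUTSIDE"
    run brctl addif "$BR" "$INSIDE"
    run ifconfig "$OUTSIDE" 0.0.0.0 up
    run ifconfig "$INSIDE" 0.0.0.0 up
    run ifconfig "$BR" up
}

# firewall_rules: the bridged packets traverse the normal FORWARD chain.
# -i/-o match the physical port a packet came in on / goes out of, not
# the logical 'br0' (the -o behaviour is an assumption; the text only
# states it for -i).
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # replies to connections that were already allowed
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # protected hosts may initiate anything towards the outside
    run iptables -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j ACCEPT
    # from the outside only the listed TCP services may be opened
    for p in $ALLOW_TCP; do
        run iptables -A FORWARD -i "$OUTSIDE" -o "$INSIDE" \
            -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # log what the default policy is about to drop
    run iptables -A FORWARD -i "$OUTSIDE" -j LOG --log-prefix "bridge-drop: "
    # the rule from the text: nothing arriving on the outside port may
    # reach the bridge host itself, even though it logically arrives on br0
    run iptables -A INPUT -i "$OUTSIDE" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    bridge_up
    firewall_rules
fi
```

A quick sanity check after loading the rules is `iptables -L FORWARD -v -n`: the packet counters on the `-i eth0 -o eth1` rules only move if the bridge-nf patch is actually in the running kernel; on an unpatched 2.4 kernel bridged frames never reach the FORWARD chain and the counters stay at zero while traffic still flows.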
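The 2.2/ipchains variant described just above, as an added example (not the page's or the project's own code): the chain must carry the bridge's name and must be created by hand, because a missing chain means every frame is forwarded unfiltered. The bridge name br0, the protected host address, the allowed ports and the DRY_RUN switch are illustrative assumptions.

```shell
#!/bin/sh
# Added example for a 2.2 kernel with the bridge + bridge-firewalling
# patches (not the page's own code). Run as root: sh bridge-ipchains.sh apply
# With DRY_RUN=1 the commands are printed instead of executed.

BR=${BR:-br0}                        # assumed bridge name == chain name
PROTECTED=${PROTECTED:-192.168.1.10} # assumed host behind the bridge
ALLOW_TCP=${ALLOW_TCP:-"22 80"}      # assumed services reachable from outside

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_chain: the bridging code consults the chain named after the
# bridge for every packet it is about to forward. Without this chain
# nothing is filtered, so create it first.
bridge_chain() {
    run ipchains -N "$BR"
    run ipchains -F "$BR"
    # non-SYN TCP segments belong to connections that were already allowed
    run ipchains -A "$BR" -p tcp ! -y -j ACCEPT
    # new TCP connections only to the listed ports on the protected host
    for p in $ALLOW_TCP; do
        run ipchains -A "$BR" -p tcp -d "$PROTECTED" "$p" -j ACCEPT
    done
    # everything else is denied and logged
    run ipchains -A "$BR" -j DENY -l
}

# check_chain: ipchains -L exits non-zero when the chain does not exist,
# which is exactly the state in which the bridge forwards everything.
check_chain() {
    ipchains -L "$BR" -n >/dev/null 2>&1
}

if [ "${1:-}" = "apply" ]; then
    bridge_chain
    check_chain || { echo "chain $BR missing: bridge is NOT filtering" >&2; exit 1; }
fi
```

Because the chain is looked up by name, renaming the bridge (or creating it as 'br1' while the rules still live in 'br0') silently turns the box into an unfiltered bridge; run `check_chain` with the bridge's actual name after any change to the bridge configuration.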