- Join Date
- May 2007
iptables config on a bridging firewall
I've been playing around with setting up a bridging firewall on a spare box. Currently have it sitting between the cable modem and my router. Everything is working nicely, except for one nagging question.
If I understand things correctly, because the system is bridged, none of the traffic would pass through the Input/Output chains, right? All data would be passing through Forward instead, as none of the traffic is intended for the firewall box itself.
Originally, I set the rules up based on examples I saw that didn't involve bridging, so most of the rules were applied to the Input/Output chains. In the case of a bridge, I could rewrite the rules script to replace all Input/Output with Forward (all the rules specify the in and out devices, so direction should be taken care of), drop any duplicate rules that may occur, set Input/Output to a flat deny, and I should be good to go, right?
This is a roundabout answer (since I don't know the real answer).
If you'd like to determine this for yourself you could turn on some iptables logging temporarily to watch which chains the traffic passes through.
Check the iptables(8) manpages and take a look at the LOG section.
An example rule might look like:
# iptables -I INPUT 1 -j LOG --log-level info
(Notice how I inserted it as the first rule -- that will keep things simpler!)
You can do the same for any other chains you want to monitor.
Now make a slight tweak to /etc/syslog.conf. Add a line that looks like this:
# touch /var/log/fw && /etc/init.d/syslog reload
You should be in business. You can now tail the /var/log/fw file and monitor for when traffic goes through a chain.
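A fuller version of the same diagnostic, added here as an example and not anomie's own code: one LOG rule per built-in chain, each with its own --log-prefix, so a tally of the resulting kernel log lines shows directly which chain the traffic took. The prefix names (FW-INPUT, FW-FORWARD, FW-OUTPUT), the interface names and the sample log lines are assumptions constructed for the example; the tally reads kernel messages from stdin, so it works on the file syslog writes kern.info to or on the output of dmesg. The sample also shows a detail worth knowing on a bridge: for bridged frames the LOG target reports IN/OUT as the bridge device and the actual ports as PHYSIN/PHYSOUT.

```shell
#!/bin/sh
# Added example (not anomie's code): tag each built-in chain's LOG rule with
# its own prefix, then tally kernel log lines by that prefix to see which
# chain bridged traffic really traverses.  Prefix names FW-INPUT/FW-FORWARD/
# FW-OUTPUT and the sample log lines below are assumptions constructed here.

# Print the iptables commands that insert a tagged LOG rule at position 1 of
# INPUT, FORWARD and OUTPUT.  Apply as root with:  gen_log_rules | sh
gen_log_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'iptables -I %s 1 -j LOG --log-level info --log-prefix "FW-%s: "\n' \
            "$chain" "$chain"
    done
}

# Read kernel log lines on stdin and print "<CHAIN> <count>" for each tagged
# chain.  Feed it the file syslog writes kern.info to, or:  dmesg | count_by_chain
count_by_chain() {
    awk '
        match($0, /FW-(INPUT|FORWARD|OUTPUT): /) {
            # RSTART points at the FW- prefix; drop it and the trailing colon+space.
            tag = substr($0, RSTART + 3, RLENGTH - 5)
            hits[tag]++
        }
        END { for (t in hits) print t, hits[t] }
    ' | sort
}

# Number of lines in $SAMPLE_LOG tagged with one chain name (0 if none).
sample_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_chain \
        | awk -v c="$1" '$1 == c { print $2; found = 1 } END { if (!found) print 0 }'
}

# Constructed sample in the format the LOG target produces.  For bridged
# frames IN/OUT show the bridge (br0) while PHYSIN/PHYSOUT show the port,
# which is why "-i eth0" style rules never match them (physdev match needed).
SAMPLE_LOG='May 12 10:00:01 fw kernel: FW-FORWARD: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.10 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 12 10:00:01 fw kernel: FW-FORWARD: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
May 12 10:00:02 fw kernel: FW-FORWARD: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.10 DST=192.168.1.2 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
May 12 10:00:05 fw kernel: FW-INPUT: IN=br0 OUT= PHYSIN=eth1 SRC=192.168.1.2 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
May 12 10:00:05 fw kernel: FW-OUTPUT: IN= OUT=br0 SRC=192.168.1.254 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1'

gen_log_rules
printf '%s\n' "$SAMPLE_LOG" | count_by_chain
```

Run as-is it only prints the rules and tallies the constructed sample (FORWARD 3, INPUT 1, OUTPUT 1); the INPUT and OUTPUT hits come from the bridge box itself being pinged, which is the only way traffic reaches those chains on a transparent bridge.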
Thanks for the suggestion, anomie.
Tried that, and it turns out that everything was being pushed through the Forward chain. Went ahead and changed all the Input/Output rules to Forward, set a default Drop policy for Input/Output, and nothing seems to have broken. I'll have to play around from outside (helps to have 2 net conns) to make sure I didn't accidentally allow something I didn't want in the process =)
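What the rewritten ruleset ends up looking like, as an added example rather than the poster's script: bridged traffic lives in FORWARD, INPUT and OUTPUT drop everything but loopback, and the in/out devices are matched the way a bridge needs. That last point is the caveat worth checking when porting rules that "specify the in and out devices": for a bridged frame the logical interface on both sides is the bridge itself, so a rule written as -i eth0 -o eth1 never matches; the port a frame arrived on or leaves by is selected with the physdev match instead. The script emits the commands instead of running them so they can be reviewed first, and includes a check that no FORWARD rule falls back to -i/-o with a port name. Interface names (eth0 toward the modem, eth1 toward the router, br0 as the bridge), the admitted inbound service and the log prefix are assumptions; the sysctl and br_netfilter requirement apply to any kernel that is to hand bridged frames to iptables at all.

```shell
#!/bin/sh
# Added example, not the poster's ruleset: a minimal iptables policy for a
# transparent bridge.  Assumptions: eth0 faces the cable modem, eth1 faces
# the router, both are enslaved to br0, and the kernel passes bridged frames
# to iptables (br_netfilter; net.bridge.bridge-nf-call-iptables=1).
WAN=eth0
LAN=eth1
BR=br0

# Emit the policy as iptables commands rather than running them, so it can
# be reviewed first; apply as root with:  bridge_rules | sh
bridge_rules() {
    cat <<EOF
# Bridged frames are only handed to iptables when this sysctl is on
# (needs the br_netfilter module on kernels >= 3.18).
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# The bridge box itself accepts and sends nothing but loopback.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Bridged traffic lives in FORWARD.  Its logical interface is $BR on both
# sides, so "-i $WAN -o $LAN" would never match; the physical port is
# selected with the physdev match instead.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $BR -o $BR -m physdev --physdev-in $LAN --physdev-out $WAN -j ACCEPT
# Example of admitting one inbound service to the router (assumed: SSH).
iptables -A FORWARD -i $BR -o $BR -m physdev --physdev-in $WAN --physdev-out $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log what is about to hit the DROP policy from the modem side.
iptables -A FORWARD -i $BR -m physdev --physdev-in $WAN -j LOG --log-level info --log-prefix "FW-DROP: "
EOF
}

# Check: no FORWARD rule may select a bridge port with -i/-o, since on a
# bridge those only ever match the bridge device.  Returns 0 when clean.
forward_uses_physdev() {
    if bridge_rules | grep '^iptables -A FORWARD' \
            | grep -E -- "-(i|o) ($WAN|$LAN) " >/dev/null; then
        return 1
    fi
    return 0
}

bridge_rules
forward_uses_physdev && echo "ok: FORWARD rules select bridge ports with physdev, not -i/-o"
```

Testing from outside, as the poster plans, is still the real check; the FW-DROP log line makes that run productive, since anything that should have been allowed shows up there with its PHYSIN/PHYSOUT ports rather than silently disappearing.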