iptables bridging firewall
I am running Debian Sarge with kernel 2.6.9 and have set up a bridge between eth2 (inet) & eth1 (lan) using the bridge-tools package.
I am trying to use iptables to limit the number of outbound ICMP connections initiated from within the bridged network while allowing all inbound traffic to continue to pass through.
I modified slightly the honeynet projects rc.firewall and have got:
iptables -A FORWARD -p icmp -m physdev --physdev-out eth2 -m state --state NEW -m limit --limit 10/hour --limit-burst 10 -s 192.168.1.10 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.10 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth2 -j DROP
Using the above rules I can ping the router from inside the bridge ten times before it begins to timeout, which is perfect. The problem comes when I try and ping from outside of the bridge in, all pings come back Request Timed Out.
How do I allow all incoming connections while blocking outgoing ones?
Help would be greatly appreciated.