Ebtables ruleset isn't working, any ideas?

#1, posted by debianfirewall on 19th May 2009, 17:39

I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... the ebtables ruleset isn't working.

This is what I have so far. When I set the default policy to allow, everything gets through; when I set it to deny, nothing gets through:

Here is the net setup: squid/sshserver --> eth1 [firewall] eth0 ---> Internet

What is supposed to be allowed:
ssh server (port 22 TCP) <--eth1 [firewall] eth0 <--- Internet
ssh/squidserver --> eth1 [firewall] eth0 --> Internet (ports 80 and 443 TCP)

What is supposed to be disallowed
(spoofed ip w/o proper squidserver mac address going out)
(anything else coming in)
(probably anything else going out as well; maybe allow DNS and DHCP)



This blocks EVERYTHING. It COMPLETELY IGNORES THE RULESET (The only thing it doesn't ignore is the policy)

Code:
ebtables -F FORWARD
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP

ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.21 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.21 -j ACCEPT

ebtables -A FORWARD -p ip --ip-src 192.168.0.21 -s ! 00:08:0D:54:13:C9 -j DROP
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 443 -j ACCEPT


Why doesn't this work? Isn't it supposed to consider the exception rules?
(I'm testing by trying to SSH to the box, and trying to go to the IP of a webserver across the bridge from the box)
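Added example, not the original poster's ruleset. Two things in the posted rules stand out. First, `-p ip` matches only IPv4 frames (EtherType 0x0800); ARP (0x0806) never matches any ACCEPT rule, so with `-P FORWARD DROP` the bridge drops every ARP request and reply, neither side can learn the other's MAC address, and no IPv4 session ever starts, which looks exactly like "everything is blocked and the rules are ignored". Second, the anti-spoofing DROP sits after the SSH ACCEPT rules, so a frame from eth1 with a forged source IP 192.168.0.21 and source port 22 is accepted before the spoof check is reached. The script below, for the topology in the post (server 192.168.0.21 / 00:08:0D:54:13:C9 behind eth1, Internet on eth0), accepts ARP explicitly, puts the anti-spoof rule before any ACCEPT, and adds the DNS/DHCP rules the post calls optional. The `ALLOW_DNS_DHCP` switch and the `EBTABLES=echo` dry-run mode are this example's own conventions, not ebtables features.

```shell
#!/bin/sh
# Added example of a bridge FORWARD ruleset for the post's topology.
#   server 192.168.0.21 (MAC 00:08:0D:54:13:C9) --> eth1 [bridge] eth0 --> Internet
# Not the poster's ruleset. Run as:  sh bridge-fw.sh apply
# Dry run (print instead of apply):  EBTABLES=echo sh bridge-fw.sh apply

EBTABLES="${EBTABLES:-ebtables}"      # set to "echo" for a dry run (example convention)
SERVER_IP="192.168.0.21"
SERVER_MAC="00:08:0D:54:13:C9"
WAN_IF="eth0"                         # Internet-facing bridge port
LAN_IF="eth1"                         # server-facing bridge port
ALLOW_DNS_DHCP="${ALLOW_DNS_DHCP:-1}" # assumption: the post only says "maybe allow dns, dhcp"

eb() { "$EBTABLES" "$@"; }

load_ruleset() {
    eb -F FORWARD
    eb -P FORWARD DROP

    # 1. ARP is not "-p ip"/"-p IPv4". With a DROP policy it must be accepted
    #    explicitly, otherwise no host can resolve a MAC and nothing else works.
    eb -A FORWARD -p ARP -j ACCEPT

    # 2. Anti-spoofing BEFORE any ACCEPT: the server's IP may only leave eth1
    #    from the server's own MAC. Placed later, an ACCEPT rule can match first.
    eb -A FORWARD -i "$LAN_IF" -p IPv4 --ip-src "$SERVER_IP" -s ! "$SERVER_MAC" -j DROP

    # 3. Block all ICMP, as in the post (note: this also breaks path MTU discovery).
    eb -A FORWARD -p IPv4 --ip-proto icmp -j DROP

    # 4. SSH in to the server, with the stateless return path out.
    eb -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p IPv4 --ip-proto tcp --ip-dst "$SERVER_IP" --ip-dport 22 -j ACCEPT
    eb -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p IPv4 --ip-proto tcp --ip-src "$SERVER_IP" --ip-sport 22 -j ACCEPT

    # 5. HTTP/HTTPS out from the server, with the return path in.
    for port in 80 443; do
        eb -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p IPv4 --ip-proto tcp --ip-src "$SERVER_IP" --ip-dport "$port" -j ACCEPT
        eb -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p IPv4 --ip-proto tcp --ip-dst "$SERVER_IP" --ip-sport "$port" -j ACCEPT
    done

    # 6. Optional DNS (UDP 53) and DHCP (UDP 68 -> 67, replies 67 -> 68).
    #    DHCP is tied to the server MAC because a DISCOVER carries source IP 0.0.0.0.
    if [ "$ALLOW_DNS_DHCP" = 1 ]; then
        eb -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p IPv4 --ip-proto udp --ip-src "$SERVER_IP" --ip-dport 53 -j ACCEPT
        eb -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p IPv4 --ip-proto udp --ip-dst "$SERVER_IP" --ip-sport 53 -j ACCEPT
        eb -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p IPv4 -s "$SERVER_MAC" --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
        eb -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p IPv4 -d "$SERVER_MAC" --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT
    fi
}

# Only act when explicitly asked, so sourcing the file changes nothing.
if [ "${1:-}" = "apply" ]; then
    load_ruleset
fi
```

To confirm which rules frames are actually hitting, check the packet counters with `ebtables -L FORWARD --Lc` while repeating the SSH and web tests; a ruleset whose ACCEPT counters stay at zero while the policy counter climbs is being skipped for the reason above, not ignored. If the bridge host also runs iptables, check `sysctl net.bridge.bridge-nf-call-iptables`: when it is 1, bridged frames also traverse the iptables FORWARD chain, and a DROP there would produce the same symptom.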