HowtoForge Forums > Linux Forums > Server Operation
19th May 2009, 18:39, debianfirewall:

Ebtables ruleset isn't working, any ideas?

I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... the ebtables ruleset isn't working.

This is what I have so far. When I set the default policy to allow, everything gets through; when I set it to deny, nothing gets through:

Here is the net setup: squid/sshserver --> eth1 [firewall] eth0 ---> Internet

What is supposed to be allowed:
ssh server (port 22 TCP) <--eth1 [firewall] eth0 <--- Internet
ssh/squidserver --> eth1 [firewall] eth0 --> Internet (ports 80 and 443 TCP)

What is supposed to be disallowed:
(spoofed IP w/o proper squidserver MAC address going out)
(anything else coming in)
(probably anything else going out as well (maybe allow DNS, DHCP))

This blocks EVERYTHING. It COMPLETELY IGNORES THE RULESET (The only thing it doesn't ignore is the policy)

ebtables -F FORWARD
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP

## Note: in the rules below, --ip-destination, --ip-source and --ip-src are
## followed directly by the next option instead of an address, so ebtables
## rejects each of these commands and only -F and -P above take effect.
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source -j ACCEPT

ebtables -A FORWARD -p ip --ip-src -s ! 00:08:0D:54:13:C9 -j DROP
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source --ip-proto tcp --ip-destination-port 443 -j ACCEPT

Why doesn't this work? Isn't it supposed to consider the exception rules?
(I'm testing by trying to SSH to the box, and trying to go to the IP of a webserver across the bridge from the box)
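A ruleset for the topology in the post, added here as an example and not taken from the post or the project. It assumes legacy ebtables syntax, uses a constructed RFC 5737 address (192.0.2.10) as a placeholder for the squid/ssh host the post leaves blank, and includes a check for the defect that makes ebtables reject a rule outright (an address, port or MAC option with no argument).

```shell
#!/bin/sh
# Added example, not from the forum post. Bridge firewall for:
#   squid/ssh host --> eth1 [bridge] eth0 --> Internet
# HOST_IP is a constructed placeholder; HOST_MAC is the MAC quoted in the post.
EBT="${EBT:-ebtables}"      # set EBT=echo for a dry run
INSIDE="${INSIDE:-eth1}"    # bridge port facing the squid/ssh host
OUTSIDE="${OUTSIDE:-eth0}"  # bridge port facing the Internet
HOST_IP="${HOST_IP:-192.0.2.10}"
HOST_MAC="${HOST_MAC:-00:08:0D:54:13:C9}"

# Print one complete ebtables command per line. Every IP match needs -p IPv4
# first, port matches need --ip-proto tcp, and every option gets its argument.
# ebtables has no connection tracking, so replies are matched by source port.
emit_rules() {
    echo "$EBT -F FORWARD"
    echo "$EBT -P FORWARD DROP"
    # Anti-spoofing: the host's IP may only leave from the host's real MAC.
    echo "$EBT -A FORWARD -i $INSIDE -o $OUTSIDE -p IPv4 --ip-src $HOST_IP -s ! $HOST_MAC -j DROP"
    # SSH in to the host, and its replies out.
    echo "$EBT -A FORWARD -i $OUTSIDE -o $INSIDE -p IPv4 --ip-dst $HOST_IP --ip-proto tcp --ip-dport 22 -j ACCEPT"
    echo "$EBT -A FORWARD -i $INSIDE -o $OUTSIDE -p IPv4 --ip-src $HOST_IP --ip-proto tcp --ip-sport 22 -j ACCEPT"
    # HTTP/HTTPS out from the host, and the replies back in.
    for port in 80 443; do
        echo "$EBT -A FORWARD -i $INSIDE -o $OUTSIDE -p IPv4 --ip-src $HOST_IP --ip-proto tcp --ip-dport $port -j ACCEPT"
        echo "$EBT -A FORWARD -i $OUTSIDE -o $INSIDE -p IPv4 --ip-dst $HOST_IP --ip-proto tcp --ip-sport $port -j ACCEPT"
    done
}

# True (exit 0) when an address, port or MAC option is followed by another
# option instead of a value, e.g. "--ip-destination --ip-proto tcp". ebtables
# rejects such a command, so the rule is never added and only the chain
# policy acts, which is exactly the symptom described in the post.
has_missing_arg() {
    printf '%s\n' "$1" |
        grep -qE -- '(--ip-(src|dst|sport|dport|source|destination|source-port|destination-port)|-s)( +!)? +-'
}

# Apply the ruleset only after every generated rule passes the check.
apply_rules() {
    emit_rules | while IFS= read -r rule; do
        if has_missing_arg "$rule"; then
            echo "refusing malformed rule: $rule" >&2
            exit 1
        fi
    done || return 1
    emit_rules | sh
}

if [ "${1:-}" = apply ]; then apply_rules; else emit_rules; fi
```

Run it without arguments to review the generated commands, and with `apply` (as root, on the bridge host) to load them.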