All good, I had INPUT instead of FORWARD on the ESTABLISHED/RELATED rule; now fixed. To test I used:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 -p icmp -j DROP
works great!
Kind Regards
William
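As an added illustration (not part of the thread, and not anyone's posted code), here is a small Python model of a bridge's FORWARD chain with conntrack state and physdev matching. It shows why the original stateless `--physdev-out eth1` drop killed ping in both directions (a ping only succeeds if the echo-reply also crosses the bridge) and why the ESTABLISHED,RELATED accept followed by a drop on `--physdev-in eth0` blocks only pings initiated from the eth0 side. The host addresses, rule objects and the conntrack approximation are constructed for this example.

```python
"""Model of a bridge's iptables FORWARD chain with conntrack state and
physdev matching.  Constructed example mirroring the thread's topology:
eth1 <---> BRIDGE <---> eth0.  All modelled packets are ICMP echo, so
the '-p icmp' part of the real rules always matches and is left out."""
from dataclasses import dataclass
from typing import Optional

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    physdev_in: str    # bridge port the frame arrived on
    physdev_out: str   # bridge port the frame leaves on
    icmp_type: int


class Conntrack:
    """Minimal tracker for ICMP echo: an echo-reply whose reversed
    src/dst matches an accepted request is ESTABLISHED, else NEW."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        if pkt.icmp_type == ECHO_REPLY and (pkt.dst, pkt.src) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt):
        # Only packets that pass the filter create a flow entry, as with
        # real conntrack confirmation after the filter table.
        if pkt.icmp_type == ECHO_REQUEST:
            self.flows.add((pkt.src, pkt.dst))


@dataclass(frozen=True)
class Rule:
    target: str                        # ACCEPT or DROP
    state: Optional[str] = None        # -m state --state A,B
    physdev_in: Optional[str] = None   # -m physdev --physdev-in
    physdev_out: Optional[str] = None  # -m physdev --physdev-out

    def matches(self, pkt, state):
        return ((self.state is None or state in self.state.split(","))
                and (self.physdev_in is None or pkt.physdev_in == self.physdev_in)
                and (self.physdev_out is None or pkt.physdev_out == self.physdev_out))


def forward(chain, ct, pkt, policy="ACCEPT"):
    """Walk the FORWARD chain for one packet; first matching rule wins."""
    state = ct.state(pkt)
    verdict = policy
    for rule in chain:
        if rule.matches(pkt, state):
            verdict = rule.target
            break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


def ping(chain, src, dst, src_port, dst_port):
    """True if the echo-request from src and the echo-reply from dst both
    cross the bridge.  A fresh conntrack table keeps each ping independent."""
    ct = Conntrack()
    req = Packet(src, dst, src_port, dst_port, ECHO_REQUEST)
    if forward(chain, ct, req) != "ACCEPT":
        return False
    rep = Packet(dst, src, dst_port, src_port, ECHO_REPLY)
    return forward(chain, ct, rep) == "ACCEPT"


# The original attempt from the thread: drop all ICMP leaving via eth1,
# with no state match at all.
STATELESS = [Rule("DROP", physdev_out="eth1")]

# The working rule set from the thread: accept replies first, then drop
# new ICMP entering the bridge via eth0.
STATEFUL = [
    Rule("ACCEPT", state="ESTABLISHED,RELATED"),
    Rule("DROP", physdev_in="eth0"),
]

HOST_A, HOST_B = "10.0.0.1", "10.0.0.2"  # constructed: A behind eth1, B behind eth0


def outcomes(chain):
    """(ping A->B succeeds?, ping B->A succeeds?) for the given chain."""
    return (ping(chain, HOST_A, HOST_B, "eth1", "eth0"),
            ping(chain, HOST_B, HOST_A, "eth0", "eth1"))


if __name__ == "__main__":
    print("stateless drop:", outcomes(STATELESS))  # (False, False): both directions dead
    print("stateful drop: ", outcomes(STATEFUL))   # (True, False): only eth0-initiated pings blocked
```

The stateless rule fails because the reply to a ping started from the eth1 side is itself ICMP leaving via eth1, so it is dropped along with requests coming in from eth0. The ESTABLISHED,RELATED rule also answers the PMTU concern raised earlier in the thread: conntrack classifies ICMP error messages that refer to a tracked flow (fragmentation-needed included) as RELATED, so they pass that rule while unsolicited ICMP entering via eth0 is still dropped.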
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of William Bohannan
Sent: 20 December 2006 16:33
To: oscar@ufomechanic.net
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Still can't seem to block on the FORWARD chain in one direction. I tried
ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp -j DROP
Just as a test, with no other rules enabled at all (in iptables, tc or
ebtables), and it blocks both directions. Please can someone help?
Kind Regards
William
-----Original Message-----
From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
Sent: 14 December 2006 12:41
To: William Bohannan
Cc: lartc@mailman.ds9a.nl
Subject: RE: [LARTC] blocking traffic on the FORWARD chain using physdev
Are you sure you want to block ICMP? How about PMTU?
ebtables -I FORWARD 1 -i eth0 -p ip --ip-protocol icmp
On Thu, 2006-12-14 at 21:34 +0900, William Bohannan wrote:
> Thanks for that. Would you be able to give a simple example of how to
> block outgoing traffic using ebtables and icmp? I get an error when
> using icmp:
>
> ebtables -A FORWARD -i eth1 -p icmp -j DROP
>
> Error message - "Problem with the specified protocol."
>
>
> Kind Regards
> William
>
>
> -----Original Message-----
> From: Oscar Mechanic [mailto:oscar@ufomechanic.net]
> Sent: 14 December 2006 12:27
> To: William Bohannan
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] blocking traffic on the FORWARD chain using physdev
>
> Hi
>
> Physdev may no longer be supported soon; something to do with hooks
> and how this is difficult to support. I have stopped using it because I
> found some odd behaviour in physdev-in; out seemed fine, I remember. I
> use ebtables and marks for this now.
>
>
> On Thu, 2006-12-14 at 20:55 +0900, William Bohannan wrote:
> > Currently using physdev on a bridge to try and isolate certain paths
> > across and to the bridge. It all works except when trying to stop the
> > flow in one direction on the FORWARD chain. Can someone please help?
> >
> > Below is the testing done so far.
> >
> > eth1 <---> BRIDGE <---> eth0
> >
> > # Block (eth0 ---> eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 <--- eth1) - blocks both directions and not just one??
> > iptables -A FORWARD -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> > # Block (eth0 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth0 -p icmp -j DROP
> >
> > # Block (eth0 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth0 -p icmp -j DROP
> >
> > # Block (eth1 ---> BRIDGE) - working
> > iptables -A INPUT -m physdev --physdev-in eth1 -p icmp -j DROP
> >
> > # Block (eth1 <--- BRIDGE) - working
> > iptables -A OUTPUT -m physdev --physdev-out eth1 -p icmp -j DROP
> >
> >
> > Kind Regards
> > William
> >
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc