- Subject: RE: ebtables on a stick
- From: "Greg Scott" <GregScott@xxxxxxxxxxxxxxxx>
- Date: Sat, 26 Nov 2011 02:27:12 -0600
- Thread-index: AcysFLg524OZKldcQGC2PN1UNsfxHgAAC9Vg
- Thread-topic: ebtables on a stick
I have a situation that needs to route mostly and bridge only a little bit.
I have a private internal LAN, 192.168.10.nnn. But one host on the internal side needs a real public IP Address, call it 1.2.115.157.
I have a Linux firewall set up with ebtables. Interface eth0 faces the Internet and has an IP Address of 1.2.115.146. Interface eth1 is on the LAN side with IP Address 192.168.10.1. Bridge br0 currently has no IP Address and bridges eth0 and eth1. Everyone on the LAN side except my public IP Address host uses the private side of the firewall at 192.160.10.1 for default gateway. The public IP Address host uses the public side of the firewall at 1.2.115.146 for default gateway.
The challenge - I need my public IP Address host to communicate with everyone around the Internet, including the private LAN – and I’ll filter that appropriately with iptables. Everything else should route traditionally.
This mostly works, except I am having trouble communicating with hosts in the private LAN. I can communicate anywhere else on the Internet as long as I don’t try to use my own DNS servers in the private LAN to translate names. After studying ebtables examples and tons of trial and error, I still don’t get it. Here are the ebtables rules:
[root@ehac-fw2011 firewall-scripts]# ebtables -t broute -Lc
Bridge table: broute
Bridge chain: BROUTING, entries: 9, policy: ACCEPT
-p IPv4 --ip-src 1.2.115.157 -j ACCEPT
-p IPv4 --ip-dst 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-src 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-dst 1.2.115.157 -j ACCEPT
-j redirect --redirect-target DROP
[root@ehac-fw2011 firewall-scripts]#
When my public IP host pings the Internal LAN, the internal LAN host replies. Watching tcpdump from the firewall, I can see the echo request come in and go out on both br0 and eth1 and I see the echo reply come back on eth1. But then the reply dies and I never send it back out eth1 over the wire. And when a private host pings the public host, the echo request dies at the firewall. So somehow, I am having trouble getting private→public traffic out of br0 and onto eth1.
What am I missing?
Thanks
- Greg Scott
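As an added illustration, not part of Greg's post or of the ebtables project, the following Python script models how the BROUTING chain listed above classifies frames. Rules are tried in order and the first match wins; in the broute table an ACCEPT verdict means the frame is bridged, while DROP means it is handed to the IP stack for routing rather than discarded. The rule text is copied from the listing; the sample frames and the addresses 192.168.10.50 and 203.0.113.9 are constructed for the example, and nothing here touches the kernel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copy of the BROUTING chain shown in the post (rule text only, counters omitted).
BROUTING_RULES = """\
-p IPv4 --ip-src 1.2.115.157 -j ACCEPT
-p IPv4 --ip-dst 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-src 1.2.115.157 -j ACCEPT
-p ARP --arp-ip-dst 1.2.115.157 -j ACCEPT
-j redirect --redirect-target DROP
"""
CHAIN_POLICY = "ACCEPT"   # "policy: ACCEPT" in the listing

# Broute-table semantics: ACCEPT = bridge the frame, DROP = pass it to the
# routing code (the frame is not discarded). A bare "redirect" target without
# --redirect-target defaults to ACCEPT.
VERDICT_PATH = {"ACCEPT": "bridge", "DROP": "route", "REDIRECT": "bridge"}


@dataclass
class Frame:
    proto: str   # "IPv4" or "ARP", as in the ebtables -p value
    src: str     # IP source (or ARP sender IP)
    dst: str     # IP destination (or ARP target IP)


@dataclass
class Rule:
    proto: Optional[str]
    src: Optional[str]
    dst: Optional[str]
    target: str
    text: str


def parse_rule(line: str) -> Rule:
    """Parse one 'ebtables -t broute -L' rule line into a Rule."""
    tokens = line.split()
    proto = src = dst = target = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-p":
            proto = tokens[i + 1].lower()
        elif opt in ("--ip-src", "--arp-ip-src"):
            src = tokens[i + 1]
        elif opt in ("--ip-dst", "--arp-ip-dst"):
            dst = tokens[i + 1]
        elif opt in ("-j", "--redirect-target"):
            target = tokens[i + 1]   # --redirect-target overrides the 'redirect' target
        else:
            i += 1
            continue
        i += 2
    if target is None:
        raise ValueError(f"rule has no target: {line!r}")
    return Rule(proto, src, dst, target.upper(), line.strip())


def parse_chain(listing: str):
    return [parse_rule(l) for l in listing.splitlines() if l.strip()]


def _addr_match(pattern: Optional[str], addr: str) -> bool:
    """Match a plain address or a CIDR prefix (ebtables accepts both)."""
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, frame: Frame) -> bool:
    if rule.proto is not None and rule.proto != frame.proto.lower():
        return False
    return _addr_match(rule.src, frame.src) and _addr_match(rule.dst, frame.dst)


def broute(frame: Frame, rules=None, policy: str = CHAIN_POLICY):
    """First matching rule decides; returns (path, rule_text). Policy applies if none match."""
    rules = parse_chain(BROUTING_RULES) if rules is None else rules
    for rule in rules:
        if rule_matches(rule, frame):
            return VERDICT_PATH[rule.target], rule.text
    return VERDICT_PATH[policy], "chain policy"


if __name__ == "__main__":
    # Constructed sample frames reflecting the scenario described in the post.
    samples = {
        "public host -> private LAN (echo request)": Frame("IPv4", "1.2.115.157", "192.168.10.50"),
        "private LAN -> public host (echo reply)":   Frame("IPv4", "192.168.10.50", "1.2.115.157"),
        "private LAN -> Internet":                   Frame("IPv4", "192.168.10.50", "203.0.113.9"),
        "ARP who-has gateway, tell public host":     Frame("ARP", "1.2.115.157", "1.2.115.146"),
        "ARP from a private host":                   Frame("ARP", "192.168.10.50", "192.168.10.1"),
    }
    for label, frame in samples.items():
        path, rule = broute(frame)
        print(f"{label:45s} -> {path:6s} (matched: {rule})")
```

Running it shows that every frame carrying 1.2.115.157 as source or destination, including the echo reply coming back from the private LAN host, is classified "bridge", and that only frames with neither address end up on the "route" path; when checking a live box, compare that classification against the per-rule counters from `ebtables -t broute -Lc` to see which rule the frames of interest actually hit.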