
                           HӺ+netfilter Howto

[1]Nils Radtke v0.2, September 2002
Ķ: [2]_ yintianbao@yahoo.com.cn

   ½Ķ: 2002~1111 revision 0.2
     _________________________________________________________________

   tm@ӥHӺڭ̦|b@Ӳ{zai@ӽձ]ơC
   oذtmLܲ{޿赲cCOqLb{zMѳ]ơ]
   sinternet@صw^[JHӺӹ{C

   oHowto]䥦[3]䥦榡iΡCˤUG[4]documentation tarball.
   CA]iHb [5]Linux Documentation Project쥦CQ䥦y
   ܡHݬݳo[6]wy

   v
   2002-09-19Gb"DD"A_ebtables챵wgsCK[F
   _[7]false positive" br-nf debugging outputƪ`C
   2002-10-08GK[F"tm"Ab "Setting up the routing, Ping it,
   Jim!" ѤFѪ@ǽuC

1.[8]

   2.[9]ݪn

     * 2.1 [10]linux֪S
     * 2.2 [11]ΤŶuGbrctl

   3.[12]tmlinuxHѥnA

     * 3.1 [13]tm
     * 3.2 [14]tm

   4.[15]էAs

     * 4.1 [16]ճ
     * 4.2 [17]Ping it, Jim!
     * 4.3 [18]ڪtm
     * 4.4 [19]O

   5.[20]䥦챵

     * 5.1 [21]HӺ
     * 5.2 [22]DD
     _________________________________________________________________

   HӺzaNөΦhӤPHӺqsb@_C HӺNq@
   ݤfiӪHӺVoM۳s䥦ݤfAo@u@Hۦ
   GunDݤfMACa}AHӺN|qLoӺݤfNһݶǰee
   owHӺqA䥦q|vTC

   HӺfiHQ[@Ӳ{fæf@Ӻݤf]޿W^
   C netfilterbfWHϺLoOCoˡANiH{@
   ӳzLo]ơCƦܵLIPa}NiHu@CMAX_K@ت
   AA]iHft@IPa}]FwAuSSH^C

   o˰nBO㪺A֤FchWCΤ]|NѨsb
   AL̪~siHQ_CӥBAΤu@ɤ]iQFZ]QQݷ
   _}ɡAqlhj^C

   t@شMpOȤqL@ӯΪѾsinternetCѤ_AȴѰ
   ܤַ|NL̪X]ƪ޲zvѵȤAҥHȤLkܨstm
   CMȤ|@ӥbB۪AåBQnOִ̤NiHΡAL]Q
   stmӺҡCpGκܡANiHFC
     _________________________________________________________________

   2.nn

   ӧڭ̴ճnDAbHӺpWoǳnOnC

   2.1 linux֯S

   pGAϥΪ֪O2.4.18ܡAHӺ\wgmihFCL
   [ɤBFC

   OpAϥnetfilter\઺ܡA]ڭ̷QboxslinuxѾ/
   ] ^W]iptablesAڭ̤Mݭn[@ӸɤBAݭnɤB
   iHboӺMUsourceforge Ethernet Bridge homepage

root@bridge:~> cd /usr/src/
root@bridge:~> wget -c http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.18.diff
root@bridge:~> cd /usr/src/linux/
root@bridge:~> patch -p1 -i ../bridge-nf/bridge-nf-0.0.7-against-2.4.18.diff

   pڭ̧ƱnetfilterAӥBڭ̤wgvanillal֥WFɤB
   Aڭ̴NnE@ǥnְtmCpcؤ@ӦۤvֽЬthe
   CD-Net-Install-HOWTO, ToolboxAAiO٬Ouw媩AAH
   ɶڦA⥦½Ķ@UC

   oܤֻAڭ٬O}laG bCode maturity level options ڭ̿襤
        [*] Prompt for development and/or incomplete code/drivers

   bLoadable module supportAڭ̿襤
        [*] Enable loadable module support
        [*]   Set version information on all module symbols
        [*]   Kernel module loader

   nFA{biiA{bڭ̶i Networking options  襤
        [*] Network packet filtering (replaces ipchains)
        [*]   Network packet filtering debugging

   ~AbIP: Netfilter Configuration ڭ̧ҦݭnаOҶA{
   bݤw[DXF: 襤
         802.1d Ethernet Bridging

   ]襤
        [*]   netfilter (firewalling) support

   `NG Wubڭ̦\֥WɤB~|C ̫Aڭ̴NiH
   Rݦ\FC
root@bridge:~> make dep clean bzImage modules modules_install

   ֽsĶAOѤFs/etc/lilo.conf AMᰵ
root@bridge:~> lilo -t
root@bridge:~> lilo
root@bridge:~> reboot

   ܡG ڭ̤]iHNsּаObridge֡Aڭ̥visbַؿ
   MakefileAڭ̧EXTRAVERSION =o@AiHb᭱[WbridgeAb
   ֽsĶA֪WrNO2.4.18bridgeC bmodules_installw˫Aڭ
   N|b/lib/modules/2.4.18bridgeؿsҶC
     _________________________________________________________________

   2.2 ΤŶuGbrctl

   ڭ̪֦HӺMnetfilteroإ\઺OAڭ̴Nݭn
   ƥΤŶubrctlCbrctlOΨӰtmuC ڭ̨oU
   download the source tarballAѥ]öiJѥ]᪺ؿ
root@bridge:~> wget -c http://bridge.sourceforge.net/bridge-utils/bridge-utils-0.9.5.tar.gz
root@bridge:~> tar xvzf bridge-utils-0.9.5.tar.gz
root@bridge:~> cd bridge-utils-0.9.5

   oɡAо\ŪREADMEMdoc/lؿUAM²amakeMcopy
   brctl/brctl iɨ/sbin/UC
root@bridge:~> make
root@bridge:~> cp -vi brctl/brctl /sbin/

   o˴NnFA{bӥhtmFC
     _________________________________________________________________

   3 ]mlinuxB

   3.1 tm

   ڭ̻ݭnlinuxDAiDAڭ̷Qn@ӵHӺfG
   ]oNbDbridgeWAMݬݴճ^
root@bridge:~> brctl addbr br0

   䦸Aڭ̤ݭnSTP(ͦĳ)C]ڭ̥u@ӸѾAO藍i
   Φ@Cڭ̥iHoӥ\C]oˤ]iHֺҪƾڥ]
   ìV^G
root@bridge:~> brctl stp br0 off

   gLoǷǳƤu@Aڭ̲פ_iH@ǥ߬񨣼vƤFCڭ̲K[ӡ]
   h^HӺzfANOGڭ̱NL̪[ͦ޿]^
   fbr0WC
root@bridge:~> brctl addif br0 eth0
root@bridge:~> brctl addif br0 eth1

   {bAӧڭ̪ӥHӺzfܦFW޿ݤfCӪ
   zfLhsbAӤ]|CnHܡAhݬݦnFC .{bL̦F
   ޿]ƪ@FAҥHAݭnIPa}CUڭ̱NoIPa}
root@bridge:~> ifconfig eth0 down
root@bridge:~> ifconfig eth1 down
root@bridge:~> ifconfig eth0 0.0.0.0 up
root@bridge:~> ifconfig eth1 0.0.0.0 up

   nFIڭ̲{bF@ӥIPa}Sbox w/oFC nFAoUpGAQ
   qLTPtmAθѾܡAANuqLaݤfFCA|
   iDڧAWsݤfSaH

   iG ڭ̵oӷsft@IPa}
 root@bridge:~> ifconfig br0 10.0.3.129 up

   oUڭ̰F ݭn

   3.2 tm

   U@ڭ̭ntm@ӺAڭ̭nblinux֤}o
  root@bridge:~> echo "1" > /proc/sys/net/ipv4/ip_forward

   ڭ̪Boxwg@IPa}FA٨Sq{ѡAڭ̲{bӸѨMoӰD
   G
root@bridge:~> route add default gw 10.0.3.129

   oˡAڭ̴NӦ@ӥiH`u@FC
     _________________________________________________________________

   4.էAa

   4.1ճ

   ڭ̰]pUG
                                                          /\
          Ethernet           Ethernet           ATM    /-/  \
---------          ---------          ---------     /-/      |
|  Box  |----------|Bridge |----------|Router |-----| Inter-  \
---------          ---------          ---------     \  net  ---|
         ^        ^         ^        ^               \     /
         |        |         |        |                \---/
        eth0     eth0      eth1     if0                 ^
         |        |         |        |                  |
      10.0.3.2   none/10.0.3.1      195.137.15.7    anything else
                  \         /
                   \       /
   ^                \-br0-/
   |                                      ^             ^
   |                   ^                  |             |
   |                   |                  |             |
  own                 own              foreign        hostile

   ڭ̪޲zvu]AаOOWNAѾkڭ̺ޡAM]O
   binternetWC NۡApGڭ̷QbHӺWǿ骺ƾڡAڭ̥i
   H⨾𪺥\ධWCӼзǰkIOAAbAW
   CxWnhq{CouO@HLkԨIASHQ
   b5xHWvӥhקq{ѡCnѤFAɶNOAQۮO
   j⪺rڴNߵhC t@ӤkOMBٮɡAwCwb_
   ̮ڥLtIPa}ASIPASMICܤ_o@zסAڭ̧Ʊۤv
   stacksOw]Mo˪@椣@wȱoH^C̤juIOt
   mOzBڥLIPBMACCAܳ̾AXAkC

   4.2 Ping it, Jim!

   ڭ̱Nӱ`tmBOXeth0,ftmyzbSETUP pGڭ̷Qn}]
   oAiHo˰
root@bridge:~> echo "1" > /proc/sys/net/ipv4/ip_forward

   i諸Aڭ̰tm@q{
root@bridge:~> route add default gw 10.0.3.129

   MAڭ̦bDbridgeWtm@iptablesWhC
root@bridge:~> iptables -P FORWARD DROP
root@bridge:~> iptables -F FORWARD
root@bridge:~> iptables -I FORWARD -j ACCEPT
root@bridge:~> iptables -I FORWARD -j LOG
root@bridge:~> iptables -I FORWARD -j DROP
root@bridge:~> iptables -A FORWARD -j DROP
root@bridge:~> iptables -x -v --line-numbers -L FORWARD

   ̫@Aڭ̥iHݨHUXG
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target   prot opt in     out     source   destination
1           0        0 DROP       all  --  any    any     anywhere anywhere
2           0        0 LOG        all  --  any    any     anywhere anywhere
  LOG level warning
3           0        0 ACCEPT     all  --  any    any     anywhere anywhere
4           0        0 DROP       all  --  any    any     anywhere anywhere

   LOG targetqLsyslogdOC@ӥ]An`NAouOHլتɡA~o
   ˰AbBҸ̭n⥦RCnMAA|o{ۤvlogsQgBw
   LܦhŶQڡCQOHΦۤvۤviڵAȧC Awg
   DiȫGFA{bӴճoǳWhAbDboxWping ѾfIP
   ]195.137.15.7^C
root@box:~> ping -c 3 195.137.15.7
PING router.provider.net (195.137.15.7) from 10.0.3.2 : 56(84) bytes of data.
--- router.provider.net ping statistics ---
3 packets transmitted, 0 received, 100% loss, time 2020ms
^C
root@box:~>

   q{aAڭ̱NҦ]CS^A]O]A]netfilterQtm
   Ҧ]ADڭ̧RbLOG targeteҦ]Wh]Wh
   1^
root@bridge:~> iptables -D FORWARD 1
root@bridge:~> iptables -x -v --line-numbers -L FORWARD

   {bWhOG
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target   prot opt in     out     source   destination
2           0        0 LOG        all  --  any    any     anywhere anywhere
  LOG level warning
3           0        0 ACCEPT     all  --  any    any     anywhere anywhere
4           0        0 DROP       all  --  any    any     anywhere anywhere

   o˥]iHqLCbDBOXWping@UոաG
root@box:~> ping -c 3 195.137.15.7
PING router.provider.net (195.137.15.7) from 10.0.3.2 : 56(84) bytes of data.
64 bytes from router.provider.net (195.137.15.7): icmp_seq=1 ttl=255 time=0.103 ms
64 bytes from router.provider.net (195.137.15.7): icmp_seq=2 ttl=255 time=0.082 ms
64 bytes from router.provider.net (195.137.15.7): icmp_seq=3 ttl=255 time=0.083 ms

--- router.provider.net ping statistics ---
oeF3ӥ]AF3ӥ]ASᥢAtime 2002msC

]3 packets transmitted, 3 received, 0% loss, time 2002ms^
rtt min/avg/max/mdev = 0.082/0.089/0.103/0.012 ms
root@box:~>

   nFAoUAѾQEFAsqFAiHBFC]jF@Ѫɶ
   F^

   nܡG

   ڭ̱ҰʾfɡAjݭn30~iu@AoO`Aboqɶ
   ݤf|ǲߨӺݤfMACa}C@̡AlennertbLTODO峹
   iDڭ̡Go30ǲ߮ɶNӦiQYuC

   OAbծɡAS]QoA]Sping^
     _________________________________________________________________

   4.3 ڰtm

   oOQA---˷RŪ̡A@ǴܡAYӳoHOWTO\AA
   tάݤWhӬOˤlC

   ftm

   AIFCONFIGROXݤWhOo˪G
root@bridge:~> ifconfig
br0       Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          inet addr:10.0.3.129  Bcast:195.30.198.255  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:161180 (157.4 Kb)  TX bytes:66708 (65.1 Kb)

eth0      Link encap:Ethernet  HWaddr 00:04:75:81:ED:B7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:656
          collisions:0 txqueuelen:100
          RX bytes:1922290 (1.8 Mb)  TX bytes:298837 (291.8 Kb)
          Interrupt:11 Base address:0xe400

eth1      Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:1 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:342 (342.0 b)  TX bytes:48379 (47.2 Kb)
          Interrupt:7 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1034 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1034 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82068 (80.1 Kb)  TX bytes:82068 (80.1 Kb)

   Ѱtm

   ArouteROXݤWhOo˪G
root@bridge:~> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.129      0.0.0.0         255.255.255.128 U     0      0        0 br0
0.0.0.0         10.0.3.129      0.0.0.0         UG    0      0        0 br0
root@bridge:~>

   Iptables tm Ьping it ,jim!

   4.4 `NƶG

   aAbbr-nfNX̤@wbug:
From: Bart De Schuymer
Date: Sun, 1 Sep 2002 21:52:46 +0200
To: Nils Radtke
Subject: Re: Ethernet-Brigde-netfilter-HOWTO
NilsAAnG

   [...]

   P˻ݭn`NOA]Loոե[ibr-nfɤBAq`pUOӦnD
   NC|blogsK[jq~ĵiC

   [...]

   _ڭӤHӨAbڪlogqL~C]Personally, I never had
   false positives in my log.^γ\AoBUGwgQץFCBartbl󤤳o
   ˼gG

From: Bart De Schuymer
Date: Mon, 2 Sep 2002 18:30:25 +0200
To: Nils Radtke
Subject: Re: Ethernet-Brigde-netfilter-HOWTO

   b2002~92AP@ANilsbBartl󤤼gGbr-nfnf-debugNX
   ׭qٷ|[HiܡH

   ڥӻ{OA̪񪺾ާ@ڨSĥΥanetfilter debugging
   CXӤe֩wOLo~]HӺlC_oӰDKl^
   Cڤ@SɶhFѨ]A]D{bάO_ҧܡCڧo
   CbFڪ{WFC [...]

   pڦb2002~919骺lWgˡAک|ݨ󥿦iY
   bugwgQ״_CpGAp󨾤DP쪺ܡAiHg`
   ethernet bridge mailinglisthݬݡC
     _________________________________________________________________

   5. 챵

   AiHqL[23]e-mailMHowto@pt.
   [24]Howto@̪D

   5.1 Ethernet-Bridge

     * [25]HӺlC
     * ΤŶAɤB: [26]Home of Linux kernel Ethernet Bridge
     * [27]Bridge-STP-HOWTO
     * [28]Firewalling for Free, Shawn Grimes

   5.2 DD

   LoHӺVAHӺ:
     * [29]ebtables, sourceforge
     * [30]ebtables, homepage at pandora.be
     * [31]ebtables, supported features
     * [32]basic,[33]advanced
     * [34]ebtables, in-depth documentation
     * [35]ebtables, Hacking HOWTO
     * IP mode, Linux Bridge extension: [36]IP mode, LVS
     * [37]High-Availability Linux
     * Linux Virtual Server: [38]LVS

References

   1. mailto:Nils.Radtke_@_Think-Future.de
   2. mailto:yintianbao@yahoo.com.cn
   3. http://www.think-future.de/DOCUMENTATION/Ethernet-Bridge-netfilter-HOWTO/other_formats/
   4. http://www.think-future.de/DOCUMENTATION/Ethernet-Bridge-netfilter-HOWTO/Ethernet-Bridge-netfilter-HOWTO.tar.gz
   5. http://www.tldp.org/docs.html#howto
   6. http://www.think-future.de/DOCUMENTATION/Ethernet-Bridge-netfilter-HOWTO_de/
   7. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4d
   8. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#1
   9. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#2
  10. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#2a
  11. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#2b
  12. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#3
  13. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#3a
  14. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#3b
  15. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4
  16. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4a
  17. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4b
  18. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4c
  19. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#4d
  20. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#5
  21. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#5a
  22. file://localhost/var/ftp/pub/CLDP/howto-translations/mini/Ethernet+Netfilter.html#5b
  23. mailto:Ethernet-Bridge-netfilter-Howto_@_Think-Future.de
  24. http://www.Think-Future.de/
  25. http://www.math.leidenuniv.nl/pipermail/bridge/
  26. http://bridge.sourceforge.net/
  27. http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/index.html
  28. http://www.think-future.de/DOCUMENTATION/Ethernet-Bridge-netfilter-HOWTO/additional_docs/Firewalling_for_Free.pdf
  29. http://sourceforge.net/projects/ebtables
  30. http://users.pandora.be/bart.de.schuymer/ebtables/
  31. http://users.pandora.be/bart.de.schuymer/ebtables/properties.html
  32. http://users.pandora.be/bart.de.schuymer/ebtables/examples.html
  33. http://users.pandora.be/bart.de.schuymer/ebtables/battlefield_examples.html
  34. http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html
  35. http://users.pandora.be/bart.de.schuymer/ebtables/ebtables-hacking/ebtables-hacking-HOWTO.html
  36. http://www.linuxvirtualserver.org/~julian/#bridging
  37. http://www.linux-ha.org/
  38. http://www.linuxvirtualserver.org/
