public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] is iptables needed on a Bridge
@ 2006-02-13  2:58 Ow Mun Heng
  2006-02-14  0:38 ` Boyd Stephen Smith Jr.
From: Ow Mun Heng @ 2006-02-13  2:58 UTC
  To: gentoo-user

Hi all,

Just got a bridge setup to put in to monitor network traffic. I wonder
if there's a need to put in iptables/ebtables into it.

the bridge(br0) does not have an ip address.

-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4GHz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 10:55:46 up 2 days, 23:11, 5 users, load average: 0.68,
0.51, 0.46 



-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] is iptables needed on a Bridge
  2006-02-13  2:58 [gentoo-user] is iptables needed on a Bridge Ow Mun Heng
@ 2006-02-14  0:38 ` Boyd Stephen Smith Jr.
  2006-02-14  9:31   ` Ow Mun Heng
From: Boyd Stephen Smith Jr. @ 2006-02-14  0:38 UTC
  To: gentoo-user

On Sunday 12 February 2006 20:58, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote 
about '[gentoo-user] is iptables needed on a Bridge':
> 	Just got a bridge setup to put in to monitor network traffic. I wonder
> if there's a need to put in iptables/ebtables into it.

While I have seen iptables rules like -i br0 -o br0 ACCEPT, I do not think 
they are necessary normally.  I know my bridge device will move traffic 
from eth0 to eth1 and vice-versa without iptables (I don't think it's even 
in my kernel).

> the bridge(br0) does not have an ip address.

That seems wrong to me, my bridge device (between the two GB ethernet 
ports on my MB) does indeed get an IP address and neither eth0/1 gets one.

Might check this out: 
http://www.headnut.org/files/linux-gentoo_bridge_guide.txt

-- 
Boyd Stephen Smith Jr.
bss03@volumehost.com
ICQ: 514984 YM/AIM: DaTwinkDaddy

* Re: [gentoo-user] is iptables needed on a Bridge
  2006-02-14  0:38 ` Boyd Stephen Smith Jr.
@ 2006-02-14  9:31   ` Ow Mun Heng
  2006-02-14 11:43     ` Boyd Stephen Smith Jr.
From: Ow Mun Heng @ 2006-02-14  9:31 UTC
  To: gentoo-user

On Mon, 2006-02-13 at 18:38 -0600, Boyd Stephen Smith Jr. wrote:
> On Sunday 12 February 2006 20:58, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote 
> about '[gentoo-user] is iptables needed on a Bridge':
> > 	Just got a bridge setup to put in to monitor network traffic. I wonder
> > if there's a need to put in iptables/ebtables into it.
> 
> While I have seen iptables rules like -i br0 -o br0 ACCEPT, I do not think 
> they are necessary normally.  I know my bridge device will move traffic 
> from eth0 to eth1 and vice-versa without iptables (I don't think it's even 
> in my kernel).

I only asked this question because I am paranoid and when building
internet connected servers, being paranoid is a good thing(tm).

From what I read, putting iptables/ebtables is for using the bridge as
an in-place firewall (transparently etc).

I also wanted to know if there's a need for iptables, mainly for
security. But since there isn't an IP addressed to br0, I would presume
that it is safe, but I thought I'll check here 1st.

> 
> > the bridge(br0) does not have an ip address.
> 
> That seems wrong to me, my bridge device (between the two GB ethernet 
> ports on my MB) does indeed get an IP address and neither eth0/1 gets one.

Yes. That's right, eth0 and eth1 don't get an IP.
/etc/conf.d/net contains (baselayout-1 bash array syntax, so the "="
is required)
config_eth0=( "null" )
config_eth1=( "null" )

I don't put an IP on the bridge (Br0) because there isn't a need for
one. What I do is put another eth card (eth2) into the mix and put a
private IP into it for SSH access and admin etc.

> Might check this out: 
> http://www.headnut.org/files/linux-gentoo_bridge_guide.txt

Have read through it (again). I believe I've seen this before when I was
researching bridges.

* Re: [gentoo-user] is iptables needed on a Bridge
  2006-02-14  9:31   ` Ow Mun Heng
@ 2006-02-14 11:43     ` Boyd Stephen Smith Jr.
  2006-02-14 15:05       ` Hans-Werner Hilse
From: Boyd Stephen Smith Jr. @ 2006-02-14 11:43 UTC
  To: gentoo-user

On Tuesday 14 February 2006 03:31, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote 
about 'Re: [gentoo-user] is iptables needed on a Bridge':
> On Mon, 2006-02-13 at 18:38 -0600, Boyd Stephen Smith Jr. wrote:
> > On Sunday 12 February 2006 20:58, Ow Mun Heng <Ow.Mun.Heng@wdc.com>
> > wrote
> >
> > about '[gentoo-user] is iptables needed on a Bridge':
> > > 	Just got a bridge setup to put in to monitor network traffic. I
> > > wonder if there's a need to put in iptables/ebtables into it.
>
> I only asked this question because I am paranoid and when building
> internet connected servers, being paranoid is a good thing(tm).

Agreed.

If you /do/ want to do packet filtering on br0, I believe you can with 
iptables.  A rule within the filter table on the FORWARDING chain with -i 
br0 -o br0 should match.  You could also do some logging this way.

> I also wanted to know if there's a need for iptables, mainly for
> security. But since there isn't an IP addressed to br0, I would presume
> that it is safe, but I thought I'll check here 1st.

I really can't answer the safety issue.  From my understanding packets 
coming in br0 can be delivered locally, even when br0 doesn't have an IP 
address (and similarly with sending packets out br0), so I don't think not 
having an IP address really buys you any safety.

That said, I'm a newbie or worse when it comes to these issues.  I've just 
recently started learning iptables.

> > > the bridge(br0) does not have an ip address.
> >
> > That seems wrong to me, my bridge device (between the two GB ethernet
> > ports on my MB) does indeed get an IP address and neither eth0/1 gets
> > one.
>
> Yes. That's right, eth0 and eth1 don't get an IP.
> /etc/conf.d/net contains
> config_eth0=( "null" )
> config_eth1=( "null" )
>
> I don't put an IP on the bridge (Br0) because there isn't a need for
> one. What I do is put another eth card (eth2) into the mix and put a
> private IP into it for SSH access and admin etc.

Okay; I use my br0 as my connection to the local network, so I do assign a 
(DHCP) address to it.

-- 
Boyd Stephen Smith Jr.
bss03@volumehost.com
ICQ: 514984 YM/AIM: DaTwinkDaddy

* Re: [gentoo-user] is iptables needed on a Bridge
  2006-02-14 11:43     ` Boyd Stephen Smith Jr.
@ 2006-02-14 15:05       ` Hans-Werner Hilse
From: Hans-Werner Hilse @ 2006-02-14 15:05 UTC
  To: gentoo-user

Hi,

On Tue, 14 Feb 2006 05:43:33 -0600
"Boyd Stephen Smith Jr." <bss03@volumehost.com> wrote:

> On Tuesday 14 February 2006 03:31, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote 
> about 'Re: [gentoo-user] is iptables needed on a Bridge':
> > [...]
>
> If you /do/ want to do packet filtering on br0, I believe you can with 
> iptables.  A rule within the filter table on the FORWARDING chain with -i 
> br0 -o br0 should match.  You could also do some logging this way.

Nah, bridging is ethernet layer, not IP layer. So it will work using
ebtables, not iptables.

OTOH, when building a bridge, it usually doesn't make much sense to set
up lots of rules for security's sake, but rather in order to reduce
chattiness between the bridged networks (one may want to filter
broadcasts and other noisy stuff).

> > I also wanted to know if there's a need for iptables, mainly for
> > security. But since there isn't an IP addressed to br0, I would presume
> > that it is safe, but I thought I'll check here 1st.
> 
> I really can't answer the safety issue.  From my understanding packets 
> coming in br0 can be delivered locally, even when br0 doesn't have an IP 
> address (and similarly with sending packets out br0), so I don't think not 
> having an IP address really buys you any safety.

It certainly does, but OTOH, the OP wrote he'll set up a third ethernet
adapter for connecting to the bridging machine, so iptables may make
sense on that interface.

The FORWARD chain of iptables is only for forwarding IP packets (heh,
it's obvious, isn't it? :-), i.e. when building a router. Well, I think
it should be possible to redirect bridged packets to the local host in
order to let them go through routing, but this seems to be a little
kludgy, because the same thing probably can be achieved by using
proxy_arp in the first place, which would save us from using
promiscuous mode...

-hwh
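A rule set for the monitoring setup the thread describes (ebtables on the bridge itself, iptables only on the separate admin interface), as an added example that is not from any of the posters. It assumes br0 bridges eth0 and eth1 with no address, that eth2 holds the admin IP, and that br_netfilter is not loaded so bridged frames are seen by ebtables alone; the admin network 192.168.100.0/24 is a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the thread: rules for the monitoring bridge
# discussed above. Assumptions: br0 = eth0 + eth1 with no IP address,
# eth2 carries a private admin IP, and br_netfilter is not loaded, so
# bridged frames are seen only by ebtables, never by iptables.
# RUN=echo (the default here) prints the commands; RUN="" executes them.
RUN="${RUN-echo}"
ADMIN_IF="${ADMIN_IF:-eth2}"
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"   # constructed sample value

run() { $RUN "$@"; }

# Layer-2 policy for br0 (ebtables filter table). The bridge stays
# transparent for forwarded frames, but the monitoring host itself never
# answers on, or talks out of, the bridge ports: frames addressed to the
# host (INPUT) and frames the host would originate (OUTPUT) are dropped.
bridge_l2_rules() {
    run ebtables -F
    run ebtables -P INPUT DROP
    run ebtables -P OUTPUT DROP
    run ebtables -P FORWARD ACCEPT
    # Reduce chattiness between the bridged segments, as suggested above:
    # drop NetBIOS name/datagram broadcasts instead of bridging them.
    run ebtables -A FORWARD -d Broadcast -p IPv4 --ip-proto udp \
        --ip-dport 137:138 -j DROP
    # Count every other broadcast so the noise level can be checked with
    # "ebtables -L --Lc" before deciding to filter more.
    run ebtables -A FORWARD -d Broadcast -j CONTINUE
}

# Host policy for the admin interface (iptables filter table). Only SSH
# from the admin network reaches the box; it forwards no IP traffic.
admin_host_rules() {
    run iptables -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$ADMIN_IF" -s "$ADMIN_NET" \
        -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix "bridge-host-drop: "
}

bridge_l2_rules
admin_host_rules
```

Run it as-is to review the commands; run it with RUN="" as root to apply them.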
