Re: [SLUG] Bridging Firewall

From: Ian C. Blenke (icblenke@nks.net)
Date: Thu Jun 19 2003 - 12:40:44 EDT


On Thursday 19 June 2003 10:52, btt wrote:
> Well, where I'm at now is this:
>
> (internet)--(ISP Router)--1(linux router)2--/switch/--(public net)
>                                        0\
>                                          \-(nat, priv net)
>
> where eth1 & eth2 are bound to the bridge interface br0
>
> Everything works fine, but I've found no way to inspect packets with
> iptables/netfilter based on destination IP address. I found a patch
> from the bridge.sourceforge.net site and applied it, but haven't had a
> chance to reboot and re-set-up everything. But it claims to work, so
> we'll see.

As the bridging happens *before* your firewall's IP stack gets ahold of the
frames, all "external" traffic will show up on the "internal" network.
Moreover, ALL IP TRAFFIC WILL BE DOUBLED. Think of a one-armed router, and
you get the idea. Both segments will see all ethernet traffic coming in *and*
going out.

Bridging and IP typically don't mix, unless you're looking for something like
a brouter (or IP switch).

What you really want to use is ebtables:

        http://ebtables.sourceforge.net/

This way, you can bridge the traffic you wish to pass through (i.e., IPX, LAT,
AppleTalk, other) based on MAC ACLs and IP route traffic without letting the
ethernet frames "leak" through to both sides.

If you're only using IP, there's no real need to bridge here (that I can see).
Perhaps I'm just not getting your ASCII diagrams or description of the
problem you're trying to solve.

-- 
- Ian C. Blenke <icblenke@nks.net>

(This message bound by the following: http://www.nks.net/email_disclaimer.html)
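The brouter setup Ian describes above, as an added example that is not part of the original thread or of the ebtables project: IPv4 and ARP frames are pulled out of the bridge and routed (so iptables can match on destination IP, which is what the original poster wanted), while non-IP protocols stay bridged under a MAC allow-list. Everything below is assumed rather than taken from the thread: the bridge ports are eth1 (ISP side) and eth2 (public switch), the router's IP addresses live on eth1/eth2 themselves rather than on br0, and the MAC addresses and the 203.0.113.10 address are constructed placeholders.

```sh
#!/bin/sh
# Added example (not code from the original thread): a Linux "brouter"
# built with ebtables. Assumptions: br0 bridges eth1 and eth2, the router's
# IP addresses are configured on eth1/eth2 (brouted frames are handed to the
# stack as if received on the physical port), and the MACs/IPs below are
# constructed placeholders.
#
# broute-table semantics, the part people most often get backwards:
#   ACCEPT -> bridge the frame as usual (the IP stack never sees it)
#   DROP   -> do NOT bridge; hand the frame to the network stack as if it
#             had arrived on the physical port, i.e. route it. The frame
#             is not discarded.

# Constructed allow-list of stations whose non-IP traffic may be bridged.
ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"
# Placeholder destination (TEST-NET-3) to filter once IP is being routed.
BLOCKED_DST="203.0.113.10"

# Print the rule set instead of running it, so it can be reviewed (or
# tested) before touching a live box; apply_rules feeds it to sh.
brouter_rules() {
    echo "ebtables -t broute -F"
    echo "ebtables -F"
    echo "iptables -F FORWARD"
    # 1. IPv4 and ARP arriving on either bridge port are routed, not
    #    bridged, so they never leak to the other segment and iptables
    #    sees ordinary routed packets with a real destination address.
    for port in eth1 eth2; do
        for proto in IPv4 ARP; do
            echo "ebtables -t broute -A BROUTING -p $proto -i $port -j DROP"
        done
    done
    # 2. Everything else (IPX, AppleTalk, LAT, ...) is still bridged, but
    #    only from known source MACs; frames from unknown stations are
    #    dropped in the bridge FORWARD chain before crossing segments.
    for mac in $ALLOWED_MACS; do
        echo "ebtables -A FORWARD -s $mac -j ACCEPT"
    done
    echo "ebtables -A FORWARD -j DROP"
    # 3. The original poster's goal: filter routed IP by destination IP.
    echo "iptables -A FORWARD -i eth1 -o eth2 -d $BLOCKED_DST -j DROP"
}

# Apply the generated rules on a live system (requires root and ebtables).
apply_rules() {
    brouter_rules | sh -e
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    brouter_rules
fi
```

Run without arguments to review the generated rules; run with `apply` as root to load them. Because the broute rules remove IPv4/ARP from the bridge path entirely, the final `ebtables -A FORWARD -j DROP` only ever sees non-IP frames, and iptables no longer needs any bridge patch to match on destination address.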



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:03:17 EDT