iptables bridging firewall

SuperTimmy · 03-27-2006, 08:10 AM

Hello,

I am running Debian Sarge with kernel 2.6.9 and have set up a bridge between eth2 (inet) & eth1 (lan) using the bridge-tools package.

I am trying to use iptables to limit the number of outbound ICMP connections initiated from within the bridged network while allowing all inbound traffic to continue to pass through.

I modified slightly the honeynet projects rc.firewall and have got:

iptables -A FORWARD -p icmp -m physdev --physdev-out eth2 -m state --state NEW -m limit --limit 10/hour --limit-burst 10 -s 192.168.1.10 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.10 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth2 -j DROP

Using the above rules I can ping the router from inside the bridge ten times before it begins to timeout, which is perfect. The problem comes when I try and ping from outside of the bridge in, all pings come back Request Timed Out regardless of wether the limit has been met.

How do I allow all incoming connections while blocking outgoing ones?

Help would be greatly appreciated.

SuperTimmy

batty_professor · 04-01-2006, 10:53 PM

The firewall should have a block for ping returns. If the block is on it will do as you see. The system may be working as you expect, but be blocking the ping returns. The ping block only stops incoming ping requests. I may be wrong too. but I would look for this.

03-27-2006, 08:10 AM	#1 (permalink)
SuperTimmy Registered User Join Date: Mar 2006 Posts: 1 OS: Debian	iptables bridging firewall Hello, I am running Debian Sarge with kernel 2.6.9 and have set up a bridge between eth2 (inet) & eth1 (lan) using the bridge-tools package. I am trying to use iptables to limit the number of outbound ICMP connections initiated from within the bridged network while allowing all inbound traffic to continue to pass through. I modified slightly the honeynet projects rc.firewall and have got: iptables -A FORWARD -p icmp -m physdev --physdev-out eth2 -m state --state NEW -m limit --limit 10/hour --limit-burst 10 -s 192.168.1.10 -j ACCEPT iptables -A FORWARD -m physdev --physdev-in eth2 -d 192.168.1.10 -j ACCEPT iptables -A FORWARD -m physdev --physdev-out eth2 -j DROP Using the above rules I can ping the router from inside the bridge ten times before it begins to timeout, which is perfect. The problem comes when I try and ping from outside of the bridge in, all pings come back Request Timed Out regardless of wether the limit has been met. How do I allow all incoming connections while blocking outgoing ones? Help would be greatly appreciated. SuperTimmy

04-01-2006, 10:53 PM	#2 (permalink)
batty_professor Asst. Manager, Alternative Computing Forums Join Date: Jul 2004 Location: Hooterville Il 45 mi. east of St. Louis mo Posts: 2,608 OS: Fedora Core 5 for now	The firewall should have a block for ping returns. If the block is on it will do as you see. The system may be working as you expect, but be blocking the ping returns. The ping block only stops incoming ping requests. I may be wrong too. but I would look for this. __________________ It's better to know me and not need me than to need me and not know me. B. While users are never under any obligation, if you feel the urge please feel free to visit our donation page. Every little bit helps. And we thank you for your support. Microsoft free Registered Linux user 397458