Ebtables: Difference between revisions
(10 intermediate revisions by 2 users not shown)

Line 1: | Line 1:
= Firewalling with Ethernet Tables =

On AAISP I have decided to run a NAT-free home network.

Some devices I have allow any IP address to control them, but they also need internet access for some functionality.

In addition to all that, I assigned v4 addresses dynamically to conserve the address space.
Line 14: | Line 15:
== /etc/network/interfaces ==

Valid if eth0.20 uses IEEE’s example MAC address [http://standards.ieee.org/develop/regauth/tut/eui48.pdf AC-DE-48-23-45-67]; the interface identifier aede:48ff:fe23:4567 in the addresses below is the modified EUI-64 derived from it.

iface int0 inet static

Line 23: | Line 24:

up /sbin/ifconfig int0 add fe80::aede:48ff:fe23:4567/64
up /sbin/ifconfig int0 add 2001:db8:cafe:1:aede:48ff:fe23:4567/64
# Optional: make use of the full capability of my Gigabit ethernet switch, by using the maximum possible MTU.
pre-up /sbin/ifconfig eth0 mtu 7200 || true
pre-up /sbin/vconfig add eth0 20 || true
pre-up /sbin/ifconfig eth0.20 mtu 7200 || true
bridge_ports eth0.20
bridge_stp off
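The stanza above pairs IEEE’s example MAC with the interface identifier aede:48ff:fe23:4567. As an added illustration (not part of the original page), the following POSIX shell functions perform that modified EUI-64 derivation and rebuild both the link-local and the 2001:db8:cafe:1 addresses from the MAC; the function names and the prefix argument are my own, the arithmetic is the standard RFC 4291 rule.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the modified EUI-64
# interface identifier (RFC 4291, Appendix A) from a 48-bit MAC address and
# build the addresses the interfaces stanza hard-codes for IEEE's example
# MAC AC-DE-48-23-45-67.

# mac_to_eui64 MAC
#   Prints the 64-bit identifier as four hex groups, e.g. aede:48ff:fe23:4567.
#   Accepts colon- or hyphen-separated MACs in either case; returns 1 on bad input.
mac_to_eui64() {
    mac=$(printf '%s' "$1" | tr -d ':' | tr -d '-' | tr 'A-F' 'a-f')
    case "$mac" in
        ????????????) ;;                       # exactly twelve characters
        *) echo "mac_to_eui64: '$1' is not a 48-bit MAC" >&2; return 1 ;;
    esac
    case "$mac" in
        *[!0-9a-f]*) echo "mac_to_eui64: '$1' is not hexadecimal" >&2; return 1 ;;
    esac
    o1=$(printf '%s' "$mac" | cut -c1-2)       # first octet, carries the U/L bit
    o2=$(printf '%s' "$mac" | cut -c3-4)
    o3=$(printf '%s' "$mac" | cut -c5-6)
    o4=$(printf '%s' "$mac" | cut -c7-8)
    o56=$(printf '%s' "$mac" | cut -c9-12)
    # Invert the universal/local bit (0x02) of the first octet ...
    o1=$(printf '%02x' $(( 0x$o1 ^ 0x02 )))
    # ... and splice 0xfffe between the OUI (first three octets) and the
    # device part (last three). Groups are printed zero-padded, without the
    # RFC 5952 zero compression the kernel applies when displaying them.
    printf '%s%s:%sff:fe%s:%s\n' "$o1" "$o2" "$o3" "$o4" "$o56"
}

# mac_to_linklocal MAC -> fe80::<eui64>
mac_to_linklocal() {
    id=$(mac_to_eui64 "$1") || return 1
    printf 'fe80::%s\n' "$id"
}

# mac_to_address PREFIX MAC -> <prefix>:<eui64>
#   PREFIX is the four-group /64 prefix, e.g. 2001:db8:cafe:1 (no trailing "::").
mac_to_address() {
    id=$(mac_to_eui64 "$2") || return 1
    printf '%s:%s\n' "$1" "$id"
}

# Usage: ./eui64.sh AC-DE-48-23-45-67 [more MACs...]
for m in "$@"; do
    printf '%s -> %s / %s\n' "$m" "$(mac_to_linklocal "$m")" \
        "$(mac_to_address 2001:db8:cafe:1 "$m")"
done
```

Running it with AC-DE-48-23-45-67 prints exactly the two addresses from the stanza, which is a quick way to check a hand-written EUI-64 address before committing it to the interfaces file.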
Line 41: | Line 46:

== In /etc/sysctl.conf ==

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

These settings stop frames that are merely bridged from being handed to arptables, ip6tables and iptables; traffic routed between ppp0 and int0 still passes through the iptables FORWARD chain, which is where the MARK rules below apply.
= Ebtables and IPtables rules =

Line 60: | Line 65:

# first let’s do some accounting.
# These rules need only match, not do anything, as we are interested in the ebtables accounting data.
# (A rule with no -j target uses ebtables' default CONTINUE target, so the counters are updated and traversal goes on.)
ebtables -N accounting -P RETURN
ebtables -A accounting --destination AC:DE:48:23:45:67/ff:ff:ff:ff:ff:ff
Line 82: | Line 87:

# mark incoming data so that we can account it.
# The iptables rules should also work with a default DROP policy, but then additional rules are needed to accept the traffic that must pass.
iptables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET
ip6tables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET
== Accounting ==

To save the accounting data I use a script run from /etc/cron.hourly; it builds a directory tree of accounting data that resembles the one on AAISP’s clueless pages, but broken down by MAC address. If I had [[Ethernet over ADSL]] the ISP might do this step instead. Old data will need to be rotated out of the output area eventually, though.
|||
#!/bin/bash
# Hourly snapshot of the ebtables accounting counters, one directory per hour.
MYTIME=$(date +%s)
DIR=$(date -u -d "@$MYTIME" +/var/local/ebacct/%Y-%m-%d/%H)
PARA=
# mkdir -pv prints something only when it creates the directory, i.e. on the
# first run in a new hour. The counters then cover the previous hour: store
# them there and zero them (-Z) after listing.
if test -n "$(mkdir -pv "$DIR")"
then
  PARA=-Z
  DIR=$(date -u -d "@$(( MYTIME - 3600 ))" +/var/local/ebacct/%Y-%m-%d/%H)
fi
# Each -d rule is listed as: -d MAC -j CONTINUE , pcnt = P -- bcnt = B
# --Lc adds the counters, --Lmac2 prints every octet with two digits.
while read F MAC N N N N N PACKET N N N OCTETS N
do
  if test "$F" = "-d"
  then
    # The directory name is the MAC address without its colons.
    PT=$DIR/${MAC:0:2}${MAC:3:2}${MAC:6:2}${MAC:9:2}${MAC:12:2}${MAC:15:2}
    mkdir -p "$PT"
    echo "$PACKET" > "$PT/packets"
    echo "$OCTETS" > "$PT/octets"
  fi
done <<<"$(ebtables -L accounting --Lc --Lmac2 $PARA)"
[[Category:3rd Party Routers]] |