Ebtables: Difference between revisions

← Older edit

Ebtables (view source)

Revision as of 09:36, 25 February 2015

1,447 bytes added , 25 February 2015

m

no edit summary

AA-Andrew

autoreview, Bureaucrats, editor, Interface administrators, reviewer, Administrators

12,270

edits

Revision as of 15:16, 2 October 2011 (view source) Michael (talk \| contribs) (→‎/etc/network/interfaces) ← Older edit		Latest revision as of 09:36, 25 February 2015 (view source) AA-Andrew (talk \| contribs) mNo edit summary
(10 intermediate revisions by 2 users not shown)
= Firewalling with Ethernet Tables = On AAISP I have decided to run a NAT-free home network~~, but some recent additions to the network need both internet access to function at the same time as any IPv4 address that can access them to control them~~. Some devices I have allow all IP addresses to control them, but also need internet access for some functionality In addition to all that, I assigned v4 addresses dynamically to conserve the address space. == /etc/network/interfaces == Valid if eth0.20 used ~~IEEE's~~IEEE’s example of [http://standards.ieee.org/develop/regauth/tut/eui48.pdf AC-DE-48-23-45-67] iface int0 inet static up /sbin/ifconfig int0 add fe80::aede:48ff:fe23:4567/64 up /sbin/ifconfig int0 add 2001:db8:cafe:1:aede:48ff:fe23:4567/64 # Optional: make use of the full capability of my Gigabit ethernet switch, by using the maximum possible MTU. pre-up /sbin/ifconfig eth0 mtu 7200 \|\| true pre-up /sbin/vconfig add eth0 20 \|\| true pre-up /sbin/ifconfig eth0.20 mtu 7200 \|\| true bridge_ports eth0.20 bridge_stp off == In /etc/sysctl.conf == net.bridge.bridge-nf-call-arptables=0 net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0 = Ebtables and IPtables rules = # first let’s do some accounting. # These rules need only match, not do anything, as we are interested in the ~~[[Ebtables~~ebtables ~~counters]]~~accounting data. ebtables -N accounting -P RETURN ebtables -A accounting --destination AC:DE:48:23:45:67/ff:ff:ff:ff:ff:ff # mark incoming data so that we can account it. # The iptables rules should work also with a default DROP target but then additional lines are needed to pass the data that is needed. iptables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET ip6tables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET == Accounting == To save the accounting data, I used a script called out from /etc/cron.hourly and will end up with a directory tree with accounting data that resembles that from AAISP’s clueless pages but broken down by MAC address. If I had [[Ethernet over ADSL]] then the ISP might do this step instead. Old data may need to be rotated away from the output area eventually though. #!/bin/bash MYTIME=`date +%s` DIR=`date -d @$MYTIME +/var/local/ebacct/%Y-%m-%d/%H -u` PARA= if test -n "$(mkdir -pv $DIR)" then PARA=-Z DIR=`date -d @$(( $MYTIME - 3600 )) +/var/local/ebacct/%Y-%m-%d/%H -u` fi while read F MAC N N N N N PACKET N N N OCTETS N do if test "$F" = "-d" then PT=$DIR/${MAC:0:2}${MAC:3:2}${MAC:6:2}${MAC:9:2}${MAC:12:2}${MAC:15:2} mkdir -p $PT echo $PACKET > $PT/packets echo $OCTETS > $PT/octets fi done <<<"$(ebtables -L accounting --Lc --Lmac2 $PARA)" [[Category:3rd Party Routers]]