
Ebtables: Difference between revisions

1,444 bytes added, 25 February 2015
= Firewalling with Ethernet Tables =
 
On AAISP I have decided to run a NAT-free home network, but some recent additions to the network need Internet access to function and, at the same time, need to be reachable by any IPv4 address that controls them.
Some devices I have allow any IP address to control them, but also need Internet access for some of their functionality.
 
In addition to all that, I assigned v4 addresses dynamically to conserve the address space.
== /etc/network/interfaces ==
 
The addresses below are valid if eth0.20 used IEEE's example MAC address [http://standards.ieee.org/develop/regauth/tut/eui48.pdf AC-DE-48-23-45-67] (its EUI-64 form, with the U/L bit flipped, is aede:48ff:fe23:4567).

 # int0 is a bridge whose only port is VLAN 20 on eth0; the pre-up lines create that VLAN interface.
 # The IPv4 address/netmask lines that "inet static" normally carries are not shown on this page.
 iface int0 inet static
 up /sbin/ifconfig int0 add fe80::aede:48ff:fe23:4567/64
 up /sbin/ifconfig int0 add 2001:db8:cafe:1:aede:48ff:fe23:4567/64
 # Optional: make use of the full capability of my Gigabit ethernet switch, by using the maximum possible MTU.
 pre-up /sbin/ifconfig eth0 mtu 7200 || true
 pre-up /sbin/vconfig add eth0 20 || true
 pre-up /sbin/ifconfig eth0.20 mtu 7200 || true
 bridge_ports eth0.20
 bridge_stp off
It is also possible to do this directly with brctl on a GNU/Linux system that does not have /etc/network/interfaces.

I had also disabled the callout of iptables from within ebtables via sysctl at this point, as the feature seems to be broken in Linux 2.6.32-5-amd64, causing IPv6's address resolution to break amongst other things. IP6tables is still working independently.
 
== In /etc/sysctl.conf ==
 
 net.bridge.bridge-nf-call-arptables=0
 net.bridge.bridge-nf-call-ip6tables=0
 net.bridge.bridge-nf-call-iptables=0
 
= Ebtables and IPtables rules =
 
 # first let's do some accounting.
 # These rules need only match, not do anything, as we are interested in the
 # ebtables counters (the accounting data).
 ebtables -N accounting -P RETURN
 ebtables -A accounting --destination AC:DE:48:23:45:67/ff:ff:ff:ff:ff:ff
 # The chain has to be reached from FORWARD, otherwise its counters never increment
 # (this jump is assumed; the page does not show where the chain is hooked in).
 ebtables -A FORWARD -j accounting
 # mark incoming data so that we can account it.
 # The iptables rules should work also with a default DROP target but then
 # additional lines are needed to pass the data that is needed.
 # $MINET is the mark bit for traffic arriving from the Internet; 0x1 is an
 # example value, pick one that does not clash with your other marks.
 MINET=${MINET:-0x1}
 iptables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET
 ip6tables -A FORWARD -i ppp0 -o int0 -j MARK --or-mark $MINET
 
== Accounting ==
 
To save the accounting data, I use a script run from /etc/cron.hourly. It ends up with a directory tree of accounting data that resembles AAISP's clueless pages, but broken down by MAC address. If I had [[Ethernet over ADSL]] then the ISP might do this step instead. Old data may need to be rotated away from the output area eventually though.
 
 #!/bin/bash
 # Run hourly from cron. Each run records the accounting chain's counters under
 # /var/local/ebacct/<date>/<hour>/<mac>/{packets,octets}.
 MYTIME=`date +%s`
 DIR=`date -d @$MYTIME +/var/local/ebacct/%Y-%m-%d/%H -u`
 PARA=
 # mkdir -pv prints something only when the directory is new, i.e. this is the
 # first run in a new hour: then read and zero the counters (-Z) and file the
 # totals under the hour that has just finished.
 if test -n "$(mkdir -pv $DIR)"
 then
     PARA=-Z
     DIR=`date -d @$(( $MYTIME - 3600 )) +/var/local/ebacct/%Y-%m-%d/%H -u`
 fi
 # Each rule is listed by ebtables as e.g.
 #   -d AC:DE:48:23:45:67 -j CONTINUE , pcnt = 1200 -- bcnt = 987654
 # so the 2nd, 8th and 12th fields are the MAC, packet and byte counters.
 while read F MAC N N N N N PACKET N N N OCTETS N
 do
     if test "$F" = "-d"
     then
         # directory name is the MAC address without the colons
         PT=$DIR/${MAC:0:2}${MAC:3:2}${MAC:6:2}${MAC:9:2}${MAC:12:2}${MAC:15:2}
         mkdir -p "$PT"
         echo "$PACKET" > "$PT/packets"
         echo "$OCTETS" > "$PT/octets"
     fi
 done <<<"$(ebtables -L accounting --Lc --Lmac2 $PARA)"
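An added example, not the wiki's own script: a parser for the counter lines that `ebtables -L accounting --Lc --Lmac2` prints which also handles `-s` (upload) rules and masked MACs, plus a delta step that replaces the `-Z` zeroing so that a failed cron run does not lose an hour's figures. The sample listing is constructed, not captured from a real router.

```shell
#!/bin/bash
# Constructed sample of `ebtables -L accounting --Lc --Lmac2` output. "-d" rules
# count frames delivered to the MAC, "-s" rules frames sent by it; ebtables
# appends a /mask only when the mask is not all-ff.
SAMPLE='Bridge chain: accounting, entries: 3, policy: RETURN
-d AC:DE:48:23:45:67 -j CONTINUE , pcnt = 1200 -- bcnt = 987654
-s AC:DE:48:23:45:67 -j CONTINUE , pcnt = 800 -- bcnt = 65432
-d 00:11:22:33:44:55/ff:ff:ff:ff:ff:f0 -j CONTINUE , pcnt = 5 -- bcnt = 300'

# stdin: ebtables listing; stdout: "<in|out> <12-hex-mac> <packets> <octets>"
ebacct_parse() {
    while read -r flag mac a b c d e pcnt f g h bcnt i; do
        case "$flag" in
            -d) dir=in ;;
            -s) dir=out ;;
            *) continue ;;                     # chain header or unexpected line
        esac
        mac=${mac%%/*}                         # strip any "/ff:ff:..." mask
        mac=$(printf '%s' "$mac" | tr -d ':' | tr 'A-F' 'a-f')
        printf '%s %s %s %s\n' "$dir" "$mac" "$pcnt" "$bcnt"
    done
}

# $1 = previous snapshot file, $2 = current snapshot file (both in ebacct_parse
# format). Prints the per-MAC increase since the previous snapshot. A counter
# lower than last time means the chain was flushed or the router rebooted, so
# the current value is reported as the increase instead of a negative number.
ebacct_delta() {
    prev_file=$1 cur_file=$2
    while read -r dir mac pcnt bcnt; do
        set -- $(grep "^$dir $mac " "$prev_file" || true)   # $3/$4 = old counts
        if [ $# -eq 4 ] && [ "$pcnt" -ge "$3" ] && [ "$bcnt" -ge "$4" ]; then
            pcnt=$((pcnt - $3)); bcnt=$((bcnt - $4))
        fi
        printf '%s %s %s %s\n' "$dir" "$mac" "$pcnt" "$bcnt"
    done < "$cur_file"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | ebacct_parse
```

To use it hourly, save each run's parsed output as the next run's "previous" file and feed `ebacct_delta` the two snapshots instead of listing with `-Z`.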
 
[[Category:3rd Party Routers]]