Transparent Firewall on a PPPoE Bridge

by WinFree from LinuxQuestions.org on (#5QCQM)

Hi,

I have a fibre-to-Ethernet converter from my ISP connected to an Ethernet router.
The IP packets between the router and the fibre/ethernet converter are encapsulated in PPPoE packets.

I set up a Slackware 14.2 box with 2 ethernet ports between the fibre/ethernet converter and the router.

The configuration is as follows:
brctl addbr br0
brctl addif br0 eth0 eth1
ifconfig br0 up

If I use tcpdump on eth0 and eth1 I can see the PPPoE packets.

I would like to set up a transparent firewall on the Slackware box. br0, eth0 and eth1 are not assigned an IP address and there is no routing table (except for the lo interface). I currently have no entries in iptables and the default policy for INPUT, OUTPUT and FORWARD is ACCEPT.

My understanding from https://ebtables.netfilter.org/docum...bridge-nf.html is that the br_netfilter module with bridge-nf-filter-pppoe-tagged enabled will allow me to use iptables to filter the PPPoE traffic.

I start a ping from a computer on the network behind the router.
If I run "echo 1 > bridge-nf-filter-pppoe-tagged" in /proc/sys/net/bridge then all PPPoE traffic to the fibre/ethernet router is dropped.
"echo 0 > bridge-nf-filter-pppoe-tagged" is required to allow traffic to pass again.

The iptables configuration is not followed and all packets from the router are dropped with "echo 1 > bridge-nf-filter-pppoe-tagged".

Am I missing something?
How do I allow the default pppoe traffic to flow with bridge-nf-filter-pppoe-tagged enabled and get the iptables rules to be followed (if any)?
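
For iptables rules to match on addresses in the traffic described above, the IPv4 header has to be found behind the PPPoE and PPP headers of each session frame. The following is an added example, not part of the original post: it parses a constructed PPPoE session frame (layout per RFC 2516) to show where the inner packet sits and which frames carry no IPv4 at all. MAC addresses, IP addresses and the session ID are constructed sample values.

```python
import struct

ETH_P_PPP_SES = 0x8864  # EtherType of PPPoE session-stage frames (RFC 2516)
PPP_IPV4 = 0x0021       # PPP protocol number for IPv4
PPP_LCP = 0xC021        # PPP Link Control Protocol (carries no IP packet)

def build_frame(ppp_proto=PPP_IPV4):
    """Constructed sample: ICMP echo request wrapped in PPP, PPPoE and Ethernet."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ppp = struct.pack("!H", ppp_proto) + ip + icmp
    # PPPoE header: version/type 0x11, code 0x00 (session data), session ID, length
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp))
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETH_P_PPP_SES))
    return eth + pppoe + ppp

def inner_ipv4(frame):
    """Return (src, dst, ip_protocol) of the encapsulated IPv4 packet, else None."""
    if len(frame) < 14 + 6 + 2:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPP_SES:
        return None                      # discovery stage (0x8863) or not PPPoE
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        return None
    payload = frame[20:20 + length]      # PPP protocol field plus its data
    if len(payload) < 2 + 20:
        return None                      # truncated: no room for an IPv4 header
    (ppp_proto,) = struct.unpack("!H", payload[:2])
    if ppp_proto != PPP_IPV4:
        return None                      # LCP, IPCP, IPv6, ... are not IPv4
    ip = payload[2:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[9]

if __name__ == "__main__":
    print(inner_ipv4(build_frame()))         # IPv4 inside the PPPoE session frame
    print(inner_ipv4(build_frame(PPP_LCP)))  # control traffic: nothing to match on
```
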