Posted: Fri Feb 06, 2015 20:51 Post subject: iptables FORWARD rules not working on bridge - Request
Someone please tell me what I am doing wrong.
I have vlan1 with ports 1-5 and vlan2 with just the wan.
WAN is disabled.
Static IP on the LAN with default gateway to the public IP on my modem.
This works and packets are being routed from my internal public or private nets to the modem and out.
I have public IPs.
On the older routers this is the start of my firewall file and the default is to block all FORWARD so if I don't add specific rules to open ports everything is blocked.
#!/bin/sh
echo "bringing up firewall at "
date
echo " "
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# These defaults clamp off all communication to or across the
# bridge box (we will add rules to allow some stuff through
# further down, after we bring up the bridge interface)
# Default-DROP policies as described in the post: nothing is forwarded
# unless a later -A rule explicitly opens it.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
If I run the above on my older boxes (i.e. WRT610N, WRT54GS, etc.), all outside traffic is blocked as the default FORWARD rule is DROP. OK so good. I add additional rules with -A to open up ports, machines, etc.
If I run the same script on the newer boxes and firmware (Netgear R6300v2 or R7000), nothing is blocked.
It is as if the FORWARD rules are not working at all.
Anyone have suggestions please?
Last edited by lgkahn on Tue Feb 10, 2015 18:18; edited 2 times in total
I am now trying to go back a few generations of routers to see if I can find one where it still works.
The last I had it on was a WRT610N, but it is too slow with the firewall to keep up with my new 100 Mbit connection. The most I can get after turning off unused services and having the minimum firewall rules I need is 80 Mbit.
Yes, I know that is not useful to really do a firewall, as you don't know the MAC etc. of incoming traffic. That is why the kernel patch that allows iptables to work at level 2 was very useful. It used to be in previous builds. It works on my WRT610N with version 12774.
I would be willing to donate again if we can get the patch I mentioned in my post built into the kernel.
These versions seem to be missing it. This is the file for the version I used on the WRT610N. Anyone know where I can find the comparable build with the same kernel for the WRT400N?
dd-wrt.v24-12774_big-wrt610n.bin
The kernel seems to be 2.4.37.
Found more about what I need:
Configuring Ethernet Bridging
You'll remember from the previous two installments that in order to support iptables in bridging mode, your Linux kernel needs to be compiled with CONFIG_BRIDGE_NETFILTER=1, and your /etc/sysctl.conf file either needs to not contain any entries for the following settings or have them set to “1”:
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
Can anyone recompile/build one of the newer Netgear R6300v2 or Netgear R7000 branches with these options for me? Pretty please... thanks.
For anyone interested, the Kong build 22000++ for the E4200 has the kernel compiled with netfilter enabled, and the iptables firewall does work on the bridge.
The version I am running is:
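To tell quickly whether a given build will actually pass bridged traffic through the FORWARD chain, the three prerequisites from the quoted article and the post's own script can be checked with a small script. This is an added example, not code from the thread or from DD-WRT; the sample `iptables -S FORWARD` and kernel-config text inside it are constructed, and the live check assumes a box with /proc/sys/net/bridge and optionally /proc/config.gz.

```sh
#!/bin/sh
# Checks the prerequisites this thread identifies for iptables FORWARD rules
# to see bridged (br0) traffic: a kernel built with CONFIG_BRIDGE_NETFILTER,
# net.bridge.bridge-nf-call-iptables=1, and a FORWARD chain whose default
# policy is DROP. Each checker takes text or a path so it can run on samples.

# bridge_nf_state [FILE]: prints "missing" (kernel has no bridge-netfilter),
# "off" (present but 0) or "on" (1). Exit status is 0 only for "on".
bridge_nf_state() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || { echo missing; return 2; }
    case "$(cat "$f")" in
        1) echo on;      return 0 ;;
        0) echo off;     return 1 ;;
        *) echo unknown; return 3 ;;
    esac
}

# config_has_bridge_netfilter CONFIG_TEXT: 0 when kernel config text
# (e.g. from `zcat /proc/config.gz`) enables CONFIG_BRIDGE_NETFILTER.
config_has_bridge_netfilter() {
    printf '%s\n' "$1" | grep -q '^CONFIG_BRIDGE_NETFILTER=[ym]$'
}

# forward_policy_drop RULES_TEXT: 0 when the FORWARD chain's default policy,
# as printed by `iptables -S FORWARD`, is DROP (the "older router" behaviour).
forward_policy_drop() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$'
}

# check_bridge_firewall: run the checks on the live box; 0 only if all pass.
check_bridge_firewall() {
    rc=0
    state=$(bridge_nf_state) || rc=1
    echo "bridge-nf-call-iptables: $state"
    if [ -r /proc/config.gz ]; then
        config_has_bridge_netfilter "$(zcat /proc/config.gz)" \
            && echo "kernel: CONFIG_BRIDGE_NETFILTER enabled" \
            || { echo "kernel: CONFIG_BRIDGE_NETFILTER not set"; rc=1; }
    fi
    forward_policy_drop "$(iptables -S FORWARD 2>/dev/null)" \
        && echo "FORWARD policy: DROP" \
        || { echo "FORWARD policy: not DROP, nothing is blocked by default"; rc=1; }
    return $rc
}

# Constructed sample of `iptables -S FORWARD` from a box where the firewall works.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i br0 -p tcp --dport 80 -j ACCEPT'

if [ "${1:-}" = "check" ]; then check_bridge_firewall; fi
```

Run it as `sh bridgecheck.sh check` on the router; a "missing" state means the build's kernel lacks bridge-netfilter and no amount of FORWARD rules will filter bridged traffic.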
DD-WRT v24-sp2 (06/07/14) kingkong - build 22000M
The kernel in this version is:
Linux 2.6.24.111 #620 Sat Jun 7 21:57:31 CEST 2014 mips
Now if only I could find a version that works on the R6300v2; the Kong version I tried does not have that kernel option, as the firewall is not working on the bridge.
At least now I can get about 91 Mbit with the E4200 with the firewall enabled, 110 Mbit without it.