<p dir="ltr">Could you provide a sample of your rules? Are you dropping in and outbound traffic? Are you using bro as a vpn server and encrypting the traffic? Are you using policy based routing? Etc. More information is always better :)</p>
<div class="gmail_quote">On Dec 17, 2014 6:37 AM, "Mike Ballon" <<a href="mailto:mike.ballon@gmail.com">mike.ballon@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Have you tried "--mac-source"?<div><br></div><div>ie: iptables -A INPUT -m mac –mac-source the:mac:address: -j DROP</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 17, 2014 at 7:48 AM, <span dir="ltr"><<a href="mailto:kitepilot@kitepilot.com" target="_blank">kitepilot@kitepilot.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello World: <br>
This is the scenario:<br>
MY.DSK.BOX (eth0) <=> (eth?) MY.BR0.BOX (eth?) <=> MY.TST.BOX (eth0) <br>
I want to use iptables to stop unwanted traffic to traverse MY.BR0.BOX.<br>
MY.DSK.BOX and MY.TST.BOX are in the same subnet.<br>
The IP/subnet of MY.BR0.BOX is irrelevant because MY.BR0.BOX is invisible to the 'functional' network.<br>
Yes, this WORKS (it is working now), and I can not make MY.BR0.BOX visible to the network because of more reasons that I have time to write about. <br>
<br>
WHAT I WANT:<br>
GOOD packets are allowed to traverse MY.BR0.BOX back and forth without further restrictions.<br>
BAD packets to/from MY.DSK.BOX to/from MY.TST.BOX are dropped at MY.BR0.BOX <br>
So far I have been able to drop the traffic in only one direction, but not both... :(<br>
Bridge definition below:<br>
Thanks!<br>
ET <br>
<br>
<br>
<br>
<br>
# This file describes the network interfaces available on your system<br>
# and how to activate them. For more information, see interfaces(5). <br>
# The loopback network interface<br>
auto lo<br>
iface lo inet loopback <br>
# The primary network interface<br>
allow-hotplug eth0<br>
# iface eth0 inet dhcp<br>
iface eth0 inet manual <br>
# The primary network interface<br>
allow-hotplug eth1<br>
# iface eth1 inet dhcp<br>
iface eth1 inet manual <br>
# Bridge setup<br>
auto br0<br>
iface br0 inet dhcp<br>
bridge_ports eth0 eth1<br>
------------------------------<u></u>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<u></u>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<u></u>mailman/listinfo/plug-discuss</a><br>
</blockquote></div></div>
<br>---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br></blockquote></div>