> Could you provide a sample of your rules?

# iptables -t filter -A FORWARD -d MY.DSK.BOX -j DROP
# iptables -t filter -A FORWARD -s MY.DSK.BOX -j DROP

> Are you dropping in and outbound traffic?

That's what I want to do! :)

> Are you using bro as a vpn server and encrypting the traffic?

No.

> Are you using policy based routing? Etc.

No.

> More information is always better :)

Agree!!!

This is a brain-dead test to stop traffic between (to and from) MY.DSK.BOX and MY.TST.BOX using MY.BR0.BOX as a transparent bridge.

MY.BR0.BOX will not even be (when deployed) in the same subnet as MY.DSK.BOX and MY.TST.BOX.

Thanks!
ET

> On Dec 17, 2014 6:37 AM, "Mike Ballon" wrote:
>
>> Have you tried "--mac-source"?
>>
>> ie: iptables -A INPUT -m mac --mac-source the:mac:address: -j DROP
>>
>> On Wed, Dec 17, 2014 at 7:48 AM, wrote:
>>>
>>> Hello World:
>>>
>>> This is the scenario:
>>>
>>> MY.DSK.BOX (eth0) <=> (eth?) MY.BR0.BOX (eth?) <=> MY.TST.BOX (eth0)
>>>
>>> I want to use iptables to stop unwanted traffic from traversing MY.BR0.BOX.
>>> MY.DSK.BOX and MY.TST.BOX are in the same subnet.
>>> The IP/subnet of MY.BR0.BOX is irrelevant because MY.BR0.BOX is invisible
>>> to the 'functional' network.
>>> Yes, this WORKS (it is working now), and I cannot make MY.BR0.BOX
>>> visible to the network because of more reasons than I have time to write
>>> about.
>>>
>>> WHAT I WANT:
>>>
>>> GOOD packets are allowed to traverse MY.BR0.BOX back and forth without
>>> further restrictions.
>>> BAD packets to/from MY.DSK.BOX to/from MY.TST.BOX are dropped at
>>> MY.BR0.BOX
>>>
>>> So far I have been able to drop the traffic in only one direction, but
>>> not both... :(
>>>
>>> Bridge definition below:
>>>
>>> Thanks!
>>> ET
>>>
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> allow-hotplug eth0
>>> # iface eth0 inet dhcp
>>> iface eth0 inet manual
>>>
>>> # The primary network interface
>>> allow-hotplug eth1
>>> # iface eth1 inet dhcp
>>> iface eth1 inet manual
>>>
>>> # Bridge setup
>>> auto br0
>>> iface br0 inet dhcp
>>> bridge_ports eth0 eth1
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
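The point the thread circles around is that a transparent bridge forwards frames at layer 2, and the iptables FORWARD chain only sees those frames when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is set to 1; ebtables, by contrast, hooks the bridge path directly. The script below is an added example written for this page, not ET's or Mike's code. It generates (and, as root, can apply) a rule set that drops every IPv4 and ARP frame in both directions between two hosts crossing a Linux bridge, using both mechanisms, and keeps the generator in a function so the rule set can be inspected before it is applied. The addresses, the bridge name br0 and the script name are assumptions; 192.0.2.10 and 192.0.2.20 are constructed stand-ins for MY.DSK.BOX and MY.TST.BOX.

```shell
#!/bin/sh
# Added example (not from the thread): block all traffic in BOTH directions
# between two hosts that talk through a Linux transparent bridge.
# Addresses, bridge name and file name are placeholders (assumptions).
set -u

# Constructed stand-ins for MY.DSK.BOX and MY.TST.BOX (RFC 5737 test range).
DSK_IP="${DSK_IP:-192.0.2.10}"
TST_IP="${TST_IP:-192.0.2.20}"
BRIDGE="${BRIDGE:-br0}"    # the bridge from /etc/network/interfaces

# Print the command sequence that blocks $1 <-> $2 across bridge $3.
# Two layers are emitted:
#  1. ebtables matches bridged frames without any sysctl. IPv4 and ARP are
#     both dropped, per direction, so the pair cannot even resolve each other.
#  2. iptables FORWARD only sees bridged frames after br_netfilter is loaded
#     and bridge-nf-call-iptables=1; --physdev-is-bridged limits the rule to
#     frames that were bridged (not routed) by this box. The rules go in at
#     position 1 so an earlier ACCEPT in FORWARD cannot shadow them.
bridge_block_rules() {
    a="$1"; b="$2"; br="${3:-$BRIDGE}"
    cat <<EOF
ebtables -A FORWARD --logical-in $br -p IPv4 --ip-src $a --ip-dst $b -j DROP
ebtables -A FORWARD --logical-in $br -p IPv4 --ip-src $b --ip-dst $a -j DROP
ebtables -A FORWARD --logical-in $br -p ARP --arp-ip-src $a --arp-ip-dst $b -j DROP
ebtables -A FORWARD --logical-in $br -p ARP --arp-ip-src $b --arp-ip-dst $a -j DROP
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -s $a -d $b -j DROP
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -s $b -d $a -j DROP
EOF
}

# Number of DROP rules the generator produced for a pair. Used as a sanity
# check that every direction and protocol got a rule (expected: 6).
drop_rule_count() {
    bridge_block_rules "$1" "$2" | grep -c -e '-j DROP'
}

# Succeeds when the generated set has an IPv4 drop for the $1 -> $2 direction.
covers_direction() {
    bridge_block_rules "$1" "$2" | grep -q -e "--ip-src $1 --ip-dst $2 -j DROP"
}

# Usage:  sh bridge_block.sh         -> print the rules (dry run)
#         sh bridge_block.sh apply   -> run them, as root, on the bridge box
if [ "${1:-}" = "apply" ]; then
    bridge_block_rules "$DSK_IP" "$TST_IP" | sh -e
else
    bridge_block_rules "$DSK_IP" "$TST_IP"
fi
```

To confirm the block is bidirectional, ping each host from the other and watch the counters on the bridge box with `ebtables -L --Lc` and `iptables -L FORWARD -v -n`; the ebtables rules sit earlier in the bridged path, so their counters are the ones that normally move. The script is written for 2014-era Debian like the thread's interfaces file; on current kernels the ebtables binary is usually the nft-backed wrapper, and the same rules can be expressed in an nftables bridge-family table instead.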