Getting started with ebtables

1. What is ebtables?
The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included. The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.
ebtables is the Ethernet bridge firewall. An Ethernet bridge works at the data link layer, and ebtables filters data-link-layer packets. The 2.6 kernel has ebtables built in; to use it you must first install the ebtables user-space tool (ebtables-v2.0.6), after which ebtables can be used to filter the packets passing through the bridge. Based on the user's actual requirements, the ebtables rules are set as follows: 1: all packets are accepted by default
2. Main features of ebtables.
3. What is bridge-netfilter?
The bridge-netfilter code enables the following functionality:
4. How to configure ebtables, and how does ebtables work?
ebtables is used as follows:

ebtables [-t table] -[ADI] chain rule-specification [match-extensions] [watcher-extensions]

-t table: the table to operate on; in practice the FORWARD chain is generally used.
-A/-D/-I: -A appends a rule to the end of an existing chain; -D deletes a rule from a chain (the rule number must be given); -I inserts a new rule (the rule number must be given).
-P: sets the default policy of a chain; it may be DROP, ACCEPT or RETURN.
-F: flushes the rule chains of the rule tables.
-L: lists the rules of a table; the --Lc (show counters) and --Ln (show rule numbers) options may be added.
-p: the protocol (ethertype) of the frame, e.g. ipv4 or arp (mandatory when the --ip-* matches are used); see /etc/ethertypes for details.
--ip-proto: the IP protocol number: 1 for ICMP, 6 for TCP, 17 for UDP; see /etc/protocols for details.
--ip-src: source IP address of the IP packet.
--ip-dst: destination IP address of the IP packet.
--ip-sport: source port of the IP packet.
--ip-dport: destination port of the IP packet.
-i: the network interface the frame enters on.
-o: the network interface the frame leaves on.

A simple configuration script follows; the values in angle brackets are placeholders to be filled in per deployment:

```bash
#!/bin/bash
echo "The ebtables start !"
# Default policies: accept everything, then flush any existing rules.
ebtables -P FORWARD ACCEPT
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -F
# Drop TCP (6) or UDP (17) traffic entering on the given interface and headed to <dst-ip>:<dst-port>.
ebtables -A FORWARD -p ipv4 -i <eth0|eth1> --ip-proto <6|17> --ip-dst <dst-ip> --ip-dport <dst-port> -j DROP
# Drop TCP (6) or UDP (17) traffic entering on the given interface and coming from <src-ip>:<src-port>.
ebtables -A FORWARD -p ipv4 -i <eth0|eth1> --ip-proto <6|17> --ip-src <src-ip> --ip-sport <src-port> -j DROP
```
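The following is an added example, not code from the original post or from the ebtables project. It turns the script sketched above into a small POSIX sh tool: protocol names are mapped to the --ip-proto numbers listed above, port numbers are validated before a rule is generated, the whole rule set is emitted in the post's order (policies, flush, DROP rules), and setting EBT_DRYRUN prints the commands instead of executing them. The interface names, addresses and ports are constructed placeholders, and the path to the ebtables binary (EBT) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or the ebtables project): build the
# rule set the post sketches from validated parameters, printing the commands
# instead of running them when EBT_DRYRUN is set. Interface names, addresses
# and ports below are constructed placeholders.

EBT="${EBT:-ebtables}"   # assumption: the ebtables binary is on PATH

# Map a protocol name or number to the value --ip-proto expects (1=ICMP, 6=TCP, 17=UDP).
ip_proto_num() {
  case "$1" in
    icmp|1) echo 1 ;;
    tcp|6)  echo 6 ;;
    udp|17) echo 17 ;;
    *) return 1 ;;        # unknown protocol: refuse rather than emit a bad rule
  esac
}

# Accept only a decimal TCP/UDP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rule dropping frames entering the bridge on interface $1 that carry IPv4
# traffic of protocol $3 to destination address $2, port $4 (first pattern above).
drop_to_dst_rule() {
  proto=$(ip_proto_num "$3") || return 1
  valid_port "$4" || return 1
  printf '%s -A FORWARD -p IPv4 -i %s --ip-proto %s --ip-dst %s --ip-dport %s -j DROP\n' \
    "$EBT" "$1" "$proto" "$2" "$4"
}

# Rule dropping frames entering on interface $1 from source address $2,
# protocol $3, source port $4 (second pattern above).
drop_from_src_rule() {
  proto=$(ip_proto_num "$3") || return 1
  valid_port "$4" || return 1
  printf '%s -A FORWARD -p IPv4 -i %s --ip-proto %s --ip-src %s --ip-sport %s -j DROP\n' \
    "$EBT" "$1" "$proto" "$2" "$4"
}

# Emit the complete command sequence in the post's order: policies, flush, rules.
build_ruleset() {
  for chain in FORWARD INPUT OUTPUT; do
    printf '%s -P %s ACCEPT\n' "$EBT" "$chain"
  done
  printf '%s -F\n' "$EBT"
  # Constructed sample targets: block telnet to one host and TFTP from another.
  drop_to_dst_rule eth0 192.0.2.10 tcp 23 || return 1
  drop_from_src_rule eth1 192.0.2.20 udp 69 || return 1
}

# Print the commands (EBT_DRYRUN set) or execute them, stopping at the first failure.
apply_ruleset() {
  if [ -n "${EBT_DRYRUN:-}" ]; then
    build_ruleset
  else
    build_ruleset | sh -e
  fi
}

# Run only when invoked as ebt_rules.sh, so the functions can also be sourced.
if [ "${0##*/}" = "ebt_rules.sh" ]; then
  apply_ruleset
fi
```

Save it as ebt_rules.sh and run `EBT_DRYRUN=1 sh ebt_rules.sh` to review the generated commands before applying them; because the rules are generated from validated arguments, a typo in the chain name or a protocol number outside the documented set cannot silently produce a rule that does not filter what was intended.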
reference: http://ebtables./