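################################################################################
# Slackware 14.0 - Installing ebtables (with epkg)
# ================================================
# Public domain
#
# Notes page, not one script: the Installation section and each Example are
# independent snippets (most Examples carry their own "#!/bin/bash" line), so
# copy the section you need rather than running this file top to bottom.
# Every ebtables / brctl / ifconfig / tc command below needs root.
#
# Reminder on the broute table used by most Examples: in the BROUTING chain
# "ACCEPT" means the frame is bridged and "DROP" means the frame is taken out
# of the bridge and handed to the local IP stack (routed) - it does not discard
# the frame. "redirect --redirect-target DROP" rewrites the destination MAC to
# the bridge's own and then routes the frame the same way.
################################################################################

### Installation

# The tarball comes over plain http from a personal mirror and nothing below
# checks what was downloaded. Before building, compare it against a checksum or
# signature obtained out of band, e.g.
#   sha256sum ebtables-v2.0.10-4.tar.gz   # must match <EXPECTED_SHA256> (placeholder)
cd /usr/src
wget -c "http://pmoghadam.com/homepage/Pages/Deposit/Source-packages/ebtables-v2.0.10-4.tar.gz"

# Build as the unprivileged "install" user; "su - install" opens a new shell,
# the commands up to "logout" are typed into it, and only the final epkg step
# runs as root again.
su - install
cd /usr/src
tar xf ebtables-v2.0.10-4.tar.gz
cd ebtables-v2.0.10-4
# Strip -Werror from the Makefile (presumably the build otherwise fails on
# compiler warnings). Warnings are no longer fatal, so read the build output.
sed -i -e 's,-Werror,,g' Makefile
make
# Strip the "-o root -g root" install(1) options so "make install" can run as
# the install user. The original wrote "sed -ie", which GNU sed reads as "-i"
# with backup suffix "e" and leaves a stray "Makefilee" behind; "-i -e" matches
# the invocation above.
sed -i -e 's,-o root -g root,,' Makefile
mkdir -p /usr/local/encap/ebtables-v2.0.10-4/etc/rc.d/init.d/
mkdir -p /usr/local/encap/ebtables-v2.0.10-4/etc/sysconfig/
make install DESTDIR=/usr/local/encap/ebtables-v2.0.10-4
cd /usr/local/encap/ebtables-v2.0.10-4/
# The install step puts man pages under usr/local/man; move them up to usr/
# (presumably where the encap layout expects them).
mv usr/local/man/ usr/
cd /usr/local/encap/
mkencap ebtables-v2.0.10-4/
logout
# Back in the root shell: link the package into /usr/local.
cd /usr/local/encap/
epkg ebtables-v2.0.10-4

################################################################################
### Example 1
# Set nfmark 0x23 on UDP frames leaving eth1 for 192.168.1.10 and accept them;
# the mark can then be matched by iptables/tc.
ebtables -t filter -A FORWARD -o eth1 -p IPv4 --ip-proto UDP --ip-dst 192.168.1.10 -j mark --set-mark 0x23 --mark-target ACCEPT

################################################################################
### Example 2
# Bridge ARP and IPv4 traffic of 10.34.75.0/24 arriving on eth1 untouched;
# frames from 10.34.75.72/29... (here 10.103.20.72/29) are pulled into the
# local stack via redirect. The two commented-out DROP rules are kept as the
# author left them.
ebtables -t broute -A BROUTING -i eth1 -p arp --arp-ip-dst 10.34.75.0/24 -j ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst 10.34.75.0/24 -j ACCEPT
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-src 10.34.75.0/24 -j ACCEPT
#ebtables -t broute -A BROUTING -i eth1 -p arp --arp-ip-dst 10.103.20.73 -j DROP
#ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst 10.103.20.73 -j DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-src 10.103.20.72/29 -j redirect --redirect-target DROP

################################################################################
### Example 3
# Expects the caller to set EXCLUDES (whitespace-separated list of networks),
# INTIF (inside interface) and EXTIF (outside interface).
# Flush table
ebtables -t broute -F
# Excludes: traffic to or from these networks is bridged untouched. The rules
# are inserted (-I) so they sit in front of the redirect rules appended below.
# $EXCLUDES is intentionally unquoted so it word-splits into one network per
# iteration; the individual value is quoted.
for NET in $EXCLUDES; do
  ebtables -t broute -I BROUTING -p ipv4 --ip-src "$NET" -j ACCEPT
  ebtables -t broute -I BROUTING -p ipv4 --ip-dst "$NET" -j ACCEPT
done
# Cache redirect
# Port-80 traffic in both directions is handed to the local stack instead of
# being bridged (the interface names are quoted so an unset or odd value does
# not silently change the command line).
ebtables -t broute -A BROUTING -i "${INTIF}" -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i "${EXTIF}" -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
# Show rules
ebtables -t broute -L --Ln --Lc

################################################################################
### Example 4
#!/bin/bash
# Two hosts (10.103.20.73 and 10.1.1.1) are routed rather than bridged, together
# with the small networks they belong to.
ebtables -t broute -F
ebtables -t nat -F
ebtables -t broute -A BROUTING -i eth1 -p arp --arp-ip-dst 10.103.20.73 -j DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst 10.103.20.73 -j DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-src 10.103.20.72/29 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth1 -p arp --arp-ip-dst 10.1.1.1 -j DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst 10.1.1.1 -j DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-src 10.1.1.0/30 -j redirect --redirect-target DROP

################################################################################
### Example 5
#!/bin/bash
# Broadcast IPv4 frames for 85.185.16.144/28 arriving on eth0 get their
# destination MAC rewritten to 00:26:5a:81:4d:6b (dnat, then CONTINUE), every
# other IPv4 frame on eth0 is redirected to the bridge MAC and accepted, and in
# the broute table only the rewritten broadcasts are bridged - everything else
# on eth0 is routed (default-deny for bridging).
/usr/local/sbin/ebtables -t nat -F
/usr/local/sbin/ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst 85.185.16.144/28 -d broadcast -j dnat --to-destination 00:26:5a:81:4d:6b --dnat-target CONTINUE
/usr/local/sbin/ebtables -t nat -A PREROUTING -i eth0 -p ipv4 -j redirect --redirect-target ACCEPT
/usr/local/sbin/ebtables -t broute -F
#/usr/local/sbin/ebtables -t broute -A BROUTING -i eth0 -p arp --arp-ip-dst 85.185.16.144/28 -j ACCEPT
/usr/local/sbin/ebtables -t broute -A BROUTING -i eth0 -p ipv4 -d broadcast --ip-dst 85.185.16.144/28 -j ACCEPT
/usr/local/sbin/ebtables -t broute -A BROUTING -i eth0 -j DROP
# Bridge setup happens after the rules are loaded, so no frame is bridged with
# an empty rule set.
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 up

################################################################################
### Example 6
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
# Only 217.218.228.239 is bridged: its own frames from eth1 pass, frames for it
# from eth0 are redirected/routed, everything else is routed (final DROP).
ebtables -t broute -F
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-source 217.218.228.239 -j ACCEPT
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-destination 217.218.228.239 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -F
ebtables -t nat -A POSTROUTING -o eth0 -p ipv4 --ip-source 217.218.228.239 -j snat --to-source ff:ff:ff:ff:ff:ff --snat-target DROP
# "&> /dev/null" hides brctl errors, presumably so re-running the script with
# an existing br0 stays quiet - but a failed addif is hidden as well, so check
# "brctl show" after running this.
brctl addbr br0 &> /dev/null
brctl addif br0 eth0 &> /dev/null
brctl addif br0 eth1 &> /dev/null
ifconfig br0 up

################################################################################
### Example 7
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
INETSIDE="eth0"
USERSIDE="eth1"
NETWORK="27.162.179.134"
# Bridge only ARP and IPv4 traffic of $NETWORK between the two sides; all
# other frames are routed (final DROP). Variables are quoted so an empty value
# cannot turn e.g. "-i" into an option-less argument.
ebtables -t broute -F
ebtables -t broute -A BROUTING -i "$INETSIDE" -p arp --arp-ip-dst "$NETWORK" -j ACCEPT
ebtables -t broute -A BROUTING -i "$USERSIDE" -p arp --arp-ip-src "$NETWORK" -j ACCEPT
ebtables -t broute -A BROUTING -i "$INETSIDE" -p ipv4 --ip-destination "$NETWORK" -j ACCEPT
ebtables -t broute -A BROUTING -i "$USERSIDE" -p ipv4 --ip-source "$NETWORK" -j ACCEPT
ebtables -t broute -A BROUTING -j DROP
# brctl errors are hidden (see Example 6); verify with "brctl show".
brctl addbr br0 &> /dev/null
brctl addif br0 "$INETSIDE" &> /dev/null
brctl addif br0 "$USERSIDE" &> /dev/null
ifconfig br0 up

################################################################################
### Example 8
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
# Every frame on eth0 is rewritten to destination MAC 00:18:f3:1f:57:f4, IPv4
# frames are then redirected/accepted; in broute, IPv4 broadcasts are routed,
# IPv4 frames for any other MAC are bridged, everything else is routed.
ebtables -t nat -F
ebtables -t nat -A PREROUTING -i eth0 -j dnat --to-destination 00:18:f3:1f:57:f4 --dnat-target CONTINUE
ebtables -t nat -A PREROUTING -i eth0 -p ipv4 -j redirect --redirect-target ACCEPT
ebtables -t broute -F
ebtables -t broute -A BROUTING -i eth0 -p ipv4 -d broadcast -j DROP
# "-d ! mac" is the legacy negation placement; "! -d mac" is the documented
# form - confirm the installed ebtables accepts this one.
ebtables -t broute -A BROUTING -i eth0 -p ipv4 -d ! 00:18:f3:1f:57:f4 -j ACCEPT
ebtables -t broute -A BROUTING -i eth0 -j DROP
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 up

################################################################################
### Example 9
#!/bin/bash
INETSIDE="eth0"
USERSIDE="eth1"
# Create bridge
# brctl errors are hidden (see Example 6); verify with "brctl show".
brctl addbr br0 &> /dev/null
brctl addif br0 "$INETSIDE" &> /dev/null
brctl addif br0 "$USERSIDE" &> /dev/null
ifconfig br0 up
# Flush previous rules
ebtables -t broute -F BROUTING
# Policy
# Appended first: everything from either side is routed unless a rule inserted
# (-I) below matches first.
ebtables -t broute -A BROUTING -i "$INETSIDE" -j DROP
ebtables -t broute -A BROUTING -i "$USERSIDE" -j DROP
# Outgoing
ebtables -t broute -I BROUTING -i "$USERSIDE" -p arp --arp-ip-src 27.162.160.252 -j ACCEPT
ebtables -t broute -I BROUTING -i "$USERSIDE" -p ip --ip-src 27.162.160.252 -j ACCEPT
# Incoming
ebtables -t broute -I BROUTING -i "$INETSIDE" -p arp --arp-ip-dst 27.162.160.252 -j ACCEPT
ebtables -t broute -I BROUTING -i "$INETSIDE" -p ip --ip-dst 27.162.160.252 -j ACCEPT

################################################################################
### Status
# Rule counters, bridge STP state and tc classes/filters on both ports.
ebtables -t filter -L --Lc
brctl showstp br0
tc class show dev eth0 ; tc class show dev eth1
tc filter show dev eth0 ; tc filter show dev eth1
tc -s class ls dev eth0 ; tc -s class ls dev eth1

################################################################################
# _BY: Pejman Moghadam_
# _TAG: ebtables, broute, epkg_
# _DATE: 2013-01-23 12:45:38_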