Public domain
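# Build ebtables-v2.0.10-4 from source and stage it under /usr/local/encap as
# an epkg package. This is an interactive transcript, not a runnable script:
# the lines between `su - install` and `logout` are typed in the install
# user's shell, the rest as root.
cd /usr/src
# NOTE(review): the tarball arrives over plain HTTP with no checksum or
# signature check, so anyone on the path can substitute the source that gets
# compiled and installed. Verify it (sha256sum against a value obtained out of
# band, or the upstream ebtables signature) before extracting it.
wget -c "http://pmoghadam.com/homepage/Pages/Deposit/Source-packages/ebtables-v2.0.10-4.tar.gz"
# Build and stage as the unprivileged install user.
su - install
cd /usr/src
tar xf ebtables-v2.0.10-4.tar.gz
cd ebtables-v2.0.10-4
# Drop -Werror so warnings from a newer compiler do not abort the build.
sed -i -e 's,-Werror,,g' Makefile
make
# Strip the root ownership flags from the install rules (presumably because
# the install user cannot chown files to root). Note "-i -e", not "-ie":
# GNU sed reads "-ie" as in-place editing with backup suffix "e" and would
# leave a stray Makefilee next to the real Makefile.
sed -i -e 's,-o root -g root,,' Makefile
# Created ahead of `make install`, presumably for the init script and the
# sysconfig file the install target writes under DESTDIR.
mkdir -p /usr/local/encap/ebtables-v2.0.10-4/etc/rc.d/init.d/
mkdir -p /usr/local/encap/ebtables-v2.0.10-4/etc/sysconfig/
make install DESTDIR=/usr/local/encap/ebtables-v2.0.10-4
# Move the man pages up one level so the package tree carries them at usr/man.
cd /usr/local/encap/ebtables-v2.0.10-4/
mv usr/local/man/ usr/
cd /usr/local/encap/
mkencap ebtables-v2.0.10-4/
# Back to root: activate the staged package with epkg.
logout
cd /usr/local/encap/
epkg ebtables-v2.0.10-4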
# Sample rules. Reading guide for the broute table: ACCEPT means "bridge this
# frame", DROP means "hand it to the local IP stack instead" (it is NOT
# discarded), and per ebtables semantics the redirect target first rewrites the
# destination MAC to the address of the bridge port the frame arrived on, so
# the host will take a routed frame that was addressed to another station.

# filter/FORWARD: UDP frames leaving via eth1 for 192.168.1.10 get mark 0x23
# and are accepted (the mark is presumably consumed later by iptables or tc).
ebtables --table filter --append FORWARD --out-interface eth1 \
  --protocol IPv4 --ip-protocol UDP --ip-destination 192.168.1.10 \
  --jump mark --set-mark 0x23 --mark-target ACCEPT

# broute/BROUTING: keep bridging everything that enters on eth1 and involves
# 10.34.75.0/24 -- ARP for it, IP traffic to it, IP traffic from it.
ebtables --table broute --append BROUTING --in-interface eth1 \
  --protocol arp --arp-ip-dst 10.34.75.0/24 --jump ACCEPT
ebtables --table broute --append BROUTING --in-interface eth1 \
  --protocol ipv4 --ip-destination 10.34.75.0/24 --jump ACCEPT
ebtables --table broute --append BROUTING --in-interface eth1 \
  --protocol ipv4 --ip-source 10.34.75.0/24 --jump ACCEPT

# Disabled: pull ARP and IP traffic for 10.103.20.73 out of the bridge.
#ebtables -t broute -A BROUTING -i eth1 -p arp --arp-ip-dst 10.103.20.73 -j DROP
#ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-dst 10.103.20.73 -j DROP

# IP frames from 10.103.20.72/29 entering on eth1 are readdressed to the bridge
# and routed locally instead of being bridged.
ebtables --table broute --append BROUTING --in-interface eth1 \
  --protocol ipv4 --ip-source 10.103.20.72/29 \
  --jump redirect --redirect-target DROP
# Fragment of a transparent HTTP-cache setup. EXCLUDES (a whitespace-separated
# list of networks), INTIF and EXTIF are defined somewhere above this fragment.
# broute-table reminder: ACCEPT = bridge the frame, DROP = route it locally.

# Start from an empty broute table.
ebtables --table broute --flush

# Excluded networks keep being bridged in both directions. They are inserted
# at the top so they win over the redirect rules appended below. EXCLUDES has
# to stay unquoted: the shell splits it into one network per iteration.
for NET in $EXCLUDES; do
  ebtables --table broute --insert BROUTING --protocol ipv4 --ip-source "${NET}" --jump ACCEPT
  ebtables --table broute --insert BROUTING --protocol ipv4 --ip-destination "${NET}" --jump ACCEPT
done

# Divert plain HTTP to the local cache: client requests (TCP dport 80) coming
# in on the inside port and server replies (TCP sport 80) coming in on the
# outside port are readdressed to the bridge and handed to the IP stack.
ebtables --table broute --append BROUTING --in-interface "${INTIF}" --protocol ipv4 \
  --ip-protocol tcp --ip-destination-port 80 --jump redirect --redirect-target DROP
ebtables --table broute --append BROUTING --in-interface "${EXTIF}" --protocol ipv4 \
  --ip-protocol tcp --ip-source-port 80 --jump redirect --redirect-target DROP

# Show the resulting chain with rule numbers and counters.
ebtables --table broute --list --Ln --Lc
#!/bin/bash
# Pull two hosts out of the bridge on eth1 so the local IP stack handles them.
# broute-table semantics: DROP = route locally (not discard), ACCEPT = bridge.

# Clear both tables this script touches (only broute gets rules here).
ebtables --table broute --flush
ebtables --table nat --flush

# route_host HOST NET: ARP and IP frames arriving on eth1 for HOST are handed
# to the IP stack; IP frames from NET are readdressed to the bridge and routed.
route_host() {
  local host=$1 net=$2
  ebtables --table broute --append BROUTING --in-interface eth1 \
    --protocol arp --arp-ip-dst "$host" --jump DROP
  ebtables --table broute --append BROUTING --in-interface eth1 \
    --protocol ipv4 --ip-destination "$host" --jump DROP
  ebtables --table broute --append BROUTING --in-interface eth1 \
    --protocol ipv4 --ip-source "$net" --jump redirect --redirect-target DROP
}

route_host 10.103.20.73 10.103.20.72/29
route_host 10.1.1.1     10.1.1.0/30
#!/bin/bash
# Single-port bridge (br0 = eth0) so ebtables can rewrite frames before the
# host's IP stack sees them. broute-table semantics: ACCEPT = bridge the frame,
# DROP = hand it to the IP stack (route), not discard.
EBT=/usr/local/sbin/ebtables

"$EBT" --table nat --flush
# Broadcast-MAC IPv4 frames addressed into 85.185.16.144/28 get the unicast
# destination MAC 00:26:5a:81:4d:6b and keep traversing the chain.
"$EBT" --table nat --append PREROUTING --in-interface eth0 --protocol ipv4 \
  --ip-destination 85.185.16.144/28 --destination broadcast \
  --jump dnat --to-destination 00:26:5a:81:4d:6b --dnat-target CONTINUE
# Every IPv4 frame on eth0 is then readdressed to the bridge's own MAC.
# NOTE(review): this rule also matches the frames the dnat above just rewrote
# and changes their destination MAC again, so the dnat looks ineffective
# unless 00:26:5a:81:4d:6b is the bridge MAC itself -- confirm the intent.
"$EBT" --table nat --append PREROUTING --in-interface eth0 --protocol ipv4 \
  --jump redirect --redirect-target ACCEPT

"$EBT" --table broute --flush
# Disabled: bridge ARP for the /28 as well.
#/usr/local/sbin/ebtables -t broute -A BROUTING -i eth0 -p arp --arp-ip-dst 85.185.16.144/28 -j ACCEPT
# Broadcast-MAC IPv4 frames for the /28 stay on the bridge; every other frame
# entering eth0 is routed locally.
"$EBT" --table broute --append BROUTING --in-interface eth0 --protocol ipv4 \
  --destination broadcast --ip-destination 85.185.16.144/28 --jump ACCEPT
"$EBT" --table broute --append BROUTING --in-interface eth0 --jump DROP

# Bridge setup; brctl errors (e.g. br0 already present) are not silenced here.
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 up
#!/bin/bash
# Two-port bridge (eth0 = uplink, eth1 = host side) with one address,
# 217.218.228.239, handled specially. broute-table semantics: ACCEPT = bridge
# the frame, DROP = route it through the local IP stack (not discard). In the
# nat table, DROP really discards.
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
ADDR=217.218.228.239

ebtables --table broute --flush
# Frames the host sends (entering on eth1) are bridged; frames for it arriving
# from the uplink are readdressed to the bridge and routed locally; everything
# else goes to the IP stack as well.
ebtables --table broute --append BROUTING --in-interface eth1 --protocol ipv4 \
  --ip-source "$ADDR" --jump ACCEPT
ebtables --table broute --append BROUTING --in-interface eth0 --protocol ipv4 \
  --ip-destination "$ADDR" --jump redirect --redirect-target DROP
ebtables --table broute --append BROUTING --jump DROP

ebtables --table nat --flush
# Egress on eth0 from the host: rewrite the source MAC to the broadcast
# address, then DROP. NOTE(review): with --snat-target DROP the frame is
# discarded right after the rewrite, so the MAC change is never observable and
# the host's bridged traffic never leaves eth0 -- confirm this is meant as a
# block rather than a leftover from debugging.
ebtables --table nat --append POSTROUTING --out-interface eth0 --protocol ipv4 \
  --ip-source "$ADDR" --jump snat --to-source ff:ff:ff:ff:ff:ff --snat-target DROP

# Bridge setup; errors from an already-existing bridge or ports are silenced.
brctl addbr br0 >/dev/null 2>&1
brctl addif br0 eth0 >/dev/null 2>&1
brctl addif br0 eth1 >/dev/null 2>&1
ifconfig br0 up
#!/bin/bash
# Transparent bridge that passes exactly one address, NETWORK, at layer 2 and
# hands every other frame to the local IP stack.
# broute-table semantics: ACCEPT = bridge, DROP = route locally (not discard).
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
INETSIDE="eth0"   # uplink port
USERSIDE="eth1"   # user-side port
NETWORK="27.162.179.134"

# bridge_rule IFACE PROTO MATCH-OPTIONS...: append an ACCEPT (bridge) rule for
# frames of PROTO entering on IFACE that satisfy MATCH-OPTIONS.
bridge_rule() {
  local iface=$1 proto=$2
  shift 2
  ebtables --table broute --append BROUTING --in-interface "$iface" \
    --protocol "$proto" "$@" --jump ACCEPT
}

ebtables --table broute --flush
# Inbound: ARP and IP addressed to NETWORK. Outbound: ARP and IP claiming
# NETWORK as source. Matching is by IP only -- any station on USERSIDE can
# spoof that source address; add a --source MAC match if that segment is not
# trusted.
bridge_rule "$INETSIDE" arp  --arp-ip-dst "$NETWORK"
bridge_rule "$USERSIDE" arp  --arp-ip-src "$NETWORK"
bridge_rule "$INETSIDE" ipv4 --ip-destination "$NETWORK"
bridge_rule "$USERSIDE" ipv4 --ip-source "$NETWORK"
# Everything else is routed (DROP here does not discard).
ebtables --table broute --append BROUTING --jump DROP

# Bridge setup; errors from an already-existing bridge or ports are silenced.
brctl addbr br0 >/dev/null 2>&1
brctl addif br0 "$INETSIDE" >/dev/null 2>&1
brctl addif br0 "$USERSIDE" >/dev/null 2>&1
ifconfig br0 up
#!/bin/bash
# Single-port bridge (br0 = eth0) used to hook frames around one MAC address,
# 00:18:f3:1f:57:f4 (presumably this host's own eth0 MAC -- not shown here).
# broute-table semantics: ACCEPT = bridge the frame, DROP = route it locally.
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
MAC=00:18:f3:1f:57:f4

ebtables --table nat --flush
# Every frame entering eth0 gets destination MAC $MAC and continues; IPv4
# frames are then readdressed to the bridge's own MAC and accepted.
# NOTE(review): the second rule rewrites the destination MAC of the very IPv4
# frames the first rule just changed; unless $MAC is the bridge MAC, the dnat
# is effectively overridden for IPv4 -- confirm the intent.
ebtables --table nat --append PREROUTING --in-interface eth0 \
  --jump dnat --to-destination "$MAC" --dnat-target CONTINUE
ebtables --table nat --append PREROUTING --in-interface eth0 --protocol ipv4 \
  --jump redirect --redirect-target ACCEPT

ebtables --table broute --flush
# IPv4 broadcasts are routed locally, IPv4 frames for any MAC other than $MAC
# are bridged, and whatever is left (including IPv4 to $MAC) is routed.
ebtables --table broute --append BROUTING --in-interface eth0 --protocol ipv4 \
  --destination broadcast --jump DROP
ebtables --table broute --append BROUTING --in-interface eth0 --protocol ipv4 \
  --destination ! "$MAC" --jump ACCEPT
ebtables --table broute --append BROUTING --in-interface eth0 --jump DROP

# Bridge setup; brctl errors (e.g. br0 already present) are not silenced here.
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 up
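#!/bin/bash
# Bridge eth0<->eth1 but pass only one address, 27.162.160.252, at layer 2;
# every other frame is handed to the local IP stack.
# broute-table semantics: ACCEPT = bridge, DROP = route locally (not discard).
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
INETSIDE="eth0"
USERSIDE="eth1"
ADDRESS="27.162.160.252"

# Rules are loaded BEFORE the bridge is brought up. Doing it the other way
# round (bridge up, then flush, then rules) leaves a window in which every
# frame is bridged unfiltered, because an empty BROUTING chain bridges all.
# On a re-run the bridge already exists, so the flush below still opens a
# brief window; a chain policy (`-P BROUTING DROP`) would close it, at the
# cost of changing how the chain lists.
ebtables -t broute -F BROUTING
# Policy rules first (appended); the exceptions are inserted above them.
ebtables -t broute -A BROUTING -i "$INETSIDE" -j DROP
ebtables -t broute -A BROUTING -i "$USERSIDE" -j DROP
# Outgoing: ARP and IP claiming ADDRESS as source, from the user side.
# NOTE: this matches on IP only; any host on USERSIDE can spoof it. Add a
# --source MAC match if that segment is not trusted.
ebtables -t broute -I BROUTING -i "$USERSIDE" -p arp --arp-ip-src "$ADDRESS" -j ACCEPT
ebtables -t broute -I BROUTING -i "$USERSIDE" -p ip --ip-src "$ADDRESS" -j ACCEPT
# Incoming: ARP and IP addressed to ADDRESS, from the uplink.
ebtables -t broute -I BROUTING -i "$INETSIDE" -p arp --arp-ip-dst "$ADDRESS" -j ACCEPT
ebtables -t broute -I BROUTING -i "$INETSIDE" -p ip --ip-dst "$ADDRESS" -j ACCEPT

# Create and enable the bridge only once the chain is in place; errors from an
# already-existing bridge or ports are silenced.
brctl addbr br0 &> /dev/null
brctl addif br0 "$INETSIDE" &> /dev/null
brctl addif br0 "$USERSIDE" &> /dev/null
ifconfig br0 up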
# Diagnostics: filter-table rules with counters, bridge STP state, then the
# tc class and filter tables (and class statistics) on both ports.
ebtables --table filter --list --Lc
brctl showstp br0
for dev in eth0 eth1; do tc class show dev "$dev"; done
for dev in eth0 eth1; do tc filter show dev "$dev"; done
for dev in eth0 eth1; do tc -s class ls dev "$dev"; done
BY: Pejman Moghadam
TAG: ebtables, broute, epkg
DATE: 2013-01-23 12:45:38