Re: bridge-nf

Ryan Rothert wrote:
Will do tomorrow, the box isn't online right now.  So am I to assume the
bridge firewall patch is already in the Fedora kernel?
I've been looking through the kernel src.rpm and haven't seen it yet.    Again, I
do have bridging working, it's just that iptables is not working with the
bridge interface ...


The bridging firewall worked with the stock RH 7.2 kernel, so I assume it's still ok ;-)


Don't forget you have 3 interfaces when running a bridge. There's eth0 and eth1 for bridging the ethernet, and the bridge interface itself (in your case br0) for communicating with the host acting as the bridge. You don't want to forget to set up INPUT/OUTPUT rules for br0 or the firewall device is wide open to attack.

INPUT rules apply to packets entering br0, OUTPUT rules apply to packets leaving br0 and FORWARD rules apply to packets traversing the bridge from eth0->eth1 and eth1->eth0.

As to your original rules:

>> iptables -A FORWARD --in-interface eth0 --out-interface eth1 -j ACCEPT

this will accept any packet being forwarded from eth0 to eth1 regardless (I hope eth0 is your internal interface).

>> iptables -A FORWARD --in-interface eth1 --out-interface eth0 -p tcp -s 10.0.0.1 -d 192.168.1.5 -j DROP

this will drop any packet inbound from 10.0.0.1 to 192.168.1.5.

Finally,

>> iptables -A FORWARD --in-interface eth0 --out-interface eth1  -d \! 192.168.1.5 -j REJECT

I think this will reject any outbound packet not destined for 192.168.1.5 (I'm not sure what the effect of the ! following a \ will be), but you already accept all packets from eth0->eth1 above so this has no effect. Also, from the second rule it appears 192.168.1.5 is on the internal network so it doesn't make any sense to me unless you are trying to keep packets destined for this host which originate on the eth0 segment from appearing on the eth1 segment.


-- Nigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : nmw@xxxxxxxxxxxx Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
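A worked rule set for the three-interface layout described in the reply above, added here as an example and not taken from the thread or from either poster. It assumes, as the thread's rules suggest, that eth0 is the internal segment and eth1 the external one, that br0 is the bridge device, that 192.168.1.0/24 is the internal network (192.168.1.5 being one host on it) and that 10.0.0.1 is the external host whose TCP traffic to 192.168.1.5 is to be dropped. It puts INPUT/OUTPUT rules on br0 so the bridge host is not left open, orders the specific DROP ahead of the blanket ACCEPT so it actually matches, and can print the commands instead of applying them:

```shell
#!/bin/sh
# Added example (not from the thread): a rule set for a bridging firewall with
# the bridge-nf patch, covering all three interfaces (eth0, eth1, br0).
# Assumed layout (constructed, not stated in the thread):
#   eth0 = internal segment, eth1 = external segment, br0 = the bridge device
#   192.168.1.0/24 = internal hosts (192.168.1.5 is one of them)
#   10.0.0.1 = an external host whose TCP traffic to 192.168.1.5 must be dropped
# Usage: sh bridge-fw.sh apply   (needs root; loads the rules)
#        sh bridge-fw.sh show    (prints the iptables commands instead)

bridge_fw() {
    # "dry" prints each command rather than executing it.
    if [ "$1" = dry ]; then IPT="echo iptables"; else IPT="iptables"; fi

    # Clean slate, default-deny on every chain: anything not matched below
    # is dropped, including traffic to the bridge host itself on br0.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # --- Traffic to and from the bridge host itself: seen on br0 ---
    # These are the rules that are easy to forget; without them the host
    # is either wide open (ACCEPT policy) or mute (DROP policy).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management (ssh) only from the assumed internal network.
    $IPT -A INPUT  -i br0 -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    # The host may originate DNS lookups; add further services deliberately.
    $IPT -A OUTPUT -o br0 -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT  -i br0 -j DROP
    $IPT -A OUTPUT -o br0 -j DROP

    # --- Traffic crossing the bridge: FORWARD, eth0 <-> eth1 ---
    # Specific drops go first; a rule placed after a blanket ACCEPT for the
    # same direction never matches.
    $IPT -A FORWARD -i eth1 -o eth0 -p tcp -s 10.0.0.1 -d 192.168.1.5 -j DROP
    # Internal hosts may initiate anything outbound.
    $IPT -A FORWARD -i eth0 -o eth1 -j ACCEPT
    # Inbound only for replies to connections the internal side started.
    $IPT -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -j DROP
}

case "${1:-}" in
    apply) bridge_fw ;;
    show)  bridge_fw dry ;;
esac
```

The FORWARD rules keep the thread's `-i eth0 -o eth1` form. On later 2.6-and-newer kernels with bridge-netfilter, bridged frames show br0 as both the in and the out interface in FORWARD, and the physical ports are selected with `-m physdev --physdev-in eth0 --physdev-out eth1` instead; run `sh bridge-fw.sh show` first and check the order of the FORWARD rules before applying on a production bridge.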


