Getting to know ebtables

Category: Linux network programming | 263 reads

1. What is ebtables?

    The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.

    The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.

    ebtables is the Ethernet bridge firewall. An Ethernet bridge works at the data link layer, and ebtables filters data-link-layer packets. The 2.6 kernel has ebtables built in; to use it you must first install the ebtables user-space tool (ebtables-v2.0.6). Once it is installed, ebtables can be used to filter the packets crossing the bridge. Based on the user's actual requirements, the ebtables rules are set up as follows:

    1: Accept all packets by default
    2: Distinguish source address from destination address, and source port from destination port
    3: Filter TCP and UDP packets separately

2. Main features of ebtables

  • Usage analogous to iptables.
  • Ethernet filtering.
  • MAC NAT: ability to alter the MAC Ethernet source and destination address. This can be useful in some very strange setups (a real-life example is available).
  • Brouting: decide which traffic to bridge between two interfaces and which traffic to route between the same two interfaces. The two interfaces belong to a logical bridge device but have their own IP address and can belong to a different subnet.
  • Pass packets to userspace programs, using netlink sockets (the ulog watcher).

3. What is bridge-netfilter?

    The bridge-netfilter code enables the following functionality:

    • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.
    • All filtering, logging and NAT features of the 3 tools can therefore be used on bridged frames.
    • Combined with ebtables, the bridge-nf code therefore makes Linux a very powerful transparent firewall.
    • This enables, e.g., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
    • Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in /proc/sys/net/bridge/:
      • bridge-nf-call-arptables
      • bridge-nf-call-iptables
      • bridge-nf-call-ip6tables
      Also, letting the aforementioned firewall tools see bridged 802.1Q VLAN and PPPoE encapsulated packets can be disabled or enabled with a proc entry in the same directory:
      • bridge-nf-filter-vlan-tagged
      • bridge-nf-filter-pppoe-tagged
      These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing a '0' to the file disables it.

4. How to configure ebtables, and how does ebtables work?

    ebtables is used as follows:

    ebtables [-t table] -[ADI] chain rule-specification [match-extensions] [watcher-extensions]

    -t table: generally the FORWARD chain.

    -A/-D/-I: A appends a rule to the end of the existing chain; D deletes a rule from the chain (the rule number must be given); I inserts a new rule (the rule number must be given).

    -P: sets the default policy of a chain; it can be DROP, ACCEPT or RETURN.

    -F: flushes the rules of every chain in the table.

    -L: lists the rules of the table. The options --Lc and --Ln can be added.

    -p: specifies the protocol type, such as ipv4 or arp (required); see /etc/ethertypes for details.

    --ip-proto: the protocol carried by the IP packet; 1 is ICMP, 6 is TCP, 17 is UDP; see /etc/protocols for details.

    --ip-src: source IP address of the packet

    --ip-dst: destination IP address of the packet

    --ip-sport: source port of the IP packet

    --ip-dport: destination port of the IP packet

    -i: the interface the frame comes in on

    -o: the interface the frame goes out on

    /***********************************************************************************/

    A simple rule configuration is as follows (placeholders in angle brackets are filled in by the administrator):

    #!/bin/bash

    echo "The ebtables start !"

    # Default policy: accept everything, then flush any existing rules
    ebtables -P FORWARD ACCEPT
    ebtables -P INPUT ACCEPT
    ebtables -P OUTPUT ACCEPT
    ebtables -F

    # Drop by destination address and port.
    # <iface> is eth0 or eth1; <proto> is 6 for TCP or 17 for UDP
    ebtables -A FORWARD -p ipv4 -i <iface> --ip-proto <proto> --ip-dst <destination IP> --ip-dport <destination port> -j DROP

    # Drop by source address and port, same placeholders
    ebtables -A FORWARD -p ipv4 -i <iface> --ip-proto <proto> --ip-src <source IP> --ip-sport <source port> -j DROP
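As an added example (not code from the original post), the script below generates the FORWARD rule set described above from a short rule list, applying the protocol numbers and the source/destination distinction the requirements call for, so the rules can be reviewed before they are loaded on the bridge. The interface names, addresses and ports are constructed sample values.

```shell
#!/bin/bash
# Added example, not code from the original post: generate the FORWARD rule
# set described above from a short rule list, so it can be reviewed before
# being loaded on the bridge. Interfaces, addresses and ports are constructed.

# Map a protocol name to the number --ip-proto expects (see /etc/protocols).
proto_number() {
    case "$1" in
        tcp) echo 6 ;;
        udp) echo 17 ;;
        *)   return 1 ;;
    esac
}

# Build one DROP rule. Arguments: iface proto(tcp|udp) direction(src|dst) ip port
build_rule() {
    local iface=$1 proto=$2 dir=$3 ip=$4 port=$5 num
    num=$(proto_number "$proto") || { echo "unsupported protocol: $proto" >&2; return 1; }
    # Reject a non-numeric or out-of-range port instead of emitting a rule that never matches.
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case "$dir" in
        src) echo "ebtables -A FORWARD -p ipv4 -i $iface --ip-proto $num --ip-src $ip --ip-sport $port -j DROP" ;;
        dst) echo "ebtables -A FORWARD -p ipv4 -i $iface --ip-proto $num --ip-dst $ip --ip-dport $port -j DROP" ;;
        *)   echo "direction must be src or dst: $dir" >&2; return 1 ;;
    esac
}

# Emit the whole script on stdout: default ACCEPT policies, flush, then one
# rule per input line ("iface proto direction ip port"; blank and # lines skipped).
build_script() {
    printf '%s\n' "ebtables -P FORWARD ACCEPT" "ebtables -P INPUT ACCEPT" \
        "ebtables -P OUTPUT ACCEPT" "ebtables -F"
    while read -r iface proto dir ip port; do
        case "$iface" in ''|'#'*) continue ;; esac
        build_rule "$iface" "$proto" "$dir" "$ip" "$port" || return 1
    done
}

# Constructed sample rule list: drop web traffic to one host entering on eth0,
# and DNS traffic from another host entering on eth1.
SAMPLE_RULES='# iface proto dir ip port
eth0 tcp dst 192.0.2.10 80
eth1 udp src 192.0.2.20 53'

# Print the generated rules; pipe into sh on the bridge once reviewed.
printf '%s\n' "$SAMPLE_RULES" | build_script
```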