IPTables on Bridge

[Terrag]

I am trying to use NETMODE TRANSPARENT with a WiFi adapter to facilitate external access into a network. The problem I am having is that I can't use iptables rules with the bridge.

I have researched that I need to enable bridge firewalling in /etc/sysctl.conf:

net.bridge.bridge-nf-call-iptables=1

And then run sysctl -p to update. I get the following error:

sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

It seems that there are kernel modules missing, such as br_netfilter, to allow this to work. How would I go about getting this kernel module?

 

Also, any time I try to use OPKG to install a kernel module it has a old kernel dependency:

root@squirrel:~# opkg install kmod-ebtables
Installing kmod-ebtables (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ebtables_3.18.23-1_ar71xx.ipk.
Multiple packages (kmod-ipt-core and kmod-ipt-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:* satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-ebtables:*     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) ** opkg_install_cmd: Cannot install package kmod-ebtables

 

Any help is much appreciated.

[JDL]

Did you ever solve this? Having a similar problem on 3.1 firmware. Seems like I can not install any useful software from OPKG.

[Terrag]

4 hours ago, JDL said:

Did you ever solve this? Having a similar problem on 3.1 firmware. Seems like I can not install any useful software from OPKG.

I was able to get it working by building a custom kernel. It was a huge pain and didn't really give me a good solution as a network tap that can modify packets. So I abandoned the PacketSquirrel project for a Grapeboard. It has two 1Gb NICs and runs Ubuntu so it fit my needs better. It is more expensive but works beautifully for what I need.

 

https://www.grapeboard.com/

[JDL]

5 hours ago, Terrag said:

I was able to get it working by building a custom kernel. It was a huge pain and didn't really give me a good solution as a network tap that can modify packets. So I abandoned the PacketSquirrel project for a Grapeboard. It has two 1Gb NICs and runs Ubuntu so it fit my needs better. It is more expensive but works beautifully for what I need.

 

https://www.grapeboard.com/

Sorry to hear that. I am familiar with the Grapeboard, but it is over $200USD, plus a case, and is much larger/ pulls more power. I have a couple other SBCs that are in this ballpark, with the EspressoBIN being the go-to for a bigger option. 

 

While I am impressed by the @Hak5 hardware, the software support and stability is lacking across the product line.  

[Terrag]

The EspressoBIN looks nice. I was in a hurry to get a solution together when I found the GrapeBoards. Probably would have given the EspressoBIN a shot if I found them.

 

I completely agree with your statement on the software support and stability.

[Foxtrot]

11 hours ago, JDL said:

Did you ever solve this? Having a similar problem on 3.1 firmware. Seems like I can not install any useful software from OPKG.

What software specifically? If it's not available in the OpenWRT repositories, then I can look into building the package for you.

[JDL]

In this case it is the ability to install packages that seem to be available in the OpenWRT repositories, specifically ebtables and arptables.  I am working on porting the principles of the 802.1x bypass capabilities here: nac_bypass as a payload for the squirrel. With the move to a  kernel version above 3.2 it is possible to change the group_fwd_mask on the bridge (easily) to forward EAP packets. This brings a very important new capability to the squirrel, if we can get ebtables and arptables installed.