IPTables on Bridge


Terrag

I am trying to use NETMODE TRANSPARENT with a WiFi adapter to facilitate external access into a network. The problem I am having is that I can't use iptables rules with the bridge.

From my research, I need to enable bridge firewalling in /etc/sysctl.conf:

net.bridge.bridge-nf-call-iptables=1

And then run sysctl -p to apply it. I get the following error:

sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

It seems that there are kernel modules missing, such as br_netfilter, to allow this to work. How would I go about getting this kernel module?


Also, any time I try to use OPKG to install a kernel module, it has an old kernel dependency:

root@squirrel:~# opkg install kmod-ebtables
Installing kmod-ebtables (3.18.23-1) to root...
Downloading http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/base/kmod-ebtables_3.18.23-1_ar71xx.ipk.
Multiple packages (kmod-ipt-core and kmod-ipt-core) providing same name marked HOLD or PREFER. Using latest.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-ebtables:
 *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c)
 *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c)
 *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c)
 *     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c)
 * opkg_install_cmd: Cannot install package kmod-ebtables


Any help is much appreciated.

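The two failures in the opening post (sysctl rejecting the key, and opkg refusing the kmod) have the same root cause: the firmware's kernel is not the stock OpenWrt one, so neither the br_netfilter sysctl key nor the repository's kernel-module packages line up with it. The shell script below is an added example, not code posted in this thread or shipped by Hak5 or OpenWrt. It checks whether the bridge-netfilter sysctl key exists before running sysctl -p, and it extracts the kernel version-release-vermagic string from an opkg dependency error and from "opkg list-installed" output so the mismatch can be seen directly. The /proc path is the real Linux one; the optional root prefix, the OPKG_INSTALLED sample line and its placeholder hash are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Two checks to run before
# "sysctl -p" or "opkg install kmod-..." on an OpenWrt-based box such as the
# one described above. The /proc path is the real Linux one; the optional
# root prefix exists only so the functions can be run against a constructed
# fake tree instead of the live system.

# Report the bridge-netfilter state. "missing" means the key does not exist
# (br_netfilter not loaded or not built), which is exactly the condition that
# makes sysctl report 'net.bridge.bridge-nf-call-iptables' as an unknown key.
bridge_nf_state() {
    key="${1:-}/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ ! -f "$key" ]; then
        echo missing
        return 1
    fi
    case "$(cat "$key")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Pull the "version-release-vermagic" string a kmod package demands out of an
# opkg dependency error (reads stdin, prints the first match).
required_kernel() {
    sed -n 's/.*kernel (= \([^)]*\)).*/\1/p' | head -n 1
}

# Pull the same string for the running kernel out of "opkg list-installed"
# output, whose kernel line looks like "kernel - 3.18.23-1-<hash>".
installed_kernel() {
    sed -n 's/^kernel - \(.*\)$/\1/p' | head -n 1
}

# A kmod from the repository installs only when the two strings match exactly;
# the trailing hash is derived from the kernel build's configuration, so a
# firmware with its own kernel build never matches the stock repository modules.
kmod_installable() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Constructed sample inputs. OPKG_ERROR is the error line quoted in the thread;
# OPKG_INSTALLED is a made-up "opkg list-installed" line with a placeholder hash.
OPKG_ERROR='Collected errors:* satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-ebtables:*     kernel (= 3.18.23-1-b2f200610f46d20ef52d269421369d0c) ** opkg_install_cmd: Cannot install package kmod-ebtables'
OPKG_INSTALLED='kernel - 3.18.23-1-PLACEHOLDERHASH0000000000000000'

# Stand-alone demonstration on the constructed samples.
req=$(printf '%s\n' "$OPKG_ERROR" | required_kernel)
inst=$(printf '%s\n' "$OPKG_INSTALLED" | installed_kernel)
if kmod_installable "$req" "$inst"; then
    echo "kmod-ebtables matches the installed kernel ($inst)"
else
    echo "kmod-ebtables wants kernel $req but this firmware has $inst: a module built against this exact kernel is needed"
fi
echo "bridge-nf-call-iptables on this host: $(bridge_nf_state)"
```

On a real device, replace the constructed OPKG_INSTALLED line with the output of "opkg list-installed kernel"; if the hash differs from the one in the error, no package from the stock repository will install, and the module has to come from a build of the same kernel tree and configuration as the firmware.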

4 hours ago, JDL said:

Did you ever solve this? Having a similar problem on 3.1 firmware. Seems like I cannot install any useful software from OPKG.

I was able to get it working by building a custom kernel. It was a huge pain and didn't really give me a good solution as a network tap that can modify packets. So I abandoned the PacketSquirrel project for a Grapeboard. It has two 1Gb NICs and runs Ubuntu so it fit my needs better. It is more expensive but works beautifully for what I need.


https://www.grapeboard.com/


5 hours ago, Terrag said:

I was able to get it working by building a custom kernel. It was a huge pain and didn't really give me a good solution as a network tap that can modify packets. So I abandoned the PacketSquirrel project for a Grapeboard. It has two 1Gb NICs and runs Ubuntu so it fit my needs better. It is more expensive but works beautifully for what I need.


https://www.grapeboard.com/

Sorry to hear that. I am familiar with the Grapeboard, but it is over $200 USD plus a case, and it is much larger and pulls more power. I have a couple of other SBCs that are in this ballpark, with the EspressoBIN being the go-to for a bigger option.


While I am impressed by the @Hak5 hardware, the software support and stability are lacking across the product line.


The EspressoBIN looks nice. I was in a hurry to get a solution together when I found the GrapeBoards. I probably would have given the EspressoBIN a shot if I had found them.


I completely agree with your statement on the software support and stability.


11 hours ago, JDL said:

Did you ever solve this? Having a similar problem on 3.1 firmware. Seems like I cannot install any useful software from OPKG.

What software specifically? If it's not available in the OpenWRT repositories, then I can look into building the package for you.


In this case it is the ability to install packages that seem to be available in the OpenWRT repositories, specifically ebtables and arptables. I am working on porting the principles of the 802.1x bypass capabilities here: nac_bypass as a payload for the squirrel. With the move to a kernel version above 3.2 it is possible to change the group_fwd_mask on the bridge (easily) to forward EAP packets. This brings a very important new capability to the squirrel, if we can get ebtables and arptables installed.


I remember trying to solve this problem a long time ago on a Linux desktop that was in a bridged network. I was able to fix my problem by eliminating the bridge and adding FORWARD rules, as well as adding masquerading rules in the POSTROUTING table.

I know it's not the solution you were looking for, though.
