Differences

docs:guide-user:firewall:fw3_configurations:bridge [2023/09/17 17:31] – [Command-line instructions] vgaetera
docs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera
Line 11: Line 11:
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
 +Assuming a setup with bridged LAN and WAN interfaces.
 Install the required packages. Install the required packages.
-Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]]. +Enable bridge firewall intercepting DNS queries and filtering transit traffic from ''eth0'' to ''eth1''.
-Enable bridge firewall intercepting DNS queries.+
  
 <code bash> <code bash>
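Review bot: The new assumption line should name the role of each bridge port, because the rules that follow are interface-specific and only act on one direction: "bridged LAN and WAN interfaces" does not tell the reader which of `eth0` and `eth1` is the LAN side, and nothing on this page touches `eth1` to `eth0` transit. Suggest something like "Assuming a setup where the LAN port `eth0` and the WAN port `eth1` are members of the same bridge." The rewritten second sentence is clearer than the two it replaces; just keep the DNS hijacking/filtering step it drops here as a required step wherever it is re-added, since the bridge rules alone do not make the local resolver answer anything.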
Line 31: Line 31:
 nft flush table bridge filter nft flush table bridge filter
 nft add chain bridge filter prerouting \ nft add chain bridge filter prerouting \
-{ type filter hook prerouting priority 0\; } +{ type filter hook prerouting priority dstnat\; } 
-nft add rule bridge filter prerouting tcp dport 53 meta pkttype +nft add rule bridge filter prerouting meta \ 
-set host ether daddr set "${NET_MAC}" comment "Intercept-DNS" +l4proto tcp, udp th dport 53 pkttype set host 
-nft add rule bridge filter prerouting udp dport 53 meta pkttype \ +ether daddr set "${NET_MAC}" comment "Intercept-DNS"
-set host ether daddr set "${NET_MAC}" comment "Intercept-DNS"+
 nft add chain bridge filter forward \ nft add chain bridge filter forward \
-{ type filter hook forward priority 0\; } +{ type filter hook forward priority filter\; } 
-nft add rule bridge filter forward +nft add rule bridge filter forward iifname "eth0" 
-iif "eth0" oif "eth1" drop comment "Filter-eth0-eth1"+oifname "eth1" drop comment "Deny-eth0-eth1"
 EOF EOF
 uci -q delete firewall.bridge uci -q delete firewall.bridge
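Review bot: The continuation backslash after `pkttype set host` is not visible in the new version, while every other wrapped line in this block ends in ` \`. Inside the unquoted heredoc a missing backslash splits the command, so the generated script would load a rule that only sets the packet type and then fail on a separate `ether daddr set "${NET_MAC}" comment "Intercept-DNS"` line, which silently leaves the MAC rewrite out of the ruleset. If that is just a rendering artifact, ignore it; otherwise add the backslash. A smaller style point: `meta l4proto tcp, udp` depends on nft accepting a value list without braces; the conventional anonymous-set form `meta l4proto { tcp, udp } th dport 53` is what most readers will recognise. The switch from `iif`/`oif` to `iifname`/`oifname` is a real improvement, since `iif` resolves the port to an index when the rule is loaded and fails if the port does not exist yet, and the symbolic `dstnat`/`filter` priorities are clearer than `0`; they do need a nft release that knows the priority names, which the fw4-era releases that provide `/etc/nftables.d` includes do.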
Line 45: Line 44:
 uci set firewall.bridge.path="/etc/nftables.d/bridge.sh" uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
 +
 +Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]].
  
 ===== Testing ===== ===== Testing =====
-Use [[man>nslookup(1)|nslookup]] on LAN clients to verify the firewall configuration.+Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]], [[man>ping6(1)|ping6]] on LAN clients to verify the firewall configuration.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
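Review bot: Placing the DNS hijacking/filtering step after the include is installed is a sensible order, but the sentence should say that the step is required rather than read as a follow-up: the bridge rule only rewrites the destination MAC so that the router's own stack receives the query, the packet still carries the client's original resolver address, and without the DNS hijacking redirect the router simply routes it onward instead of answering it. In the Testing line, "Use nslookup, ping, ping6 on LAN clients" reads as a fragment; "Use nslookup, ping and ping6 on LAN clients to verify the firewall configuration." is the intended sentence. The `service firewall restart` change is purely cosmetic, as `service` on OpenWrt invokes `/etc/init.d/firewall restart`.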
Line 56: Line 57:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
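Review bot: Consistent with the earlier hunk and behaviour-neutral, since `service firewall restart` on OpenWrt runs `/etc/init.d/firewall restart`. As this sits under "Log and status", it is worth a sentence in the prose that the restart's own output is where a broken `/etc/nftables.d/bridge.sh` first shows up, so readers know to look at it before the runtime checks below.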
Line 65: Line 66:
 uci show firewall uci show firewall
 </code> </code>
 +
 +===== Extras =====
 +==== References ====
 +  * [[https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering|nftables wiki: Bridge filtering]]
 +  * [[https://netdevconf.info//1.1/proceedings/papers/Bridge-filter-with-nftables.pdf|NetDev: Bridge filtering with nftables]]
  
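Review bot: The second reference URL carries a doubled slash (`netdevconf.info//1.1/...`); it should read `https://netdevconf.info/1.1/proceedings/papers/Bridge-filter-with-nftables.pdf`. The nftables wiki page is the primary source for the destination-MAC rewrite used in the prerouting chain, so linking it from the Command-line instructions as well, not only from Extras, would help readers understand why `pkttype set host` and `ether daddr set` are both needed.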
  • Last modified: 2024/11/01 16:42
  • by vgaetera