OpenWrt Forum Archive

Topic: How I filter br0 using iptables

The content of this topic has been archived on 1 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I know that for all clients connected to one switch the rules are not applied to them, because the traffic does not go through the router.

But with the Wi-Fi clients it is different, because they do not communicate directly with one another; the traffic must go through the router although they are part of the same IP range.

I want to reject some ports between several clients, using iptables.

My question is: how do I use iptables to filter br0?

You have to use ebtables, you can get it with "ipkg install ebtables".

(Last edited by haye on 12 Mar 2007, 11:11)

I have many questions:

1: Why can't I do it with iptables?

2: Why can I with the Sveasoft firmware?

3: Why do I have to use ebtables and not iptables?

4: Why, when I write ebtables -L on my router, do I get "The kernel doesn't support the ebtables 'filter' table"?

Can anybody tell me how I filter with ebtables?

Thanks

1: & 3: Because the traffic doesn't reach the iptables filters at all; I'm sure it is passed out of the interface immediately because the router itself is not the destination, nor is another routed interface. Why should the kernel pass it towards the iptables filters then?

2: I don't know what Sveasoft has changed that it works with iptables.

4: Are the needed modules loaded? Have a look at lsmod and load them via modprobe if necessary.

Have a look here, there are links to several articles concerning ebtables / bridged firewalls:
http://ebtables.sourceforge.net/documentation.html#docs

I did only a few tests with ebtables, but it did for me what you want to achieve: filter traffic on br0. Maybe it's suitable for you to disallow all client traffic by setting wl0_ap_isolate:
http://wiki.openwrt.org/OpenWrtNVRAM#he … 3ea24eb044

yamilselman wrote:

I have many questions:

1: Why can't I do it with iptables?

2: Why can I with the Sveasoft firmware?

3: Why do I have to use ebtables and not iptables?

4: Why, when I write ebtables -L on my router, do I get "The kernel doesn't support the ebtables 'filter' table"?

Can anybody tell me how I filter with ebtables?

Thanks

Contrary to what most people think, you can filter bridge traffic using iptables; I think it's accomplished by a bridge patch for the 2.4 kernel (if I am not mistaken, it's contained in the same patch for the kernel ebtables support). For a newer 2.6 kernel, that's a matter of turning on certain kernel configs.

Cheers.

Contrary to what most people think, you can filter bridge traffic using iptables; I think it's accomplished by a bridge patch for the 2.4 kernel (if I am not mistaken, it's contained in the same patch for the kernel ebtables support). For a newer 2.6 kernel, that's a matter of turning on certain kernel configs.

Cheers.

You are right. Exactly.

I can use iptables to filter the bridge by patching the kernel with the bridge-nf patch:

Bridge-nf:
The bridge-netfilter patch is maintained by Lennert Buytenhek. This patch extends the already built-in bridging functionality of the Linux kernel. The packets forwarded by the bridge are now passed through the Linux Netfilter tables and chains.

And I confirm that the Sveasoft firmware uses the bridge-nf patch.

Can some dev include the bridge-nf patch for kernel 2.4? I know that this feature is included in kernel 2.6.

I want to patch my OpenWrt with this. Can anyone help me?
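As an added example (not code from the thread or from OpenWrt) of the bridge-nf route this post describes: once bridged frames pass through netfilter, ordinary iptables FORWARD rules can see them, and the physdev match limits a rule to frames that both enter and leave the bridge on the wireless port. It assumes a bridge-nf kernel exposing the bridge-nf-call-iptables sysctl, an iptables build with the physdev match, and wl0 as the wireless bridge port; the helper names are hypothetical.

```shell
#!/bin/sh
# bridge-nf route: iptables rules for bridged traffic between wireless
# clients. Hypothetical helper; assumes bridge-nf, the physdev match and
# wl0 as the wireless bridge port (none of these are given by the thread
# beyond the wl0 name).

WIFI_IF=${WIFI_IF:-wl0}
BRNF_SYSCTL=${BRNF_SYSCTL:-/proc/sys/net/bridge/bridge-nf-call-iptables}

# Report whether this kernel hands bridged IPv4 frames to iptables:
# prints "enabled", "disabled" or "absent" (no bridge-nf at all).
brnf_state() {
    if [ ! -e "$BRNF_SYSCTL" ]; then
        echo absent
    elif [ "$(cat "$BRNF_SYSCTL")" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Print iptables commands rejecting the given TCP ports between wireless
# clients. A dedicated chain keeps the rules easy to flush later.
brnf_port_rules() {
    echo "iptables -N WIFI_ISOLATE"
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in $WIFI_IF --physdev-out $WIFI_IF -j WIFI_ISOLATE"
    for port in "$@"; do
        echo "iptables -A WIFI_ISOLATE -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
    echo "iptables -A WIFI_ISOLATE -j RETURN"
}

# Apply only when bridge-nf is active; otherwise the rules would be
# accepted by iptables yet never match a bridged frame.
brnf_apply() {
    [ "$(brnf_state)" = enabled ] || { echo "bridge-nf not enabled" >&2; return 1; }
    brnf_port_rules "$@" | while read -r cmd; do $cmd || return 1; done
}

# Usage: ./brnf.sh --dry-run 445 139   (prints the rules without applying)
case "$1" in
    --dry-run) shift; brnf_port_rules "$@" ;;
esac
```

Disabling bridge-nf-call-iptables (writing 0 to the sysctl) is the usual answer when the throughput cost discussed later in this thread matters more than filtering.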

Just the act of loading the ebtables module without even applying any rules reduces the throughput. As such, I really don't want to apply this patch you're asking about.

Why do you really not want to apply this patch?

I really don't want to use ebtables to filter the bridge if I can use iptables to do it.

... how can I patch my kernel with this bridge-nf patch?

mbm wrote:

Just the act of loading the ebtables module without even applying any rules reduces the throughput. As such, I really don't want to apply this patch you're asking about.

I can concur with this observation. I have a case where I have a few ebtables rules and a few iptables rules too on an Asus WL500gx; the ping time changed from a few milliseconds to a few hundred milliseconds. I did not pursue it to a level where I could have any conclusion, but it might be that the bridge is throwing up too many packets to the iptables rules (FORWARD?). After I changed the rules a bit, it improved significantly, but nevertheless the throughput is not as good as without the ebtables modules.

Cheers.

yamilselman wrote:

Why do you really not want to apply this patch?

I really don't want to use ebtables to filter the bridge if I can use iptables to do it.

... how can I patch my kernel with this bridge-nf patch?

Obtain a cross-compiling toolchain matching the one used by WhiteRussian, for example from the SDK available for download on the site. If you have the entire buildroot for WhiteRussian you can put patches directly into the build process by putting them in the appropriate patches/ folder, and edit the config if needed. Otherwise, download the kernel, apply the OpenWrt patches, apply your patch, and compile it using the SDK (this really isn't hard to do, it's fairly straightforward imo).

mbm wrote:

Just the act of loading the ebtables module without even applying any rules reduces the throughput. As such, I really don't want to apply this patch you're asking about.

Why does this happen?

Kevin wrote:

Obtain a cross-compiling toolchain matching the one used by WhiteRussian, for example from the SDK available for download on the site. If you have the entire buildroot for WhiteRussian you can put patches directly into the build process by putting them in the appropriate patches/ folder, and edit the config if needed. Otherwise, download the kernel, apply the OpenWrt patches, apply your patch, and compile it using the SDK (this really isn't hard to do, it's fairly straightforward imo).

Is there any way to patch the kernel without using the SDK? I mean, patch it directly from inside the router with the firmware running?

yamilselman wrote:

4: Why, when I write ebtables -L on my router, do I get "The kernel doesn't support the ebtables 'filter' table"?
Thanks

I don't know which OpenWrt I used, but there is no need to patch the kernel (it is already patched?). All I need is to load the kernel modules:

e.g.,

insmod /lib/modules/2.4.30/ebtables
insmod /lib/modules/2.4.30/ebtable_filter
insmod /lib/modules/2.4.30/ebt_ip
insmod /lib/modules/2.4.30/ebtable_broute

Cheers.
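As an added example (not code from the thread or from OpenWrt) that ties the module list above to the original question of filtering ports between Wi-Fi clients with ebtables: the 'filter' table error earlier in the thread is what you see before ebtable_filter is loaded, and ebt_ip is what makes the IP port matches available. It assumes the 2.4.30 module paths from the post, wl0 as the wireless bridge port, and that the driver relays station-to-station frames through the bridge as the thread assumes; the helper names are hypothetical.

```shell
#!/bin/sh
# ebtables route: load the modules the post lists, then drop chosen TCP
# ports between wireless clients on br0. Frames are matched at the
# bridge, so iptables never needs to see them.
# Hypothetical helper; assumes /lib/modules/2.4.30 (from the post), wl0 as
# the wireless bridge port, and intra-BSS frames traversing the bridge.

EBT_MODDIR=${EBT_MODDIR:-/lib/modules/2.4.30}
WIFI_IF=${WIFI_IF:-wl0}

# Load each module only if /proc/modules does not already list it.
# ebtable_filter provides the 'filter' table; ebt_ip provides --ip-*.
ebt_load_modules() {
    for m in ebtables ebtable_filter ebt_ip; do
        grep -q "^$m " /proc/modules 2>/dev/null || insmod "$EBT_MODDIR/$m" || return 1
    done
}

# Print one DROP rule per port. -i/-o name bridge ports, so a frame that
# enters and leaves on the wireless port is client-to-client traffic;
# ebtables has no REJECT target, so the frame is silently dropped.
ebt_port_rules() {
    for port in "$@"; do
        echo "ebtables -A FORWARD -i $WIFI_IF -o $WIFI_IF -p IPv4 --ip-proto tcp --ip-dport $port -j DROP"
    done
}

# Load the modules, then run every generated rule; stop on the first error.
ebt_apply() {
    ebt_load_modules || return 1
    ebt_port_rules "$@" | while read -r cmd; do $cmd || return 1; done
}

# Usage: ./ebt.sh --dry-run 445 139   (prints the rules without applying)
case "$1" in
    --dry-run) shift; ebt_port_rules "$@" ;;
esac
```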

I mean using iptables to filter the bridge by patching the kernel with the bridge-nf patch.

Does ebtables include the bridge-nf patch?

(Last edited by yamilselman on 14 Mar 2007, 08:29)

The discussion might have continued from here.