

Free firewall software distributed under GNU General Public License

What is ebtables?

The ebtables utility enables basic Ethernet frame filtering on a Linux bridge, logging, MAC NAT and brouting. It only provides basic IP filtering; full-fledged IP filtering on a Linux bridge is done with iptables. The so-called bridge-nf code makes iptables see the bridged IP packets and enables transparent IP NAT. The firewalling tools iptables and ebtables can be used together and are complementary: ebtables tries to provide the bridge firewalling that iptables cannot provide, namely the filtering of non-IP traffic.

Main features:
  • Usage analogous to iptables.
  • Ethernet filtering.
  • MAC NAT: ability to alter the MAC Ethernet source and destination address. This can be useful in some very strange setups (a real-life example is available).
  • Brouting: decide which traffic to bridge between two interfaces and which traffic to route between the same two interfaces. The two interfaces belong to a logical bridge device but have their own IP address and can belong to a different subnet.
  • Pass packets to userspace programs, using netlink sockets (the ulog watcher).
What can ebtables do?
  • Ethernet protocol filtering.
  • MAC address filtering.
  • Simple IP header filtering.
  • ARP header filtering.
  • 802.1Q VLAN filtering.
  • In/Out interface filtering (logical and physical device).
  • MAC address NAT.
  • Logging.
  • Frame counters.
  • Ability to add, delete and insert rules; flush chains; zero counters.
  • Brouter facility.
  • Ability to atomically load a complete table, containing the rules you made, into the kernel. See the man page and the examples section.
  • Support for user defined chains.
  • Support for marking frames and matching marked frames.
What exactly does the bridge-nf code enable?
  • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN header.
  • All filtering, logging and NAT features of the 3 tools can therefore be used on bridged frames.
  • Combined with ebtables, the bridge-nf code therefore makes Linux a very powerful transparent firewall.
  • This enables, e.g., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
  • Letting {ip,ip6,arp}tables see bridged traffic can be disabled using the appropriate proc entries, located in /proc/sys/net/bridge/. Also, letting the aforementioned firewall tools see 802.1Q VLAN encapsulated packets can be disabled with such a proc entry.
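As an added example (not code from the ebtables project), the following shell script reads the bridge-nf proc switches mentioned above and installs a default-deny ebtables FORWARD chain that bridges only IPv4 and ARP frames, logging everything else it drops. The bridge name br0, the BRIDGE_PROC override and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of ebtables itself. Assumes a bridge named br0;
# BRIDGE_PROC and DRY_RUN exist only so the script can be exercised offline.

BRIDGE_PROC="${BRIDGE_PROC:-/proc/sys/net/bridge}"

# run: execute a command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# bridge_nf_value NAME: print the value of one bridge-nf proc entry,
# or "absent" when the kernel does not expose it
bridge_nf_value() {
    f="$BRIDGE_PROC/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# bridge_nf_report: one line per switch controlling whether iptables,
# ip6tables and arptables see bridged traffic, and whether 802.1Q-tagged
# frames are handed to them as well
bridge_nf_report() {
    for k in bridge-nf-call-iptables bridge-nf-call-ip6tables \
             bridge-nf-call-arptables bridge-nf-filter-vlan-tagged; do
        printf '%s=%s\n' "$k" "$(bridge_nf_value "$k")"
    done
}

# ebtables_basic_filter BRIDGE: default-deny FORWARD chain on the logical
# bridge device; IPv4 and ARP are bridged, every other Ethernet protocol
# (the non-IP traffic ebtables exists to filter) is logged and dropped
ebtables_basic_filter() {
    br="$1"
    run ebtables -t filter -F FORWARD
    run ebtables -t filter -P FORWARD DROP
    run ebtables -t filter -A FORWARD --logical-in "$br" -p IPv4 -j ACCEPT
    run ebtables -t filter -A FORWARD --logical-in "$br" -p ARP -j ACCEPT
    run ebtables -t filter -A FORWARD --logical-in "$br" --log-prefix "ebt-drop: " -j DROP
}

# usage: ./script report | ./script apply [bridge]
case "${1:-}" in
    report) bridge_nf_report ;;
    apply)  ebtables_basic_filter "${2:-br0}" ;;
esac
```

Run with DRY_RUN=1 first to review the exact ebtables commands before applying them on a live bridge.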
What can't ebtables do?
  • Full-fledged IPv4/IPv6/ARP filtering (use iptables/ip6tables/arptables).
  • Filter higher layer protocols over 802.3 Ethernet, e.g. filtering on ARP packets in an 802.3 Ethernet frame. {Ip,Ip6,Arp}tables currently won't filter IPv4/IPv6/ARP traffic over 802.3 Ethernet frames either.
  • Probably lots of things I'm forgetting.
Todo:
  • Support protocol-independent matches (xtables). Status: currently being worked on.
  • Let iptables/ip6tables/arptables see 802.2/802.3 encapsulated IPv4/IPv6/ARP packets.
  • Support IMQ (intermediate queueing device), in a fashion analogous to how it is implemented for iptables (see the corresponding homepage).
  • Add arptables LOG target.
  • Add QUEUE target.
  • Dynamic MAC NAT.
  • VLAN header mangling target.
  • Anything else? Let us know...

Last modified: Thursday, 30-Aug-2007 09:28:36 PDT.
