
Linux: Port Isolation on a Bridge to use OLSR correctly


On a router running OLSR there are four ports/interfaces where connected devices talk OLSR to each other. Now I don't like to use an IP address for each interface but instead bridge them all and set just one IP address on the bridge.

The problem now is, those devices should NOT see each other on layer 2, else OLSR routing changes the wrong way (because of the bridge). Those devices should be routed on layer 3 by OLSR only. OK, so there is an option to use ebtables...

I've already read this post, but it's not exactly what I'm looking for. So I'm trying to figure out how to allow each connected device to talk OLSR to the router while denying all connected devices the ability to see each other on layer 2.

# deny talking to each other
ebtables -P FORWARD DROP
ebtables -F FORWARD

works well, but then the router itself does not see any connected device, so I guess I need to allow the interfaces to talk to the router itself.

# allow port eth1 (append rules with -A; -F would flush the chain instead)
ebtables -A FORWARD -i eth1 -j ACCEPT
ebtables -A FORWARD -o eth1 -j ACCEPT

but this allows too much; the effect is the same as setting the policy back to ACCEPT.

How should I set the ebtables rules to make this work the right way?


Solution

  • It's as simple as putting all ports into a bridge br0 and then:

    ebtables -P FORWARD DROP
    ip link set br0 promisc on
    

    (works as expected on a UBNT EdgeRouter, but was also tested on a Linux box before, so it should work there too)
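As an added example that is not part of the original question or answer, the whole setup as a small POSIX shell script: the member ports are bridged behind one address, the ebtables FORWARD policy is set to DROP so nothing crosses between ports (frames to and from the router itself go through the INPUT and OUTPUT chains, which stay ACCEPT, so OLSR with the router keeps working), and br0 is put into promiscuous mode as in the answer. The bridge name, address, port names and the DRY_RUN switch are assumptions made here; with DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: isolate bridge ports for OLSR (not code from the original post).
# Interface names, the address and DRY_RUN are assumptions for this example.
# Usage: DRY_RUN=1 setup_isolated_bridge br0 10.0.0.1/24 eth1 eth2 eth3 eth4

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"          # show the command instead of running it
    else
        "$@"
    fi
}

setup_isolated_bridge() {
    br="$1"; addr="$2"; shift 2
    if [ "$#" -lt 1 ]; then
        echo "usage: setup_isolated_bridge BRIDGE ADDR/PREFIX PORT [PORT...]" >&2
        return 1
    fi
    run ip link add name "$br" type bridge
    for port in "$@"; do
        run ip link set "$port" master "$br"
        run ip link set "$port" up
    done
    run ip addr add "$addr" dev "$br"      # one address for all ports
    run ip link set "$br" up
    # Port isolation: the FORWARD chain only sees frames going from one
    # member port to another (unicast and flooded broadcast alike), so a
    # DROP policy with an empty chain stops all layer-2 contact between ports.
    run ebtables -P FORWARD DROP
    run ebtables -F FORWARD
    # INPUT/OUTPUT (frames to/from the router itself) are left at ACCEPT,
    # which is the path OLSR between each device and the router uses.
    run ip link set "$br" promisc on
}
```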