Isn't there *any* HOWTO on doing this? Invisible firewalling like this seems, on the face of it, a neat and simple drop in to an existing network, but the routing is a nightmare.
OK, I've finally found a solution. It's with Lennert Buytenhek's Bridge+Firewall code (see http://bridge.sourceforge.net/ for more info), applying the bridge+firewall patches to a stock 2.2.19 kernel. All the traffic for our lab now goes through a knackered old P100 with two NICs, one to outside, one to our primary hub. The bridge currently has an IP, which is great for setting it up via ssh, but once it's settled that will be disabled and it will become all but totally transparent to the network.

First get the bridging to work (there's a good HOWTO for this at http://www.bnhof.de/~uwe/bridge-stp-howto/BRIDGE-STP-HOWTO/ ). Then, following the instructions there about bridging+ipchains, you can set up ipchains filters. It's not quite as versatile as normal firewalling but it certainly does the job for most things. There is also iptables support, which is even better, although it's not as tested yet and I couldn't get it to work.

Here's an example ipchains script (definitely not real world, but it shows what's going on; the rules are a bit different for the bridging firewall as opposed to a standard one, it seems to me):

-----------
#!/bin/bash

# start from a clean slate: flush all rules, delete user chains, zero counters
ipchains -F
ipchains -X
ipchains -Z

# create a chain with the same name as the bridge device;
# the bridge+firewall patch runs bridged frames through it
ipchains -N br0

# ingress rules
ipchains -N Iall
ipchains -A Iall -p tcp -d 138.253.x.x 80 -j ACCEPT      # allow http traffic to a machine
ipchains -A Iall -p tcp -d 138.253.x.0/24 22 -j ACCEPT   # allow ssh in to anything on our subnet
ipchains -A Iall -p tcp ! -y -j ACCEPT                   # allow data (non-SYN) for established connections
ipchains -A Iall -p tcp -j DENY -l                       # deny and log the rest

# egress rules
ipchains -N Oall
ipchains -A Oall -p tcp -s 138.253.148.0/24 -d 0.0.0.0/0 23 -j ACCEPT  # allow internal machines to telnet out
ipchains -A Oall -p tcp ! -y -j ACCEPT                   # allow data (non-SYN) for established connections
ipchains -A Oall -p tcp -j DENY -l                       # deny and log the rest

# main bridge chain
ipchains -A br0 -i eth1 -j Iall   # jump to Iall chain for incoming
ipchains -A br0 -i eth0 -j Oall   # jump to Oall chain for outgoing
-----------

I hope this might be of use to anyone else in a similar situation. Many thanks for the replies both on and off the list, it's been highly educational.

JB

--
John Bland M.Phys (Hons) AMInstP
PhD Student & Sys Admin          Email: j.bland at cmp.liv.ac.uk
Condensed Matter Group           http://ringtail.cmp.liv.ac.uk/
Liverpool University
"Everybody relax, I'm here." -- Jack Burton
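As an added example (not part of the post above or of the bridge project), the following bash script pulls the two halves of the procedure together: bringing up the bridge with bridge-utils and then loading an ipchains ruleset of the same shape as the one posted. Interface names, the bridge name, the 138.253.148.0/24 lab subnet and the web-server address are assumptions taken from or made up around the post; the IP-less member ports and the RUN=echo dry-run mode are this example's own choices. Two things are added that the posted script lacks: a catch-all DENY at the end of each chain, so non-TCP traffic is not left unmatched, and a comment making clear that ipchains' "! -y" is a SYN filter, not connection tracking.

```shell
#!/bin/bash
# Constructed example: transparent bridge + ipchains filter with a dry-run mode.
# Names and addresses below are assumptions, not values from the original post.
set -eu

BRIDGE=${BRIDGE:-br0}
IN_IF=${IN_IF:-eth1}            # interface the ingress rules match on (eth1 in the post)
OUT_IF=${OUT_IF:-eth0}          # interface the egress rules match on (eth0 in the post)
LAN=${LAN:-138.253.148.0/24}    # assumed lab subnet
WEB=${WEB:-138.253.148.10}      # assumed web server; placeholder address
# RUN=echo prints every command instead of executing it, so the ruleset can be
# inspected on a box without the bridge patch or ipchains installed.
RUN=${RUN:-}

bridge_up() {
    $RUN brctl addbr "$BRIDGE"
    $RUN brctl addif "$BRIDGE" "$IN_IF"
    $RUN brctl addif "$BRIDGE" "$OUT_IF"
    # Member ports carry no IP address; the bridge forwards frames at layer 2.
    $RUN ifconfig "$IN_IF" 0.0.0.0 promisc up
    $RUN ifconfig "$OUT_IF" 0.0.0.0 promisc up
    $RUN ifconfig "$BRIDGE" up
}

rules() {
    $RUN ipchains -F
    $RUN ipchains -X
    $RUN ipchains -Z
    # The bridge+firewall patch filters bridged frames through a chain named
    # after the bridge device, so that chain is the entry point.
    $RUN ipchains -N "$BRIDGE"
    $RUN ipchains -N Iall
    $RUN ipchains -N Oall

    # Ingress: only named services may be opened from outside.
    $RUN ipchains -A Iall -p tcp -d "$WEB" 80 -j ACCEPT
    $RUN ipchains -A Iall -p tcp -d "$LAN" 22 -j ACCEPT
    # ipchains is stateless: "! -y" accepts any TCP segment without SYN set.
    # This blocks new inbound connections; it is not connection tracking.
    $RUN ipchains -A Iall -p tcp ! -y -j ACCEPT
    $RUN ipchains -A Iall -p tcp -j DENY -l
    # Catch-all so UDP/ICMP/other do not fall off the end of the chain unmatched.
    $RUN ipchains -A Iall -j DENY -l

    # Egress: lab hosts may telnet out; replies to that are non-SYN segments.
    $RUN ipchains -A Oall -p tcp -s "$LAN" -d 0.0.0.0/0 23 -j ACCEPT
    $RUN ipchains -A Oall -p tcp ! -y -j ACCEPT
    $RUN ipchains -A Oall -p tcp -j DENY -l
    $RUN ipchains -A Oall -j DENY -l

    # Hand each direction to its chain, as in the posted script.
    $RUN ipchains -A "$BRIDGE" -i "$IN_IF" -j Iall
    $RUN ipchains -A "$BRIDGE" -i "$OUT_IF" -j Oall
}

# Usage: ./bridgefw.sh show   (print the commands)   ./bridgefw.sh apply   (run them)
case "${1:-}" in
    apply) bridge_up; rules ;;
    show)  RUN=echo; bridge_up; rules ;;
esac
```

Run it with "show" first and read the printed commands; only "apply" touches the kernel. The "! -y" rules are the weak point of any ipchains design: a single non-SYN packet to any inside port passes, which is why the post mentions the iptables support (connection tracking) as the better option once it works.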