
I have a bridge with all hosts from the 192.168.5.0/24 network connected to it. They all connect to this bridge via a secondary interface eth1.
I have a router which connects this bridge to others on my network via 192.168.5.1.
On my router I am able to filter all traffic going to and from this network to others with iptables, but I am unable to filter any traffic between hosts on the same network (192.168.5.0).
I believe this is because if, for instance, 192.168.5.2 were to ping 192.168.5.3, the traffic goes straight to the bridge without passing through my router gateway 192.168.5.1.
Is it possible to force all traffic for the same subnet to go to the router first?
The following is an extract from my static routes:

default         192.168.3.1     0.0.0.0         UG    0      0        0 eth0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0
192.168.5.0     *               255.255.255.0   U     0      0        0 eth1

And the following are extracts from my ifcfg-ethx files (CentOS):

DEVICE="eth0"
BOOTPROTO="static"
BROADCAST="192.168.3.255"
GATEWAY="192.168.3.1"
IPADDR="192.168.3.2"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

DEVICE="eth1"
BOOTPROTO="static"
BROADCAST="192.168.5.255"
IPADDR="192.168.5.2"
NETMASK="255.255.255.0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Ethernet"

If I am not mistaken, the way to go is to edit my static routes, specifically the last line of the snippet above, to specify the gateway 192.168.5.1 for the 192.168.5.0/24 network.
I have tried adding GATEWAY="192.168.5.1" to ifcfg-eth1 which creates a routing table with this interface as default. How can I maintain 3.1 as the main gateway but also force all traffic from the 192.168.5.0/24 address space to go through 192.168.5.1?

user2284355
  • Can you shed a little more light on what you're trying to achieve? Subnetting is how you would normally do as you describe. If your reason has anything to do with 'security' and you still wish to use a single subnet then you're doing it wrong. –  Apr 16 '14 at 22:04
  • @yoonix The secondary interface allows servers on 192.168.5.0 to send syslog messages via 5.1 to another network via NAT. I need all servers on 5.0 to only be able to communicate with 5.1 and not with each other. – user2284355 Apr 16 '14 at 22:09
  • Then you need to subnet each into their own network. If you're concerned with host level security for each endpoint on a specific network, then you should be setting up a firewall on each host. –  Apr 16 '14 at 22:13
  • @yoonix what would the implications be of adding a route like so: route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.5.1 dev eth1 and letting my main router do all the filtering? – user2284355 Apr 16 '14 at 22:25
  • If it were to allow that at all (which I don't think it will), you would be including 192.168.5.1 within that route. It's a catch-22. That's for it working at all. Let's say that did work however. All I would need to do is compromise any one server, or plug my own in to your network and talk to whatever I please. If you can change the local configuration of each host, why would you not just configure the firewall? It's the right way and would offer *more* security and flexibility. It sounds like you're trying to reinvent the wheel but insist that it be a perfect square. –  Apr 16 '14 at 22:31
  • You can't make local traffic transit the router. It's just not going to work. All hosts on the same subnet will ARP for each other and send the traffic directly to each other. The only traffic that will transit the router is non-local traffic. If you need all traffic between these hosts to transit the router then you're going to have to put them on different networks (subnets) and configure the router accordingly (router-on-a-stick). – joeqwerty Apr 17 '14 at 05:13
  • Thank you all for your comments. I now understand what I was trying to do made no sense. I am going to implement subnetting. – user2284355 Apr 17 '14 at 14:11

1 Answer


Put some iptables rules on your bridge host. That's by far neater than trying to route traffic where it shouldn't go. Keep in mind that a host trying to reach a peer on the same network just doesn't care about routers. The source would issue an ARP request to figure out the Ethernet address of the target host and send packets directly to it. Here directly means to your bridge host, which then uses its ARP table to forward the packet to the target. So here there is no concept of routing.

Maybe you could remove the natural route the kernel adds on hosts when configuring eth1, then add a specific route to your gateway on eth1 and then add another route to the eth1 network (192.168.5.0/24) specifying your router as a gateway... But only this description should make you understand how crap it is.

Really, you should prefer using iptables on the bridge.

alxgomz
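As an added example (not part of the answer or the question), the iptables approach the answer recommends, written for a Linux bridge host whose bridge interface is assumed to be called br0 (the page does not name it): hosts on 192.168.5.0/24 may only exchange IP traffic with 192.168.5.1, and everything else between peers on the bridge is logged and dropped.

```shell
#!/bin/sh
# Added example, not code from the original answer: isolate bridged hosts on
# 192.168.5.0/24 so they can only talk to the gateway 192.168.5.1, using
# iptables on the Linux bridge host.
# Assumption: the bridge interface is br0 (override with BRIDGE=...).
# iptables only sees bridged frames when br_netfilter is active
# (net.bridge.bridge-nf-call-iptables=1); otherwise only ebtables sees them.

BRIDGE="${BRIDGE:-br0}"
NET="192.168.5.0/24"
GW="192.168.5.1"
CHAIN="BR_ISOLATE"

# Emit the rule set as shell commands so it can be reviewed before applying.
bridge_filter_rules() {
    cat <<EOF
modprobe br_netfilter 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Create the chain, or flush it if it already exists (idempotent re-runs).
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
# Frames bridged from one port to another show up in FORWARD with the
# bridge as both input and output interface; routed traffic does not match.
iptables -D FORWARD -i $BRIDGE -o $BRIDGE -j $CHAIN 2>/dev/null || true
iptables -I FORWARD 1 -i $BRIDGE -o $BRIDGE -j $CHAIN
# $GW lies inside $NET, so the ACCEPT rules must come before the DROP.
iptables -A $CHAIN -s $NET -d $GW -j ACCEPT
iptables -A $CHAIN -s $GW -d $NET -j ACCEPT
iptables -A $CHAIN -s $NET -d $NET -m limit --limit 5/min -j LOG --log-prefix "$CHAIN drop: "
iptables -A $CHAIN -s $NET -d $NET -j DROP
EOF
}

# Peers still resolve each other with ARP (iptables never sees ARP); only
# their IP traffic is dropped. Use ebtables as well if ARP must be blocked.
if [ "${1:-}" = "apply" ]; then
    bridge_filter_rules | sh -e
else
    bridge_filter_rules
fi
```

Run without arguments to review the generated commands; run with `apply` as root on the bridge host to install them, then confirm with `iptables -L BR_ISOLATE -v -n` that the DROP counter rises when two peers try to talk.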