
Resolved
0 votes
Hello.

I have ClearOS as a bridge (with 2 interfaces) for my network. I installed a custom firewall module to control access, but I need to set a list of rules based on ebtables. If I use this custom firewall (but with ebtables rules) it behaves wrongly, creating a set of duplicated rules without any logical order.

How could I set ebtables rules in graphical mode?

Thanks in advance,

Miguel Torres.
Monday, March 27 2017, 11:12 AM
Responses (10)
  • Accepted Answer

    Wednesday, March 29 2017, 09:42 AM - #Permalink
    Resolved
    0 votes
    Yes, your tip was the clue.

    ;)
  • Accepted Answer

    Wednesday, March 29 2017, 09:38 AM - #Permalink
    Resolved
    0 votes
    Glad you got it. It is what I was saying in my pseudo code earlier on about flushing first.
  • Accepted Answer

    Wednesday, March 29 2017, 09:17 AM - #Permalink
    Resolved
    -1 votes
    OK, I got it!

    First rule must be a flush of all rules:

    cat /etc/clearos/firewall.d/local

    # This script is run after every firewall restart. Add custom rules here.
    # Ensure you use $IPTABLES instead of calling iptables directly if you wish
    # to avoid xtable locking problems.
    ebtables -F
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -p IPV4 -j DROP
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -p IPV4 -j DROP


    ebtables -L

    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 2, policy: ACCEPT
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT


    Thank you very much, Nick
  • Accepted Answer

    Wednesday, March 29 2017, 09:00 AM - #Permalink
    Resolved
    0 votes
    This is the content of my /etc/clearos/firewall.d/local:


    # This script is run after every firewall restart. Add custom rules here.
    # Ensure you use $IPTABLES instead of calling iptables directly if you wish
    # to avoid xtable locking problems.
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -p IPV4 -j DROP
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -p IPV4 -j DROP


    And the output of executing ebtables -L:


    ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 6, policy: ACCEPT
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

  • Accepted Answer

    Wednesday, March 29 2017, 08:57 AM - #Permalink
    Resolved
    0 votes
    Thanks for your answer. I made the echoes to have a clear view of what I'm doing. I edited the file with vi and followed these steps:

    1.- flush all ebtables rules (ebtables -F)
    2.- edit /etc/clearos/firewall.d/local and add a single rule in FORWARD chain

    At this step the output of ebtables -L shows only the single rule I put in the local file

    3.- edit the local file again and add a second rule

    Then ebtables -L shows more than the two rules I added in the local file: the same rules duplicated, as if more than one process read the local file.

    If I repeat the step to add one more rule, the output becomes more complicated.

    regards,

    Miguel
  • Accepted Answer

    Wednesday, March 29 2017, 08:15 AM - #Permalink
    Resolved
    0 votes
    I don't understand what your dump is telling me and it looks like you are echoing the commands into /etc/clearos/firewall.d/local multiple times. Can you open /etc/clearos/firewall.d/local in an editor and see what is in it and post it back here? If you use Windoze, can I suggest you try something like WinSCP and its editor.


    The sort of things I'd expect in the file would be:

    Flush all chains (i.e. clear ebtables)
    add chain 1
    add chain 2
    add chain n
    add rule 1
    add rule 2
    add rule n

    Alternatively you could have a single line calling an external script which does the same.
  • Accepted Answer

    Wednesday, March 29 2017, 07:07 AM - #Permalink
    Resolved
    0 votes
    Hello Nick, I tried to put two rules in /etc/clearos/firewall.d/local and it doesn't work right because it creates duplicated lines in the ebtables list:



    # ebtables -F
    # ebtables -L

    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 0, policy: ACCEPT

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

    # cat /etc/clearos/firewall.d/local
    # This script is run after every firewall restart. Add custom rules here.
    # Ensure you use $IPTABLES instead of calling iptables directly if you wish
    # to avoid xtable locking problems.

    # echo "ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -p IPV4 -j DROP" >> /etc/clearos/firewall.d/local
    # ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 2, policy: ACCEPT
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
    # echo "ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -p IPV4 -j DROP" >> /etc/clearos/firewall.d/local
    # ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 4, policy: ACCEPT
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

    ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 6, policy: ACCEPT
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
    -p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

    cat /etc/clearos/firewall.d/local
    # This script is run after every firewall restart. Add custom rules here.
    # Ensure you use $IPTABLES instead of calling iptables directly if you wish
    # to avoid xtable locking problems.
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -p IPV4 -j DROP
    ebtables -I FORWARD --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -p IPV4 -j DROP




    I will update the system and try again...

    Thank you!

    Miguel.
  • Accepted Answer

    Tuesday, March 28 2017, 12:57 PM - #Permalink
    Resolved
    0 votes
    OK, I think I've not explained how it works. Anything in /etc/clearos/firewall.d/local will be executed each time the firewall reloads. Generally this is used to add iptables rules, but in reality it will execute any command. This makes it a good place to add ebtables rules as if you are adding them from the command line. Remember your first command may be to reset the ebtables rules as it may otherwise duplicate them. Also note there seems to be some sort of service watcher on this file so if it detects a change, the whole firewall will automatically reload.
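    The flush-first structure Nick describes above (and that Miguel's final local file uses) written out as a small POSIX shell script; this is an added example, not ClearOS code or anything from the thread. It assumes the script lives at /usr/local/sbin/ebtables-rules.sh (a made-up path) and that /etc/clearos/firewall.d/local contains the single line "/usr/local/sbin/ebtables-rules.sh apply", as Nick suggests; with no argument it only prints the commands it would run. The ebtables -L sample inside it is constructed to reproduce the duplicate-rule symptom from the thread.

```shell
#!/bin/sh
# Idempotent ebtables loader for a ClearOS bridge (added example, not ClearOS code).
# ClearOS re-runs /etc/clearos/firewall.d/local on every firewall reload, so the
# rule set must flush before it adds, otherwise each reload stacks duplicates.

EBTABLES="${EBTABLES:-/sbin/ebtables}"      # assumed binary path
BLOCKED_SRC="10.230.255.0/24"               # values taken from the thread
BLOCKED_DST="10.70.170.11 10.70.170.12"

# Emit one complete rule set: flush FORWARD first, then one DROP per destination.
render_ebtables_rules() {
    printf '%s -F FORWARD\n' "$EBTABLES"
    for dst in $BLOCKED_DST; do
        printf '%s -A FORWARD -p IPv4 --ip-src %s --ip-dst %s -j DROP\n' \
            "$EBTABLES" "$BLOCKED_SRC" "$dst"
    done
}

# How many DROP rules the set carries; compare with "entries:" in ebtables -L.
expected_rule_count() {
    render_ebtables_rules | grep -c -- ' -A FORWARD '
}

# Read "ebtables -L" output on stdin and print the number of duplicated FORWARD
# entries (0 means the chain is clean). Rule lines start with "-p".
count_duplicate_rules() {
    awk '/^Bridge chain:/ { chain = $3 }
         chain == "FORWARD," && /^-p / { seen[$0]++ }
         END { d = 0; for (r in seen) d += seen[r] - 1; print d }'
}

# Constructed sample of the symptom: the two rules loaded twice without a flush.
SAMPLE_EBTABLES_L='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
-p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
-p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.12 -j DROP
-p IPv4 --ip-src 10.230.255.0/24 --ip-dst 10.70.170.11 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

sample_duplicate_count() {
    printf '%s\n' "$SAMPLE_EBTABLES_L" | count_duplicate_rules
}

# Execute the rendered commands in order; stop at the first failure.
apply_ebtables_rules() {
    render_ebtables_rules | while read -r cmd; do $cmd || return 1; done
}

case "${1:-}" in
    apply) apply_ebtables_rules ;;
    *)     render_ebtables_rules ;;      # dry run: show what would be applied
esac
```

Running the script twice produces the same two rules in ebtables -L because the flush runs before the adds on every invocation.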
  • Accepted Answer

    Tuesday, March 28 2017, 07:40 AM - #Permalink
    Resolved
    0 votes
    Good morning Nick, thanks for your answer.

    The problem is that all traffic passes through the same rule. Look at my "iptables -L INPUT -n -v --line-number" and you can see all packets match line 10:

    iptables -t filter -L -n -v --line-number
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 ACCEPT all -- * * 0.0.0.0/0 10.70.170.11
    2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    3 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x12/0x12 state NEW reject-with tcp-reset
    4 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
    5 0 0 DROP all -- enp4s0 * 127.0.0.0/8 0.0.0.0/0
    6 0 0 DROP all -- enp4s0 * 169.254.0.0/16 0.0.0.0/0
    7 143 17034 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    8 0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    9 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    10 177 24043 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    11 0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 0
    12 0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 3
    13 0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
    14 0 0 ACCEPT icmp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 icmptype 11
    15 0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
    16 0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
    17 0 0 ACCEPT udp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:65535 state RELATED,ESTABLISHED
    18 0 0 ACCEPT tcp -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 state RELATED,ESTABLISHED

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    2 0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    3 0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    4 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    1 143 17034 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
    2 0 0 ACCEPT all -- * pptp+ 0.0.0.0/0 0.0.0.0/0
    3 0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    4 3233 373K ACCEPT all -- * br0 0.0.0.0/0 0.0.0.0/0
    5 0 0 ACCEPT icmp -- * enp4s0 0.0.0.0/0 0.0.0.0/0
    6 0 0 ACCEPT udp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
    7 0 0 ACCEPT tcp -- * enp4s0 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    8 0 0 ACCEPT all -- * enp4s0 0.0.0.0/0 0.0.0.0/0

    Chain DROP-lan (0 references)
    num pkts bytes target prot opt in out source destination
    1 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

    I inserted a new rule in line 1 to force all traffic to host 10.70.170.11 but there aren't any packets passing through this new rule. The only way is to create an ebtables rule.

    Do you have any idea?

    Regards,

    Miguel.
  • Accepted Answer

    Monday, March 27 2017, 04:30 PM - #Permalink
    Resolved
    0 votes
    Hi Miguel,

    Welcome to the site. I am deleting your other post. New forum members have their first couple of posts moderated so they can't see them immediately and double-posting happens.

    I know nothing about ebtables, but if you want rules to fire automatically on every firewall restart, you can put them in /etc/clearos/firewall.d/local. There is no GUI in ClearOS for ebtables.

    Nick