Questions

  1. Intro
  2. Installation
  3. Usage
  4. Other

Answers

  1. Intro
    What is ebtables?
    The ebtables project is the Link Layer firewalling subsystem for Linux 2.4.x. It gives Linux the ability to filter Ethernet frames, to do all kinds of frame NAT (Network Address Translation) and to match on frame contents. ebtables is not part of the stock 2.4.x kernels; it has been merged into the kernel as of 2.5.40.
    Why would I use it?
    Most likely to filter frames by MAC address or frame type at the Link Layer inside your Linux-based Ethernet bridge, where iptables alone does not see bridged frames.
  2. Installation
    What should I know before installing ebtables?
    First check which kernel version will be used with ebtables. If the kernel is newer than 2.5.39, the kernel sources need no patching with the ebtables_kernel and br-nf-bds patches, because both are already merged. Otherwise, go to the Ethernet bridge tables project page and download the br_nf_bds, ebtables_kernel and ebtables packages.
    What is the "ebtables_kernel" package and why should I use it?
    The ebtables_kernel package contains a patch against the Linux kernel. It adds filtering at the Link Layer (OSI Layer 2). Note that iptables works at the Network Layer (OSI Layer 3) and above; for a bridging firewall it is important to be able to filter at the Link Layer as well. Copy the patch file into the kernel source tree (usually /usr/src/linux or /usr/src/linux-2.X.YY), change into that directory and execute
    # cp ebtables-v2.0.003_vs_2.4.20.diff.gz /usr/src/linux
    # cd /usr/src/linux
    # gunzip ebtables-v2.0.003_vs_2.4.20.diff.gz
    # patch -p1 < ebtables-v2.0.003_vs_2.4.20.diff
    
    What is the "br-nf-bds" package and why should I use it?
    The br-nf-bds package contains a patch against a Linux kernel that has already been patched with the ebtables_kernel patch (apply the two in that order). It adds the ability to use iptables on a bridge, so that a bridging firewall can also filter on IP headers. A big part of this patch was written by Lennert Buytenhek. The bridge-nf code is compiled into the patched kernel automatically when both bridge and netfilter support are enabled.
    # cp bridge-nf-0.0.10-against-2.4.20.diff.gz /usr/src/linux
    # cd /usr/src/linux
    # gunzip bridge-nf-0.0.10-against-2.4.20.diff.gz
    # patch -p1 < bridge-nf-0.0.10-against-2.4.20.diff
    
    What is the "ebtables" package and why should I use it?
    The ebtables package contains the ebtables userspace tool. This ebtables binary is what you use to write the filtering rules for the Linux-based Ethernet bridge; the rules are applied to bridged frames at the Link Layer. ebtables usage is very similar to iptables, so it should not be hard to pick up, and a man page is supplied. Just gunzip and untar the package, read the INSTALL file and build it:
    # make
    
    Then either copy the ebtables binary into the superuser binaries directory (e.g. /usr/sbin) manually or run
    # make install
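The three installation answers above are steps of one procedure. The script below is that procedure in one piece, added here as an example; it is not from the FAQ or the ebtables project. It does the kernel version check first, as the first answer advises, and patches only a tree that still needs it. The /usr/src/linux path, the patch and tarball file names used as defaults, the INSTALL_APPLY guard and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the FAQ or the ebtables project): the installation
# steps of the FAQ as one script, with the kernel version check done first so
# that a kernel already carrying ebtables (>= 2.5.40) is left unpatched.
# Assumed, not taken from the FAQ: the source tree path and the patch and
# tarball file names used as defaults. Nothing is touched unless INSTALL_APPLY=1.
set -e

KSRC="${KSRC:-/usr/src/linux}"
EBT_PATCH="${EBT_PATCH:-ebtables-v2.0.003_vs_2.4.20.diff.gz}"
BRNF_PATCH="${BRNF_PATCH:-bridge-nf-0.0.10-against-2.4.20.diff.gz}"
EBT_SRC="${EBT_SRC:-ebtables-v2.0.003}"      # unpacked userspace source

# Read VERSION/PATCHLEVEL/SUBLEVEL from the top-level kernel Makefile
# ("VERSION = 2" style, as 2.4 and 2.5 kernels write them).
kernel_src_version() {
    awk '/^VERSION *=/ {v=$3} /^PATCHLEVEL *=/ {p=$3} /^SUBLEVEL *=/ {s=$3}
         END {printf "%s.%s.%s\n", v, p, s}' "$1/Makefile"
}

# True (exit 0) when the given kernel version is below 2.5.40, i.e. when the
# ebtables_kernel and br-nf-bds patches are still required. The three fields
# are compared numerically: a string compare would put 2.4.9 after 2.4.20.
needs_kernel_patch() {
    v="${1%%-*}"                      # drop "-rc1", "-ac3" and similar
    maj="${v%%.*}"; rest="${v#*.}"
    min="${rest%%.*}"; pat="${rest#*.}"
    [ "$pat" = "$rest" ] && pat=0     # "2.4" without a patch level
    pat="${pat%%[!0-9]*}"; pat="${pat:-0}"
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 5 ] && return 0
    [ "$min" -gt 5 ] && return 1
    [ "$pat" -lt 40 ]
}

# Copy one gzipped patch into the tree and apply it from there, as the FAQ
# does by hand. The dry run comes first: a patch that does not apply cleanly
# must not be left half-applied in the source tree.
apply_patch() {
    plain="${1##*/}"; plain="${plain%.gz}"
    cp "$1" "$KSRC/"
    ( cd "$KSRC" \
      && gunzip -f "$plain.gz" \
      && patch -p1 --dry-run < "$plain" > /dev/null \
      && patch -p1 < "$plain" )
}

main() {
    kver="$(kernel_src_version "$KSRC")"
    if needs_kernel_patch "$kver"; then
        echo "kernel $kver: applying ebtables_kernel, then br-nf-bds"
        apply_patch "$EBT_PATCH"      # order matters: br-nf-bds expects a
        apply_patch "$BRNF_PATCH"     # tree already carrying the ebtables patch
    else
        echo "kernel $kver: ebtables already merged, no kernel patch needed"
    fi
    # userspace tool: build, then install into the superuser binaries directory
    ( cd "$EBT_SRC" && make && make install )
}

if [ "${INSTALL_APPLY:-0}" = "1" ]; then
    main
else
    echo "dry run: set INSTALL_APPLY=1 (as root) to patch and install"
fi
```

Run it with INSTALL_APPLY=1 as root from the directory holding the downloaded packages; without that variable it only reports. The --dry-run before each real patch is the check worth keeping: a patch that fails halfway leaves a tree that neither the patched nor the unpatched version describes, and that is easy to miss until the kernel build breaks.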
    
  3. Usage
    Can I drop ARP packets on a Linux bridge box using ebtables?
    Yes. ARP frames can be filtered with ebtables on a Linux bridge just like any other Ethernet frame type: match them with -p ARP (and, with the arp match extension, on the ARP opcode or on the addresses carried in the ARP payload). Depending on the rule target, the frame can be dropped, accepted, passed on to the next rule, and so on.
    See the ebtables manual page for details.
    Can I use ebtables together with iptables? Are there any problems in using them together?
    Yes, ebtables and iptables can be used together (on a 2.4 kernel this needs the br-nf-bds patch). The details of the ebtables/iptables interaction are explained on the page "ebtables/iptables interaction on a Linux-based bridge".
    Can ebtables do frame accounting on my bridge?
    Yes. Per-rule frame and byte counters for bridged traffic are shown with
    # ebtables -L --Lc
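As an added example (not from the FAQ or the ebtables project) that ties the ARP and accounting answers together, the script below pins the gateway's IP address to its MAC address in ARP traffic crossing the bridge: ARP frames that claim that IP from another MAC are dropped, and an explicit ACCEPT rule for the rest of ARP gives ebtables -L --Lc a per-rule count of it. The gateway IP and MAC, the EBTABLES_APPLY guard and the function names are assumptions, and the arp match extension (--arp-ip-src, --arp-mac-src) must be built.

```shell
#!/bin/sh
# Added example (not from the FAQ or the ebtables project): drop ARP frames on
# the bridge that claim the gateway's IP address from any MAC other than the
# gateway's, and keep a counted ACCEPT rule for all other ARP so that
# "ebtables -L --Lc" shows how much ARP the bridge forwards.
# Assumed values, not from the FAQ: gateway 192.168.1.1 at 00:11:22:33:44:55.
# Needs the arp match extension compiled in, and root to apply.

GW_IP="${GW_IP:-192.168.1.1}"
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"

# Emit the rule set, one ebtables command per line. Keeping "what the rules
# are" apart from "run them" lets the set be reviewed or tested without root.
#   rule 1: Ethernet source MAC is not the gateway's while the ARP sender IP is
#   rule 2: the sender MAC inside the ARP payload is not the gateway's; this is
#           the field hosts write into their ARP caches, so a spoofer can leave
#           the frame header honest and forge only the payload
#   rule 3: explicit ACCEPT so the remaining ARP gets its own counter
arp_guard_rules() {
    gw_ip="$1"; gw_mac="$2"
    cat <<EOF
ebtables -F FORWARD
ebtables -P FORWARD ACCEPT
ebtables -A FORWARD -p ARP --arp-ip-src $gw_ip -s ! $gw_mac -j DROP
ebtables -A FORWARD -p ARP --arp-ip-src $gw_ip --arp-mac-src ! $gw_mac -j DROP
ebtables -A FORWARD -p ARP -j ACCEPT
EOF
}

# Number of rules appended by the set; a sanity check after loading, to be
# compared with the rule count "ebtables -L FORWARD" reports.
arp_guard_rule_count() {
    arp_guard_rules "$1" "$2" | grep -c '^ebtables -A '
}

if [ "${EBTABLES_APPLY:-0}" = "1" ]; then
    arp_guard_rules "$GW_IP" "$GW_MAC" | sh -e   # run each line, stop on the first failure
    ebtables -L FORWARD --Lc                    # per-rule frame and byte counters
else
    arp_guard_rules "$GW_IP" "$GW_MAC"          # review only
fi
```

Without EBTABLES_APPLY=1 the script only prints the rules for review; with it, as root, it loads them and lists the counters. Only the sender side of ARP is pinned on purpose: a rule on --arp-ip-dst for the gateway would also match every legitimate broadcast request for it.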
    

  4. Other
    I'm not a Linux system programmer, but I need a feature which is not (yet) implemented in ebtables. What should I do?
    Contact the ebtables developers directly by email, or subscribe to the ebtables users mailing list. Then post a short and clear description of the feature you want to the list.
    I'm a Linux system programmer and I can implement any ebtables feature myself. Where should I begin in that case?
    Subscribe to the ebtables developers mailing list. Read the "Ebtables Hacking HOWTO". Create an account at SourceForge.net (if you do not have one yet) and inform the Project Admin of your intention to join the ebtables developers and to implement a new ebtables feature. After that you should be able to work with the ebtables source code, which is kept in the SourceForge CVS repository. Now you can implement your ebtables feature or anything else (drink a cup of coffee, for example ;).
