Basic usage of ebtables

Source: Internet
Author: User
Tags: types of tables
Like iptables, ebtables is a configuration tool for network packet filtering in Linux. "Configuration tool" means that the filtering itself is done in the kernel; both tools only install the filtering rules. ebtables is the firewall of the Ethernet bridge: a bridge works at the data link layer, and ebtables filters frames at that layer.
The 2.6 kernel has ebtables support built in; to use it you must first install the ebtables user-space tool (ebtables-v2.0.6 at the time of writing). After installation you can filter bridged frames. This article sets up ebtables rules as follows:
1: all frames pass by default (the chain policy is ACCEPT)
2: rules match on source address, destination address, source port and destination port
3: TCP and UDP packets are filtered by separate rules
ebtables mainly controls the data link layer. In the kernel its hook points sit earlier on the packet path than those of iptables, so it sees the frame in a rawer form, with the Ethernet header still attached. ebtables is used when the host acts as a bridge, for example to filter on the 802.1Q VLAN id.
ebtables is to the Ethernet bridge what iptables is to IP routing. iptables does not see bridged traffic (unless the br_netfilter module is loaded with net.bridge.bridge-nf-call-iptables enabled, which additionally passes bridged IP frames through the iptables hooks), whereas ebtables does. ebtables is not a substitute for an Internet (layer 3) firewall: it has no connection tracking, for example.

I. Filtering points
To understand where ebtables filters, first look at the path a frame takes through the kernel after it enters the network card, shown in the packet flow diagram (the diagram is missing from this copy):

The diagram shows that a packet entering and leaving the system passes through the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING stages. Each stage contains several hook points, and each hook point is a place where filtering can happen: when a packet reaches a hook, the kernel runs it through the rules of the chain attached to that hook. The diagram also shows that, at every stage, the ebtables hook runs before the corresponding iptables hook.
II. ebtables configuration
The configuration of ebtables has three levels: table, chain and rule.
1. table
Tables are built in and fixed. There are three: filter, nat and broute, selected with the -t option. filter is the most commonly used and is the default when -t is omitted. nat is used for MAC address translation (its targets are snat, dnat and redirect). broute decides, in its single BROUTING chain, whether a frame is bridged or routed: a DROP target there means "route this frame" (hand it to the IP stack), not "discard it".
2. chain
Chains are of two kinds: built-in and user-defined. Each table has its own built-in chains (filter: INPUT, FORWARD, OUTPUT; nat: PREROUTING, OUTPUT, POSTROUTING; broute: BROUTING), which correspond to the hook points in the packet flow diagram. A user-defined chain hangs off a built-in chain: a rule in the built-in chain uses -j to jump to it.
3. rules
Each chain holds an ordered list of rules, and each rule defines some match options and a target. A frame is compared against the rules in order; the first rule whose matches all succeed decides, and its target is executed.
The target is the filtering action. There are four basic ones: ACCEPT, DROP, RETURN and CONTINUE. ACCEPT and DROP are the common ones. RETURN leaves a user-defined chain and resumes in the chain that jumped to it; CONTINUE goes on to the next rule, which is useful for counting frames with --Lc without otherwise affecting them.
The ebtables command line has this shape:
ebtables [-t table] -[ADI] chain rule-specification [match-extensions] [watcher-extensions]
-t table: the table to operate on; filter when omitted. For bridged traffic the chain is generally FORWARD.
-A / -D / -I: -A appends the rule to the end of the chain; -D deletes a rule (give its full rule specification or its rule number); -I inserts a rule at the given rule number (at the top of the chain if no number is given).
-P chain policy: set the default policy of a chain, i.e. what happens to a frame that matches no rule: ACCEPT, DROP or RETURN.
-F [chain]: flush the rules of the chain, or of every chain in the table if no chain is given.
-L [chain]: list the rules. Extra flags: --Lc also shows the packet and byte counters, --Ln the rule numbers.
-p protocol: the Ethernet frame type, e.g. IPv4 or ARP; names come from /etc/ethertypes. Optional in general, but -p IPv4 is required before any of the --ip-* matches below.
--ip-proto: the IP protocol, by number or name: 1 is ICMP, 6 is TCP, 17 is UDP; see /etc/protocols.
--ip-src: source IP address
--ip-dst: destination IP address
--ip-sport: source port (only together with --ip-proto tcp or udp)
--ip-dport: destination port (likewise)
-i: the interface (bridge port) the frame enters on
-o: the interface the frame leaves on
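The options above combined into a complete, staged ruleset. This is an added example written for this page, not code from the original article: the interface names eth0 and eth1, the protected host 192.0.2.10, the ports and the MAC address are assumed placeholders, and the chain name BRIDGE_DROP is this example's choice. Leaving EBTABLES unset prints the commands instead of running them, which is how the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not part of the original article: stage a filter-table
# ruleset for a two-port bridge (eth0 = uplink side, eth1 = host side) using
# only the options listed above. Interface names, the protected host
# 192.0.2.10, the ports and the MAC address are assumed placeholders.
#
# With EBTABLES unset, every command is printed instead of executed, so the
# ruleset can be reviewed on any machine. Run as root with EBTABLES=ebtables
# to apply it for real.
EBTABLES="${EBTABLES:-echo ebtables}"

# ebt_block_l4 IFACE PROTO DST_IP DPORT
# Emit one rule that drops bridged IPv4 frames of protocol PROTO (tcp|udp)
# arriving on bridge port IFACE and addressed to DST_IP:DPORT. The rule goes
# into the user-defined chain BRIDGE_DROP created by build_ruleset.
# '-p IPv4' must precede every --ip-* match, and --ip-dport is only valid
# with --ip-proto tcp or udp, so both are checked before anything is emitted.
ebt_block_l4() {
    bl_iface=$1 bl_proto=$2 bl_dst=$3 bl_dport=$4
    case $bl_proto in
        tcp|udp) ;;
        *) echo "ebt_block_l4: --ip-dport needs tcp or udp, got '$bl_proto'" >&2
           return 1 ;;
    esac
    case $bl_dport in
        ''|*[!0-9]*) echo "ebt_block_l4: port must be numeric, got '$bl_dport'" >&2
                     return 1 ;;
    esac
    if [ "$bl_dport" -lt 1 ] || [ "$bl_dport" -gt 65535 ]; then
        echo "ebt_block_l4: port out of range: $bl_dport" >&2
        return 1
    fi
    $EBTABLES -A BRIDGE_DROP -p IPv4 -i "$bl_iface" --ip-proto "$bl_proto" \
        --ip-dst "$bl_dst" --ip-dport "$bl_dport" -j DROP
}

# ebt_block_mac IFACE SRC_MAC
# -s and -d match MAC addresses, not IP addresses: drop every frame that
# enters bridge port IFACE with source MAC SRC_MAC. No '-p' is needed because
# the match is on the Ethernet header itself.
ebt_block_mac() {
    $EBTABLES -A BRIDGE_DROP -i "$1" -s "$2" -j DROP
}

# build_ruleset
# Order matters: flush first, then (re)create the user chain, then point
# FORWARD at it, then add rules. The built-in chains keep policy ACCEPT so
# that everything not explicitly matched keeps flowing (rule 1 in the
# introduction); BRIDGE_DROP gets policy RETURN so unmatched frames go back
# to FORWARD instead of being accepted inside the user chain.
build_ruleset() {
    $EBTABLES -F                                   # flush every chain of the filter table
    $EBTABLES -P INPUT ACCEPT
    $EBTABLES -P FORWARD ACCEPT
    $EBTABLES -P OUTPUT ACCEPT
    $EBTABLES -X BRIDGE_DROP 2>/dev/null || true   # remove a stale copy of the chain, if any
    $EBTABLES -N BRIDGE_DROP
    $EBTABLES -P BRIDGE_DROP RETURN
    $EBTABLES -A FORWARD -j BRIDGE_DROP
    ebt_block_l4 eth0 tcp 192.0.2.10 22            # no SSH to the host from the uplink side
    ebt_block_l4 eth0 udp 192.0.2.10 161           # no SNMP either
    ebt_block_mac eth1 02:00:00:00:00:01           # constructed example of a MAC to shut out
}

build_ruleset
```

The generated rules place -p IPv4 before the --ip-* matches because ebtables rejects the rule otherwise; the same ordering applies when typing the commands by hand.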
III. basic ebtables commands
With the introduction above, a few basic commands are enough to get started.
1. list:
ebtables -L
ebtables -L --Lc (additionally shows how many frames and bytes each rule has matched)
2. create/delete a user-defined chain:
ebtables -N chain
ebtables -X chain
3. create a rule:
ebtables -A chain [rules] -j target
[rules] can include:
-s source MAC, -d destination MAC, -i inbound interface, -o outbound interface (note that -s and -d match MAC addresses; IP addresses are matched with --ip-src and --ip-dst)
Command examples:
ebtables -P FORWARD ACCEPT
ebtables -P INPUT ACCEPT
ebtables -P OUTPUT ACCEPT
ebtables -F
ebtables -A FORWARD -p IPv4 -i eth0 --ip-proto 6 --ip-dst <destination IP> --ip-dport <destination port> -j DROP
ebtables -A FORWARD -p IPv4 -i eth0 --ip-proto 17 --ip-src <source IP> --ip-sport <source port> -j DROP
In the last two rules use --ip-proto 6 for TCP or 17 for UDP, and -i eth0 or -i eth1 depending on which bridge port the traffic enters on; -p IPv4 must precede the --ip-* matches.
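Once rules are loaded, the counters from ebtables -L --Lc tell you whether a rule is actually matching frames. The following added example (not from the original article) filters that listing down to the rules that have fired. The listing embedded in it is constructed sample output in the format of ebtables 2.0.x with --Lc --Lmac2 (--Lmac2 prints MAC addresses at full length); on a live host pipe the real listing in instead.

```shell
#!/bin/sh
# Added example, not part of the original article: turn 'ebtables -L --Lc'
# output into a short list of the rules that have actually matched frames.
# The counters are the quickest way to check that a DROP rule is seeing the
# traffic you think it is (or that a rule you believed idle is not).
#
# Constructed sample output, in the format printed by ebtables 2.0.x with
# '--Lc --Lmac2' (each rule ends in ', pcnt = N -- bcnt = M'). Replace it
# with live output:  ebtables -L --Lc --Lmac2 | ebt_fired_rules
SAMPLE_LC='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-j BRIDGE_DROP , pcnt = 4123 -- bcnt = 318907

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: BRIDGE_DROP, entries: 3, policy: RETURN
-p IPv4 -i eth0 --ip-proto tcp --ip-dst 192.0.2.10 --ip-dport 22 -j DROP , pcnt = 12 -- bcnt = 768
-p IPv4 -i eth0 --ip-proto udp --ip-dst 192.0.2.10 --ip-dport 161 -j DROP , pcnt = 0 -- bcnt = 0
-i eth1 -s 02:00:00:00:00:01 -j DROP , pcnt = 3 -- bcnt = 180'

# ebt_fired_rules [MIN]
# Read '-L --Lc' output on stdin and print, for every rule whose packet
# counter is at least MIN (default 1), one line "CHAIN<TAB>PCNT<TAB>RULE".
# Chain headers ("Bridge chain: NAME, ...") supply the chain name; rule
# lines are recognised by their counter suffix, so blank lines and the
# table header are ignored.
ebt_fired_rules() {
    awk -v min="${1:-1}" '
        /^Bridge chain: / {
            chain = $3; sub(/,$/, "", chain); next
        }
        / , pcnt = [0-9]+ -- bcnt = [0-9]+$/ {
            split($0, parts, / , pcnt = /)          # parts[1] = rule text
            split(parts[2], cnt, / -- bcnt = /)      # cnt[1] = pcnt, cnt[2] = bcnt
            if (cnt[1] + 0 >= min + 0)
                printf "%s\t%s\t%s\n", chain, cnt[1], parts[1]
        }
    '
}

# ebt_fired_count [MIN]
# Same input; print only how many rules have matched at least MIN frames.
ebt_fired_count() {
    ebt_fired_rules "${1:-1}" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LC" | ebt_fired_rules
```

On the sample, the udp rule for port 161 is dropped from the report because its counter is still zero, while the jump rule in FORWARD shows how many frames entered the user chain at all.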
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.