I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... The ebtables ruleset isn't working. This is what I have so far. When I set the default policy to allow, everything gets through; when deny, nothing gets through.

Here is the net setup:

squid/sshserver --> eth1 [firewall] eth0 ---> Internet

What is supposed to be allowed:

ssh server (port 22 TCP) <-- eth1 [firewall] eth0 <--- Internet
ssh/squidserver --> eth1 [firewall] eth0 --> Internet (ports 80 and 443 TCP)

What is supposed to be disallowed:

(spoofed ip w/o proper squidserver mac address going out)
(anything else coming in)
(probably anything else going out as well (maybe allow dns, dhcp))

This blocks EVERYTHING. It COMPLETELY IGNORES THE RULESET (the only thing it doesn't ignore is the policy).

Code:
ebtables -F FORWARD
ebtables -P FORWARD DROP
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.21 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.21 -j ACCEPT
ebtables -A FORWARD -p ip --ip-src 192.168.0.21 -s ! 00:08:0D:54:13:C9 -j DROP
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 443 -j ACCEPT

Why doesn't this work? Isn't it supposed to consider the exception rules? (I'm testing by trying to SSH to the box, and trying to go to the IP of a webserver across the bridge from the box)
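Every rule in the post matches `-p ip`, so with a DROP policy the ARP requests and replies that hosts on both sides need are never accepted and the bridge passes nothing, which is exactly the "ignores the ruleset" symptom. The script below is an added example, not the poster's ruleset: it keeps the addresses and interfaces from the post, accepts ARP explicitly, and moves the MAC/IP anti-spoofing DROP ahead of the ACCEPT rules so a spoofed frame cannot slip through an earlier port-22 match. It assumes eth0 faces the Internet, eth1 faces the server, and that `apply` is run as root on the bridge host.

```shell
#!/bin/sh
# Added example: revised ebtables FORWARD chain for the bridge described in the post.
# Assumed layout (from the post): server 192.168.0.21 / 00:08:0D:54:13:C9 on eth1, Internet on eth0.
SRV_IP=192.168.0.21
SRV_MAC=00:08:0D:54:13:C9
WAN=eth0
LAN=eth1

# Emit the rule list, one command per line, so it can be reviewed before it is applied.
build_rules() {
    cat <<EOF
ebtables -F FORWARD
ebtables -P FORWARD DROP
# ARP is its own ethertype, not IP: without this ACCEPT no neighbour is ever resolved.
ebtables -A FORWARD -p arp -j ACCEPT
# Anti-spoofing comes first: the server's IP may only appear behind the server's MAC.
ebtables -A FORWARD -p ip --ip-source $SRV_IP -s ! $SRV_MAC -j DROP
# Inbound SSH to the server and the server's replies.
ebtables -A FORWARD -i $WAN -o $LAN -p ip --ip-destination $SRV_IP --ip-proto tcp --ip-destination-port 22 -j ACCEPT
ebtables -A FORWARD -i $LAN -o $WAN -p ip --ip-source $SRV_IP --ip-proto tcp --ip-source-port 22 -j ACCEPT
# Outbound HTTP/HTTPS from the server and the replies back to it.
ebtables -A FORWARD -i $LAN -o $WAN -p ip --ip-source $SRV_IP --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i $WAN -o $LAN -p ip --ip-destination $SRV_IP --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i $LAN -o $WAN -p ip --ip-source $SRV_IP --ip-proto tcp --ip-destination-port 443 -j ACCEPT
ebtables -A FORWARD -i $WAN -o $LAN -p ip --ip-destination $SRV_IP --ip-proto tcp --ip-source-port 443 -j ACCEPT
EOF
}

# Number of ACCEPT rules in the generated chain (ARP + 2 SSH + 4 HTTP/HTTPS).
count_accepts() {
    build_rules | grep -c -- '-j ACCEPT'
}

# Line number of the first -j DROP rule and of the first IP ACCEPT rule; the DROP must come first.
first_drop_line() {
    build_rules | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1
}
first_ip_accept_line() {
    build_rules | grep -n -- '-p ip .*-j ACCEPT' | head -n 1 | cut -d: -f1
}

# Apply the chain on the bridge host; refuses to run unprivileged.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
    build_rules | sh -e
}

case "${1:-print}" in
    print) build_rules ;;
    apply) apply_rules ;;
esac
```

Run `sh bridge-fw.sh` to review the generated commands and `sh bridge-fw.sh apply` as root to load them; ICMP is not accepted by any rule, so the policy still drops it as in the original.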