The setup:
- Ubuntu 20.04 box with 5 physical ethernet ports (let's call them eth1 - eth5).
What I'm trying to do:
- Configure eth2-eth5 as a switch, so they can all talk to each other without restriction.
- Configure eth1 as a connection to the outside, allowing (but limiting) what the outside can send to anything connected on eth2 - eth5.
- In particular I want to disallow UDP broadcasts coming in through eth1 from propagating to the other ports, but I'm also thinking I could whitelist ports (e.g. someone connected through eth1 can use UDP/TCP ports 7000-7010 on eth2 - eth5, but nothing else. Eth2-5 can do whatever they want to each other.)
I'm just not sure how to set up the rules that keep 2-5 freely communicating while limiting what comes in from 1, destined for 2-5. I don't even know if I'm trying to use the right tools.
What I have figured out how to do:
- Created a bridge ("br0"). Bridged the ports together. Connected computers can all ping each other. ✅
What I can't figure out:
- How to set up the filters I want. ❌
- ...should eth1 maybe not be on the bridge, and instead have individual forwarding rules for each of the other eth ports? (How do I do that?)
- Filters should (hopefully) not be IP based. i.e. I don't always want to plug in "192.168.1.10" into eth2. I want "whatever is on eth2" to be treated with these rules regardless of IP.
(disclaimer: my level of knowledge on this is about a 2. Out of 100. There's loads of Q&A on iptables to read through but none are quite getting me to where I need, or are so specific that I can't figure out how to apply it to what I'm trying to do)
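A ruleset expressing the filtering described above, as an added example that is not from the original post: it assumes the bridge br0 with member ports eth1 to eth5 (eth1 being the outside port) and uses the nftables bridge family that ships with Ubuntu 20.04, so every match is on the ingress port name rather than on any IP address.

```nftables
#!/usr/sbin/nft -f
# Assumed setup: br0 bridges eth1 (outside) and eth2-eth5 (inside).
# The bridge family's forward hook sees frames as they are switched
# between bridge ports; the host's own traffic is not affected.
add table bridge filter
flush table bridge filter

table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Frames arriving on the inside ports are switched without
        # restriction, including replies going back out through eth1.
        iifname { "eth2", "eth3", "eth4", "eth5" } accept

        # Machines behind eth1 still need ARP to find hosts on eth2-eth5;
        # dropping ARP broadcasts would cut eth1 off entirely.
        iifname "eth1" ether type arp accept

        # Drop UDP broadcasts entering from eth1 before anything else.
        iifname "eth1" meta pkttype broadcast ip protocol udp drop

        # Whitelist: from eth1 only TCP/UDP destination ports 7000-7010.
        iifname "eth1" tcp dport 7000-7010 accept
        iifname "eth1" udp dport 7000-7010 accept

        # Anything else that came in via eth1 is dropped.
        iifname "eth1" drop
    }
}
```

Load it with `sudo nft -f <file>` and check it with `sudo nft list table bridge filter`; since the rules only reference port names, whatever is plugged into eth2 gets the same treatment regardless of its address.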