New Media has a number of development servers located in-house where we get stuff done before releasing it out into the wild. Until last week these were protected by an aging OpenBSD firewall running packet filter, and all was well until midweek when the motherboard failed. Not having a spare on hand, I was scrambling for a solution.

[Photo: Linksys wireless router]

Being familiar with the dd-wrt project, I was pretty sure I could build a firewall out of a Linksys router. We went with the WRT54GL, currently as cheap as $50 on Amazon. (We bought local so we'd have it sooner, and it was a bit more.)

The first step after flashing the firmware with the latest dd-wrt build (v24-sp2) was to take off the antennas and turn off the radio. The last thing I want for the firewall is to be broadcasting an SSID and allowing wireless associations. This actually requires a startup script on the router, with a line to remove the wireless module so it won't try to re-enable itself:

wl radio off

Next I needed to bridge the WAN port with the LAN ports, which ended up being a struggle until I found the easy options in the dd-wrt GUI. First, set the LAN to use a static IP and make sure you can connect via another machine to configure it. You'll also need to enable SSH access and remote configuration – but be sure to lock this down once the firewall is running! Once you have the LAN configured, set the WAN connection type to "Disabled". This gives you a checkbox to bridge the LAN and WAN: "Assign WAN port to switch". Lastly, under Advanced Routing set the Operating Mode to "Router" so it stops trying to do NAT. Apply these settings, and you'll basically have an expensive dumb switch – all traffic shows up on every port, and there's no logic at all. We're halfway there.

Being unfamiliar with iptables (we use OpenBSD and pf for firewalls around here), I was under the impression that iptables rules would work in a bridging environment. This is not the case: bridged packets don't reach iptables at all! (A bridge switches frames at layer 2, below the IP stack; they only traverse the iptables FORWARD chain when the kernel's bridge-netfilter hook, bridge-nf-call-iptables, is built in and turned on. The filter that sees every bridged frame regardless is ebtables.) The best I could do was block everything (manual restart needed), or otherwise blow up the configuration (manual restart needed) as I tried to mess with the bridge. This was an incredibly frustrating learning curve, as everything I could find made it sound like this was the way to configure a firewall in Linux, but it just wasn't working.
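The GUI steps above (radio off, WAN port bridged into the LAN switch, NAT off) can also be done from a startup script, and the script is a good place to test for the iptables-in-a-bridge trap before loading rules that would silently never fire. The following is an added example, not code from the original post or from dd-wrt. It assumes the usual WRT54GL naming under dd-wrt (br0 for the LAN bridge, vlan1 for the WAN port, wl for the Broadcom driver and its control utility) and that the build carries the bridge-netfilter hook at /proc/sys/net/bridge/bridge-nf-call-iptables; confirm both on the unit with brctl show and ifconfig before using it. Invoke it as `script startup` on the router; without the argument it only defines the functions, so the bridge-nf check can be exercised offline against an ordinary file.

```shell
#!/bin/sh
# Added example, not from the original post or dd-wrt: a startup script that
# does what the GUI steps do (radio off, WAN port bridged into the LAN switch,
# no NAT) and, before loading any iptables rules, checks whether the kernel
# will hand bridged frames to iptables at all.
#
# Assumptions to confirm on the unit with `brctl show` and `ifconfig`:
#   br0   - the LAN bridge dd-wrt creates
#   vlan1 - the WAN port; vlan0 - the four switch ports (WRT54GL convention)
#   wl    - the Broadcom wireless driver module and its control utility
# The ACCEPT rules in load_filter_rules are placeholders for a real policy.

BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Exit 0 when the bridge-netfilter hook is on, i.e. frames the bridge merely
# switches still traverse the iptables FORWARD chain. $1 overrides the proc
# path so the check can be exercised against an ordinary file.
bridge_nf_enabled() {
    f="${1:-$BRIDGE_NF}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Turn the hook on; succeeds only if this kernel exposes it (assumption: the
# dd-wrt build carries the bridge-netfilter code; not every build does).
enable_bridge_nf() {
    f="${1:-$BRIDGE_NF}"
    [ -w "$f" ] && echo 1 > "$f" && bridge_nf_enabled "$f"
}

# Which tool will actually see bridged traffic on this box.
#   iptables - hook on: FORWARD chain, bridge port selected with -m physdev
#   ebtables - hook off or absent: only a layer-2 filter sees the frames
filter_layer() {
    if bridge_nf_enabled "$1"; then echo iptables; else echo ebtables; fi
}

disable_radio() {
    wl radio off           # stop broadcasting an SSID / accepting associations
    rmmod wl 2>/dev/null   # unload the driver so nothing turns it back on
}

bridge_wan_into_lan() {
    # manual equivalent of the "Assign WAN port to switch" checkbox
    ifconfig vlan1 0.0.0.0 up
    brctl addif br0 vlan1
    iptables -t nat -F     # Router mode: no masquerading on a transparent bridge
}

load_filter_rules() {
    case "$(filter_layer)" in
    iptables)
        iptables -P FORWARD DROP
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # anything originating on the LAN side of the bridge
        # (old-style negation as in dd-wrt's iptables; newer: ! --physdev-in)
        iptables -A FORWARD -m physdev --physdev-in ! vlan1 -j ACCEPT
        # inbound on the WAN port: only what is explicitly allowed
        iptables -A FORWARD -m physdev --physdev-in vlan1 -p tcp --dport 80 -j ACCEPT
        ;;
    ebtables)
        # iptables rules loaded here would never fire, which is exactly the
        # trap described above, so refuse rather than pretend to filter.
        echo "bridge-nf unavailable: iptables will not see bridged frames;" \
             "filter at layer 2 with ebtables instead" >&2
        return 1
        ;;
    esac
}

# Only act when explicitly asked; otherwise just define the functions.
case "${1-}" in
startup)
    disable_radio
    bridge_wan_into_lan
    enable_bridge_nf
    load_filter_rules
    ;;
esac
```

The point of filter_layer is to make the failure loud: if the hook is missing, the script says so instead of leaving the box as the "expensive dumb switch" with a set of rules that look right and do nothing.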