
Summary:

Given a Linux system (Ubuntu 16.04) with 3 physical ethernet interfaces:

  • eth0: WAN
  • eth1: EAPoL authenticator
  • eth2: Client LAN

I am attempting to configure this:

  • Bridge br0: eth0<->eth1
  • ebtables rules to only forward EAPoL traffic
  • IP NAT the remaining traffic br0<->eth2 (everything except the ethernet frames which are type EAPoL)
  • The eth0 port would use a spoofed MAC (matching the EAPoL authenticator)

The desired end result here is that client computers connected to eth2 could connect to the WAN. The WAN requires 802.1x authentication, which would be bridged to the EAPoL authenticator device attached to eth1.

I was inspired initially by this post, but had trouble getting his configuration working:

https://www.dslreports.com/forum/r30708210-AT-T-Residential-Gateway-Bypass-True-bridge-mode

Questions:

1.) The bridge configuration seems to work: a tcpdump will show me the EAPoL traffic on eth1. However, I am having trouble getting the VLAN to get DHCP info; using dhclient just hangs. I am not sure I understand the purpose of the VLAN here. If I spoof the MAC of eth0, is this part even necessary?

2.) It's not clear to me how I would NAT the remaining traffic (everything that isn't EAPoL) between eth0<->eth2. Would I just define an iptables NAT between the interfaces themselves, like this:

    # masquerade everything leaving towards the WAN
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # allow forwarding from the client LAN
    iptables -A FORWARD -i eth2 -j ACCEPT
    # accept local traffic from the client LAN (-I takes a rule position; -A does not)
    iptables -I INPUT 1 -i eth2 -j ACCEPT

The problem I'm running into is that I can configure either one or the other, not both. I can either have the system bridging EAPoL between eth0<->eth1 OR I can IP NAT between eth0<->eth2, but I'm not able to configure both working together. Any suggestions or advice?

Thank you

Edits:

ebtables configuration to filter ethernet frames for EAPoL traffic:

    # frames entering from the authenticator: pass 802.1Q-tagged EAPoL (encapsulated type 0x888e), drop other tagged frames
    ebtables -t filter -A FORWARD -i eth1 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -i eth1 -p 802_1Q -j DROP
    # frames leaving towards the authenticator: same filter in the other direction
    ebtables -t filter -A FORWARD -o eth1 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -o eth1 -p 802_1Q -j DROP
RandomUser
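The ebtables rules in the question classify frames by their outer ethertype (802.1Q, 0x8100) and the ethertype encapsulated behind the VLAN tag (EAPoL, 0x888e). The following added example, which is not part of the original post, models that classification in plain Python over constructed Ethernet frames so the rule semantics can be checked offline: `parse_frame` unwraps one 802.1Q tag, `ebtables_forward_verdict` applies the four FORWARD rules as written, and `is_eapol` goes one step beyond the post by recognising EAPoL whether or not it is VLAN-tagged. The MAC addresses, payload bytes and the `SAMPLES` table are constructed for illustration.

```python
import struct
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag (ebtables: -p 802_1Q)
ETH_P_EAPOL = 0x888E   # EAPoL / 802.1X (ebtables: --vlan-encap 0x888e)
ETH_P_IPV4 = 0x0800
PAE_GROUP_MAC = "01:80:c2:00:00:03"   # destination used by EAPoL frames

def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Construct an Ethernet frame, optionally wrapped in one 802.1Q tag."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        # TPID 0x8100, TCI (priority 0, VLAN id), then the encapsulated ethertype
        hdr += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload

def parse_frame(frame: bytes) -> dict:
    """Parse dst/src/ethertype and unwrap a single 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, inner_type, offset = None, ethertype, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "vlan": vlan, "inner_type": inner_type, "payload": frame[offset:]}

def ebtables_forward_verdict(frame: bytes, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Apply the FORWARD rules from the question to one frame.

    Rule 1: -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    Rule 2: -p 802_1Q -j DROP
    Both rules match only 802.1Q-tagged frames, so an untagged frame (EAPoL
    or otherwise) matches nothing and receives the chain policy instead.
    Returns (verdict, matched rule number or None for policy fall-through).
    """
    info = parse_frame(frame)
    if info["ethertype"] != ETH_P_8021Q:
        return policy, None
    if info["inner_type"] == ETH_P_EAPOL:
        return "ACCEPT", 1
    return "DROP", 2

def is_eapol(frame: bytes) -> bool:
    """True for EAPoL whether untagged or carried inside an 802.1Q tag."""
    return parse_frame(frame)["inner_type"] == ETH_P_EAPOL

# Constructed sample frames: an EAPOL-Start (version 1, type 1, length 0)
# and a placeholder IPv4 payload, each tagged (VLAN 0) and untagged.
EAPOL_START = b"\x01\x01\x00\x00"
FAKE_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16
CLIENT_MAC = "02:00:00:00:00:01"
SAMPLES = {
    "tagged_eapol": build_frame(PAE_GROUP_MAC, CLIENT_MAC, ETH_P_EAPOL, EAPOL_START, vlan=0),
    "untagged_eapol": build_frame(PAE_GROUP_MAC, CLIENT_MAC, ETH_P_EAPOL, EAPOL_START),
    "tagged_ipv4": build_frame("02:00:00:00:00:02", CLIENT_MAC, ETH_P_IPV4, FAKE_IPV4, vlan=0),
    "untagged_ipv4": build_frame("02:00:00:00:00:02", CLIENT_MAC, ETH_P_IPV4, FAKE_IPV4),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        verdict, rule = ebtables_forward_verdict(frame)
        print(f"{name:15s} eapol={is_eapol(frame)!s:5s} verdict={verdict} rule={rule}")
```

Running the block shows that only the tagged samples are decided by the rules; the untagged ones fall through to the chain policy, which is worth knowing when reasoning about what the bridge will pass. On the NAT side, once eth0 is enslaved to br0 the IP address and routes belong to br0, so a MASQUERADE rule for the WAN direction is normally written with `-o br0` rather than `-o eth0`.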
