grsecurity forums

I am trying to set up a transparent firewall using the ethernet bridge commands.
What this firewall needs to do is allow ONLY ssh through from the internet, and allow the intranet (Local Lan) to communicate with the outside world.

The internet is coming in through eth0, the local intranet LAN is past eth1

Right now I am testing with a laptop connected to eth1 via crossover cable.
I have tried these commands as spelled out in http://www.linuxjournal.com/article/8172

They do NOT work and do NOT allow the laptop to even do DHCP to get an address.

(Also the grsecurity kernel I tried to compile can't even find the hda1 but that's another story) NOTHING WORKS.

Here's what I tried and failed with:
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ip link set br0 up
/sbin/ip addr add 192.168.0.6 brd + dev br0
/sbin/route add default gw 192.168.0.1 dev br0

The bridge is working.

Now I'm trying to make an ebtable ruleset that:
By default denys all
But lets ssh through to the ssh server (network) (firewall) (internet)
from the internet

and lets HTTP and HTTPS out to the internet from said server:
This however doesn't work!

(ebchains) what do I do?

Bridge chain: FORWARD, entries: 8, policy: DROP
-p IPv4 --ip-proto icmp -j DROP
-p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-dport 22 -j ACCEPT
-p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-sport 22 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 80 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 80 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 443 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 443 -j ACCEPT
-p IPv4 -i eth0 --ip-src 192.168.0.22 -j DROP