J'ai fait un tas de test mais la je seche

Je recapitule je veux installer un deuxieme serveur PXE sur mon reseau IP
mais je veux le dedier au test et pour cela je configure une station BRIDGE ET FIREWALL en interdisant uniquement le port PXE 4011
et je laisse passer tout le reste.

ETH0 cote serveur de production
ETH1 cote serveur de test

Je vous donne ma configuration :

interfaces :

auto lo
iface lo inet loopback
pre-up /etc/network/if-pre-up.d/iptables-start
post-down /etc/network/if-post-down.d/iptables-stop

# The primary network interface
allow-hotplug br0 eth0 eth1
#iface eth0 inet manual
#iface eth1 inet manual
auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1
bridge_stp off
# bridge_fd 2
bridge_maxwait 0
DHCLIENT_WAIT_AT_BOOT 15

sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com
#net/ipv4/icmp_echo_ignore_broadcasts=1

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.ip_forward=1

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net/ipv4/icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net/ipv4/conf/all/send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net/ipv4/conf/all/accept_source_route = 0
#
# Enable TCP Syn Cookies
#net/ipv4/tcp_syncookies = 1
#
# Log Martian Packets
#net/ipv4/conf/all/log_martians = 1
#
# Always defragment packets
#net/ipv4/ip_always_defrag = 1
# Uncomment the next line to enable packet forwarding for IPv4
# net.ipv4.conf.default.forwarding=1
# Uncomment the next line to enable packet forwarding for IPv6
# net.ipv6.conf.default.forwarding=1
net.ipv4.ip_forward=1

ifconfig

br0 Link encap:Ethernet HWaddr 00:06:29:a9:54:27
inet adr:192.168.1.38 Bcast:10.52.255.255 Masque:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:281 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:15922 (15.5 KiB) TX bytes:1710 (1.6 KiB)

eth0 Link encap:Ethernet HWaddr 00:06:29:a9:54:27
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:907 errors:0 dropped:0 overruns:0 frame:0
TX packets:188716 errors:7 dropped:0 overruns:0 carrier:7
collisions:0 lg file transmission:1000
RX bytes:222964 (217.7 KiB) TX bytes:12584667 (12.0 MiB)

eth1 Link encap:Ethernet HWaddr 00:40:ca:7b:54:6a
inet adr:192.168.1.38 Bcast:10.52.255.255 Masque:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:347 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:1000
RX bytes:28128 (27.4 KiB) TX bytes:2553 (2.4 KiB)
Interruption:20

lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:256 errors:0 dropped:0 overruns:0 frame:0
TX packets:256 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:88848 (86.7 KiB) TX bytes:88848 (86.7 KiB)

iptables-start

#!/bin/sh

# FILTRAGE DU PORT 4011 PXE

# REMISE à ZERO des règles de filtrage
iptables -F
iptables -t nat -F

# DEBUT des règles de filtrage
# Pas de filtrage sur l'interface de "loopback"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 4011 -m state --state NEW -j DROP
iptables -A OUTPUT -o eth1 -p tcp --sport 4011 --dport 1024:65535 -m state --state NEW -j DROP
# FIN des règles"

Voila si quelqu'un peut m'aider.

A+

FOREZIEN, tu fais l'inverse de ce qu'on fait habituellment, tu acceptes tout par défaut

iptables -t filter -P INPUT   ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT  ACCEPT

et tu rejettes ce qui passes sur le port 4011 (en supposant que l'interface eth1 soit du côté de ton serveur de production).

iptables -A INPUT  -i eth1 -p tcp --sport  1024:65535  --dport 4011 -m state --state NEW -j DROP
iptables -A OUTPUT  -o eth0 -p tcp  --sport 4011 --dport  1024:65535 -m state --state NEW -j DROP

Attentions, il y a d'autres lignes à mettre entre ces 2 blocs, voir par exemple ce sujet

LeDub qui fait court

Mon reseau est le 192.168.1.1 / 24 passerelle 192.168.1.254
Actuellement j'ai un serveur pxe de production et je voudrais
installer un deuxieme serveur pxe de test mais en l' isolant
via un bridge firewall (une station DEBIAN avec deux carte ethernet)
et interdire uniquement le port 4011.

Je vous remercie d'avance pour votre aide.

FOREZIEN