Re: Confusion about filtering traffic in a bridge scenario

On 11/04/2012 17:36, Olivier Nicole wrote:
> Hi,
>
> On Wed, Apr 11, 2012 at 9:58 PM, Marc <ccc@xxxxxxxxxxxxx> wrote:
>> Hello,
>>
>> I was/am trying to set up packet filtering on a virtualisation host and
>> couldn't get it to work and was hoping for some pointers.
>>
>> Here's the setup:
>>
>> Said host has:
>> eth0 - the physical interface, no address assigned
>> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
>> route assigned to it
>> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>>
>> Both eth0 and veth0 are added to the bridge. The networking setup is
>> functional; however, I seem to be unable to filter traffic to the VM with
>> iptables. Here's what I've tried:
>>
>> iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out veth0  -p
>> tcp --dport 22
>>
>> However, this only results in a /var/log/messages entry:
>>
>> kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
>> POSTROUTING chains for non-bridged traffic is not supported anymore.
> As this is bridged traffic, if the in interface is eth0, the out
> interface can only be veth0, so omit the --physdev-out that causes the problem?
Makes sense. Tried that just now - it gets rid of the error message, but
still doesn't block ssh, which leads me to believe that packets heading
for the VM aren't even getting to the FORWARD chain. Which in turn
leads me to believe that I'm missing something fundamental that I don't see.

Regards, Marc
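Two things decide whether a rule like the one above can ever block bridged ssh: frames that are only bridged traverse the iptables FORWARD chain only when the bridge-netfilter hooks are active (the net.bridge.bridge-nf-call-iptables sysctl, provided by the bridge module or, on later kernels, br_netfilter), and the rule itself needs a target such as -j DROP, which the posted command lacks. The following script is an added example, not part of this thread; the script name bridge_nf_check.sh and the functions in it are assumptions, and it only prints the commands it suggests rather than running them.

```shell
#!/bin/sh
# Added example: diagnose why frames bridged from eth0 to veth0 are not
# seen by the iptables FORWARD chain, then print a rule that blocks ssh.
# Assumption: the bridge-nf sysctl lives at the path below (it exists only
# while the bridge / br_netfilter module is loaded).

BRIDGE_NF_SYSCTL=/proc/sys/net/bridge/bridge-nf-call-iptables

# bridge_nf_state [FILE]: prints "absent", "off" or "on" for the sysctl.
# Returns 0 only when bridged frames will traverse the iptables chains.
bridge_nf_state() {
    f=${1:-$BRIDGE_NF_SYSCTL}
    if [ ! -r "$f" ]; then
        echo absent
        return 2
    fi
    read -r v < "$f"
    if [ "$v" = "1" ]; then
        echo on
        return 0
    fi
    echo off
    return 1
}

# build_block_rule IN_IF PORT: the FORWARD rule for bridged frames entering
# via IN_IF. Only --physdev-in is used (as suggested in the thread), and a
# -j DROP target is added so the rule actually drops instead of just counting.
build_block_rule() {
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -p tcp --dport %s -j DROP\n' "$1" "$2"
}

main() {
    state=$(bridge_nf_state) || true
    case "$state" in
        absent) echo "bridge-nf sysctl missing: run 'modprobe br_netfilter' (older kernels: 'modprobe bridge')" ;;
        off)    echo "bridged frames bypass iptables: run 'sysctl -w net.bridge.bridge-nf-call-iptables=1'" ;;
        on)     echo "bridged frames traverse FORWARD; rule to block ssh to the VM:"
                build_block_rule eth0 22 ;;
    esac
}

if [ "${0##*/}" = "bridge_nf_check.sh" ]; then
    main
fi
```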