iptables and slave interfaces

Newbie sort of question:
Do slave interfaces of a bridge need to be iptabled? Does one need
to forward/input etc. them? It should be only bridges in
this situation, right?

Also, maybe someone could share his/her thoughts on this one
problem I have, which boggles my mind, for I'm unable to fix
it, namely:

I had to introduce additional routing tables and rules in
order to allow for source-based routing. Before, it was working.
What was? Guests (VMs) behind a bridge interface (that
comprised tap interfaces, one tap IF per VM) could
see/reach the host system on one specific, separate/physical interface.
Now these guests cannot do that anymore, I think ever since
I introduced source-based routes into this environment.
I should try to provide you with a better picture....

VM(via tap) --- HOST
VM(via tap) --- ------ > br0(taps + em4 + eth0); br1(em1 +
eth1); em2; em3
etc ...... ---

Now, VMs reach all the interfaces but one: em3! VMs also reach the
outside world, to which em3 is the gateway (masquerade).
Naturally, VMs are reachable from the HOST itself and each
other, but not from/behind br1.

VMs are on/behind br0.
Here are routes + rules:

ip route add table internal from 172.25.12.0/24 to 192.168.2.64/27 via 192.168.2.65 dev br0
ip route add table internal from 172.25.12.0/24 to 192.168.2.0/24 via 192.168.2.100 dev br1
ip route add table internal to 172.25.12.0/24 via 172.25.12.203 dev em2

ip route add table external to 192.168.2.0/24 via 192.168.2.100
ip route add table external to 192.168.2.0/27 via 192.168.2.65
ip route add table external to ext_NET/24 dev em3

ip route add table external default via ext_IP dev em3

ip rule add from 172.25.12.0/24 table internal
ip rule add from 192.168.2.0/24 table internal
ip rule add from ext_NET table external

Or is it iptables?? But there is:
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br+ -o br+ -m state --state NEW -j ACCEPT

I really cannot get my head around it; I have tampered with
routes + rules, iptables... cannot...
Anybody's input much appreciated!
Regards

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
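The policy-routing lookup the quoted rules describe, as an added example that is not part of the original post: a small Python model of the poster's `ip rule` / `ip route` tables that reports which table and route a (source, destination) pair selects, using longest-prefix match within a table and falling through to the next rule when a table has no match. The kernel's local and main tables are not modelled, and the post's ext_NET / ext_IP placeholders are modelled here as the constructed 203.0.113.0/24 and 203.0.113.1.

```python
import ipaddress

# Constructed model of the routing tables and rules quoted in the post.
# ext_NET / ext_IP are placeholders there; modelled as 203.0.113.0/24 / 203.0.113.1.
# Each route: (source selector or None, destination prefix, via, dev)
TABLES = {
    "internal": [
        ("172.25.12.0/24", "192.168.2.64/27", "192.168.2.65", "br0"),
        ("172.25.12.0/24", "192.168.2.0/24", "192.168.2.100", "br1"),
        (None, "172.25.12.0/24", "172.25.12.203", "em2"),
    ],
    "external": [
        (None, "192.168.2.0/24", "192.168.2.100", None),
        (None, "192.168.2.0/27", "192.168.2.65", None),
        (None, "203.0.113.0/24", None, "em3"),
        (None, "0.0.0.0/0", "203.0.113.1", "em3"),
    ],
}
# ip rule entries in priority order: (source prefix, table)
RULES = [
    ("172.25.12.0/24", "internal"),
    ("192.168.2.0/24", "internal"),
    ("203.0.113.0/24", "external"),
]


def lookup(table, src, dst):
    """Longest destination-prefix match within one table; routes carrying a
    'from' selector only apply when the source address falls inside it."""
    best = None
    for from_net, dst_net, via, dev in TABLES[table]:
        if from_net and src not in ipaddress.ip_network(from_net):
            continue
        net = ipaddress.ip_network(dst_net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def route(src_s, dst_s):
    """Walk the rules in priority order; a table with no matching route does
    not end the lookup, the next rule is tried (as the kernel does)."""
    src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
    for from_net, table in RULES:
        if src not in ipaddress.ip_network(from_net):
            continue
        hit = lookup(table, src, dst)
        if hit:
            return (table, str(hit[0]), hit[1], hit[2])
    return None  # would fall through to the main table, not modelled here
```

For a packet from ext_NET to 192.168.2.70 the external table selects the 192.168.2.0/24 route via 192.168.2.100 rather than the /27 route, because 192.168.2.0/27 covers only .0 through .31 and the 192.168.2.64/27 block lies outside it.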