Hi Netfilter. I'm facing a problem with setting up an iptables ruleset on a machine with a bridged interface.
hn2 ~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001e67d35bee       no              eth0
                                                        one-259-0
hn2 ~ #

What I'm trying to accomplish is to firewall the interface one-259-0. But no matter what I try, no traffic is filtered. It goes just plain through. The effect stays the same with or without:

hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-arptables
1
hn2 ~ #

Here is the running ruleset. I hope someone can point me in the right direction.
hn2 ~ # iptables -nvL
Chain INPUT (policy ACCEPT 1003 packets, 86232 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6792  390K ACCEPT     tcp  --  *      *       nice.ip.yeah.right   0.0.0.0/0            tcp dpts:5900:6999
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:6999

Chain FORWARD (policy ACCEPT 435K packets, 472M bytes)
 pkts bytes target     prot opt in     out     source               destination
   59  3323 opennebula  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
11975  685K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 877 packets, 141K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain one-259-0-i (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
   58  2944 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain one-259-0-o (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! 02:00:2E:04:94:D8
    1   379 ACCEPT     udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set one-259-0-ip-spoofing src
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain opennebula (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   379 one-259-0-o  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in one-259-0 --physdev-is-bridged
   58  2944 one-259-0-i  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
hn2 ~ #

Just to sum that up: I just want traffic on ports 22 and 443 passed to the bridge member one-259-0. But at the moment I can connect to port 80 fine.
Thanks and cheers, t.
Attachment:
0xF5437AA0.asc
Description: application/pgp-keys
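As an added example (not part of the original post or of any netfilter tool), here is a small Python parser for `iptables -nvL` output that turns a counter dump like the one above into per-chain rule records, so that the counters of the PHYSDEV rules and of the per-interface chains can be compared mechanically against what a bridged-filtering ruleset is expected to hit. The `SAMPLE` text is a constructed, re-wrapped copy of the dump from the post (the empty OUTPUT chain and the one-259-0-o chain are omitted to keep it short); the function and class names are the example's own.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a re-wrapped copy of the `iptables -nvL` dump from the post.
SAMPLE = """\
Chain INPUT (policy ACCEPT 1003 packets, 86232 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6792  390K ACCEPT     tcp  --  *      *       nice.ip.yeah.right   0.0.0.0/0            tcp dpts:5900:6999
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:6999

Chain FORWARD (policy ACCEPT 435K packets, 472M bytes)
 pkts bytes target     prot opt in     out     source               destination
   59  3323 opennebula  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
11975  685K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4

Chain one-259-0-i (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
   58  2944 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain opennebula (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1   379 one-259-0-o  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in one-259-0 --physdev-is-bridged
   58  2944 one-259-0-i  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}


def parse_count(tok: str) -> int:
    """Turn an abbreviated -v counter such as '390K' or '472M' into an int (iptables rounds, so it is approximate)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # match text as printed, e.g. 'PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged'


@dataclass
class Chain:
    name: str
    policy: Optional[str]      # None for user-defined chains
    policy_pkts: int           # packets that fell through to the policy (0 for user-defined chains)
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, \S+ bytes|\d+ references)\)")


def parse_iptables_nvl(text: str) -> Dict[str, Chain]:
    """Parse `iptables -nvL` output into chains keyed by name; the 'hn2 ~ #' prompt lines are tolerated."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("pkts bytes", "hn2 ~ #")):
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), parse_count(m.group(3)) if m.group(3) else 0)
            chains[current.name] = current
            continue
        if current is None:
            raise ValueError("rule line before any chain header")
        # Nine fixed columns; whatever follows the destination is the match text.
        cols = line.split(None, 9)
        if len(cols) < 9:
            raise ValueError(f"short rule line: {line!r}")
        extra = cols[9].strip() if len(cols) == 10 else ""
        current.rules.append(Rule(parse_count(cols[0]), parse_count(cols[1]), cols[2], cols[3],
                                  cols[5], cols[6], cols[7], cols[8], extra))
    return chains


def physdev_hits(chains: Dict[str, Chain]) -> List[Tuple[str, str, int]]:
    """(chain, target, pkts) for every rule that uses the physdev match."""
    return [(c.name, r.target, r.pkts) for c in chains.values() for r in c.rules if "PHYSDEV" in r.extra]


def zero_hit_rules(chains: Dict[str, Chain]) -> List[Tuple[str, int, str]]:
    """(chain, rule index, target) for rules whose packet counter is still zero, i.e. traffic never reached them."""
    return [(c.name, i, r.target) for c in chains.values() for i, r in enumerate(c.rules) if r.pkts == 0]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_iptables_nvl(text)
    for name, ch in parsed.items():
        if ch.policy:
            print(f"{name}: policy {ch.policy} took {ch.policy_pkts} pkts")
    print("physdev rule hits:", physdev_hits(parsed))
    print("rules never hit:", zero_hit_rules(parsed))
```

Run it directly to see the summary for the embedded sample, or pipe a live dump into it (`iptables -nvL | python3 iptables_counters.py`, the file name being arbitrary). On the sample it reports that FORWARD's policy absorbed about 435K packets while the `--physdev-is-bridged` rule matched only 59, and that the ACCEPT/RETURN rules in one-259-0-i have never been hit; comparing those numbers after generating fresh test traffic is the quickest way to see which path a packet actually takes through the ruleset.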