"PHYSDEV match --physdev-is-bridged" problems

Hi Netfilter.

I'm facing a problem with setting up an iptables ruleset on a machine with a bridged interface.

hn2 ~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.001e67d35bee       no              eth0
                                                        one-259-0
hn2 ~ #

What I'm trying to accomplish is to firewall the interface one-259-0. But no matter what I try, no traffic is filtered. It just goes plain through. The effect stays the same with or without:

hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-arptables
1
hn2 ~ #

Here is the running ruleset. I hope someone can point me in the right direction.

hn2 ~ # iptables -nvL
Chain INPUT (policy ACCEPT 1003 packets, 86232 bytes)
 pkts bytes target       prot opt in     out     source               destination
 6792  390K ACCEPT       tcp  --  *      *       nice.ip.yeah.right   0.0.0.0/0            tcp dpts:5900:6999
    0     0 DROP         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5900:6999

Chain FORWARD (policy ACCEPT 435K packets, 472M bytes)
 pkts bytes target       prot opt in     out     source               destination
   59  3323 opennebula   all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-is-bridged
11975  685K LOG          tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 877 packets, 141K bytes)
 pkts bytes target       prot opt in     out     source               destination

Chain one-259-0-i (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 ACCEPT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 RETURN       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443
   58  2944 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain one-259-0-o (1 references)
 pkts bytes target       prot opt in     out     source               destination
    0     0 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! 02:00:2E:04:94:D8
    1   379 ACCEPT       udp  --  *      *       0.0.0.0              255.255.255.255      udp spt:68 dpt:67
    0     0 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set one-259-0-ip-spoofing src
    0     0 ACCEPT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 RETURN       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP         all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain opennebula (1 references)
 pkts bytes target       prot opt in     out     source               destination
    1   379 one-259-0-o  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in one-259-0 --physdev-is-bridged
   58  2944 one-259-0-i  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged
    0     0 ACCEPT       all  --  *      *       0.0.0.0/0            0.0.0.0/0
hn2 ~ #

Just to sum that up: I just want traffic on ports 22 and 443 passed to the bridge member one-259-0. But at the moment I can connect to port 80 fine.

thanks and cheers
t.



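As an added illustration (not part of the original post), here is a small Python model of how the FORWARD chain in the ruleset above dispatches a frame heading for one-259-0 through the opennebula and one-259-0-i chains, so you can check which verdict a given packet should get. It covers only the inbound-to-VM path; the LOG rule, the one-259-0-o chain and the conntrack/MAC/ipset matches are reduced to constructed flags, so it is a reasoning aid, not a substitute for reading counters with iptables -nvL.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    proto: str
    dport: int
    physdev_in: str = ""        # bridge port the frame entered on
    physdev_out: str = ""       # bridge port the frame will leave on
    bridged: bool = True        # would --physdev-is-bridged match?
    established: bool = False   # stand-in for conntrack RELATED,ESTABLISHED


# Chains transcribed from the post's ruleset (inbound-to-VM path only).
# Each rule is (match predicate, target); a chain name as target is a jump.
CHAINS = {
    "FORWARD": [
        (lambda p: p.bridged, "opennebula"),
        # the LOG rule is non-terminating and omitted here
    ],
    "opennebula": [
        (lambda p: p.bridged and p.physdev_in == "one-259-0", "one-259-0-o"),
        (lambda p: p.bridged and p.physdev_out == "one-259-0", "one-259-0-i"),
        (lambda p: True, "ACCEPT"),
    ],
    "one-259-0-i": [
        (lambda p: p.established, "ACCEPT"),
        (lambda p: p.proto == "tcp" and p.dport == 22, "RETURN"),
        (lambda p: p.proto == "tcp" and p.dport == 443, "RETURN"),
        (lambda p: True, "DROP"),
    ],
    "one-259-0-o": [],   # outbound chain not modelled; returns to caller
}


def walk(chain, p):
    """Return ACCEPT/DROP, or None if the chain ends without a verdict."""
    for match, target in CHAINS[chain]:
        if not match(p):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None             # back to the calling chain's next rule
        verdict = walk(target, p)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return None


def forward_verdict(p, policy="ACCEPT"):
    """Verdict in FORWARD; the chain policy applies when nothing terminates."""
    return walk("FORWARD", p) or policy
```

With this ruleset a tcp/80 frame that really traverses FORWARD as bridged traffic toward one-259-0 ends in DROP, while a frame that does not match --physdev-is-bridged falls through to the ACCEPT policy, which is what a successful port 80 connection looks like.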