iptables filtering when bridging

iptables filtering when bridging

[David]

[-- Attachment #1.1: Type: text/plain, Size: 1299 bytes --]

Still sort of new to Xen, and have been playing around with it bridging
ethernet traffic between Dom0 and DomU.  I'm trying to figure out how to
have iptables filtering performed in Dom0 when bridging.

I've found some references to using the following command:
ebtables -t broute -A BROUTING -p ipv4 --ip-proto 6 --ip-dport 80 -j
redirect --redirect-target ACCEPT

(For now, I just want to filter Web traffic).

Using the above rule, and logging the ebtables and iptables traffic, I see
that traffic is going into the ebtables' Filter table's Input chain, but
then I see no activity after that.  The Web browser in DomU never sees any
packets.  Based on http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png,
the packet appears to be going the right way, but I can't make it go any
further.

Is it possible to have the packets go through the iptables Filter tables in
Dom0?  What I'd eventually like to get to is running squid in Dom0 to proxy
and filter Web traffic, but I cannot seem to get the traffic to flow
properly when in bridging mode.  Based on other searches, I've tried (with
squid configured and running in Dom0):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

This does not seem to work.  Any insight into how to get this working would
be appreciated.

[-- Attachment #1.2: Type: text/html, Size: 1589 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: iptables filtering when bridging

[Mark McLoughlin]

Hi,

On Wed, 2007-05-09 at 10:04 -0400, David wrote:

>   Based on http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png,
> the packet appears to be going the right way, but I can't make it go
> any further.
> 
> Is it possible to have the packets go through the iptables Filter
> tables in Dom0? 

	Yep, packets should be going through iptables as they traverse the
bridge in Dom0 (as the diagram shows), unless it's explicitly disabled.
What does:

  $> sysctl net.bridge.bridge-nf-call-iptables

	show? (It should be "1")

Cheers,
Mark.

Re: iptables filtering when bridging

[David]

[-- Attachment #1.1: Type: text/plain, Size: 858 bytes --]

On 5/10/07, Mark McLoughlin <markmc@redhat.com> wrote:
>
> Hi,
>
> On Wed, 2007-05-09 at 10:04 -0400, David wrote:
>
> >   Based on http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png,
> > the packet appears to be going the right way, but I can't make it go
> > any further.
> >
> > Is it possible to have the packets go through the iptables Filter
> > tables in Dom0?
>
>         Yep, packets should be going through iptables as they traverse the
> bridge in Dom0 (as the diagram shows), unless it's explicitly disabled.
> What does:
>
>   $> sysctl net.bridge.bridge-nf-call-iptables
>
>         show? (It should be "1")



It is showing "1".   Based on my iptables logging, I do see the packet going
through iptables' Magle and Nat Prerouting chains.  It then goes into
ebtables' Filter Input chain, and then there is no more logging.


Thanks,
David

[-- Attachment #1.2: Type: text/html, Size: 1423 bytes --]

[-- Attachment #2: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel