From: Marc <ccc@lebertbro.com>
To: hannah commodore <teargas@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Confusion about filtering traffic in a bridge scenario
Date: Fri, 13 Apr 2012 14:55:21 +0200
Message-ID: <4F882239.7030404@lebertbro.com>
In-Reply-To: <CAHaYD9jLFw0Xfc3ytM9FLVPe4c_SzKAnaHdy8de1_AD85Sxx7g@mail.gmail.com>
On 13/04/2012 08:06, hannah commodore wrote:
> On Thu, Apr 12, 2012 at 00:58, Marc <ccc@lebertbro.com> wrote:
>> I was/am trying to set up packet filtering on a virtualisation host and
>> couldn't get it to work and was hoping for some pointers.
>>
>> Here's the setup:
>>
>> Said host has:
>> eth0 - the physical interface, no address assigned
>> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
>> route assigned to it
>> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>>
>> Both eth0 and veth0 are added to the bridge. The networking setup is
>> functional; however, I seem to be unable to filter traffic to the VM with
>> iptables.
> Do you use /etc/network/interfaces to create the bridge interface?
>
> I've noticed in Debian that sysctl.conf is applied before the
> if-up.d/bridge script has a chance to load the bridge module. As a
> result, the sysctls for net.bridge remain at their defaults.
> I needed to add a post-up to my config to overcome this.
>
> What is the current setting of net.bridge.bridge-nf-call-iptables?
>
> Does re-applying sysctl.conf (sysctl -p) allow iptables to then pick up
> bridged traffic?
Thank you very much! This was indeed the problem! I have manually
enabled net.bridge.bridge-nf-call-(ip(6)/arp)tables and that fixed the
problem. I have now also added post-up entries to the bridge to do this
on reboots.
Regards, Marc
Thread overview:
2012-04-11 14:58 Confusion about filtering traffic in a bridge scenario Marc
2012-04-11 15:13 ` Gáspár Lajos
2012-04-11 15:36 ` Olivier Nicole
2012-04-11 16:27 ` Marc
2012-04-13 6:06 ` hannah commodore
2012-04-13 12:55 ` Marc [this message]