From: Marc <ccc@lebertbro.com>
To: Olivier Nicole <olivier2553@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Confusion about filtering traffic in a bridge scenario
Date: Wed, 11 Apr 2012 18:27:11 +0200
Message-ID: <4F85B0DF.7010905@lebertbro.com>
In-Reply-To: <CA+g+BvgspbpSvoOT7OyNjyQFf24NCZLwTnZrKbc7OGxmgATGow@mail.gmail.com>
On 11/04/2012 17:36, Olivier Nicole wrote:
> Hi,
>
> On Wed, Apr 11, 2012 at 9:58 PM, Marc <ccc@lebertbro.com> wrote:
>> Hello,
>>
>> I was/am trying to setup packet filtering on a virtualisation host and
>> couldn't get it to work and was hoping for some pointers.
>>
>> Here's the setup:
>>
>> Said host has:
>> eth0 - the physical interface, no address assigned
>> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
>> route assigned to it
>> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>>
>> Both eth0 and veth0 are added to the bridge, the networking setup is
>> functional, however I seem to be unable to filter traffic to the VM with
>> iptables. Here's what I've tried:
>>
>> iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out veth0 -p
>> tcp --dport 22
>>
>> However, this only results in a /var/log/messages entry:
>>
>> kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
>> POSTROUTING chains for non-bridged traffic is not supported anymore.
> As this is bridged traffic, if the in interface is eth0, the out
> interface can only be veth0, omit the --physdev-out that makes problem?
Makes sense. Tried that just now - gets rid of the error message, but
still doesn't block ssh, which leads me to believe that packets heading
for the VM aren't even getting to the FORWARD chain. Which in return
leads me to believe that I'm missing something fundamental that I don't see.
Regards, Marc
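Added diagnostic (not from this thread): bridged frames only traverse iptables' FORWARD chain when bridge-netfilter is active, which is what the sysctl net.bridge.bridge-nf-call-iptables controls, and --physdev-out in FORWARD is only accepted for bridged traffic when paired with --physdev-is-bridged. The script below checks the sysctl and emits the rule; it assumes the host exposes that sysctl (on kernels from 3.18 on it appears only after loading the br_netfilter module) and assumes a DROP target, since the thread's rule has no target.

```shell
#!/bin/sh
# Added example: check whether bridged traffic is handed to iptables at all,
# and build the physdev rule for tcp/22 toward the VM. Nothing is applied.

# Returns 0 if the bridge-nf-call-iptables sysctl file exists and reads 1.
# The path is a parameter so the check can be exercised on a constructed file.
bridge_nf_call_iptables_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || return 1
    read -r v < "$f" || return 1
    [ "$v" = "1" ]
}

# Emits the FORWARD rule. With an out interface, --physdev-is-bridged is added
# because --physdev-out is only supported for bridged traffic in FORWARD;
# without one the rule uses --physdev-in alone, as suggested in the thread.
# The DROP target is an assumption (the goal stated was to block ssh).
physdev_ssh_rule() {
    in_if="$1"
    out_if="$2"
    rule="-A FORWARD -m physdev --physdev-in $in_if"
    if [ -n "$out_if" ]; then
        rule="$rule --physdev-is-bridged --physdev-out $out_if"
    fi
    printf '%s -p tcp --dport 22 -j DROP\n' "$rule"
}

# Stand-alone use: ./check.sh check
if [ "${1:-}" = "check" ]; then
    if bridge_nf_call_iptables_enabled; then
        echo "bridge-nf-call-iptables=1: bridged frames reach FORWARD"
    else
        echo "bridge-nf-call-iptables is 0 or absent: bridged frames bypass iptables"
        echo "  try: modprobe br_netfilter; sysctl -w net.bridge.bridge-nf-call-iptables=1"
    fi
    physdev_ssh_rule eth0 veth0
fi
```

Running it with the `check` argument reports the sysctl state on the current host and prints the rule to review before adding it with iptables.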