Confusion about filtering traffic in a bridge scenario

Confusion about filtering traffic in a bridge scenario

[Marc]

Hello,

I was/am trying to setup packet filtering on a virtualisation host and
couldnt get it to work and was hoping for some pointers.

Heres the setup:

Said host has:
eth0 - the physical interface, no address assigned
br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
route assigned to it
veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1

both eth0 and veth0 are added to the bridge, the networking setup is
functional, however I seem to be unable to filter traffic to the VM with
iptables. Heres what Ive tried:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out veth0  -p
tcp --dport 22

However, this only results in a /var/log/messages entry:

kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore.

Since this _IS_ in fact bridged traffic, I dont see why I would get this
error?

Maybe Im looking at it the completely wrong way and physdev isnt even
the way to go here anymore, I dont know. Any kind of help is greatly
appreciated.

Oh, I figured I should add the following information:

Kernel is Linux 2.6.32-11, running Debian stable (6.0.4)

/etc/sysctl.conf contains these:

net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv6.conf.all.proxy_ndp=1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

iptables -I FORWARD -j REJECT -p tcp -i veth0 --dport 22
didnt stop ssh from working either

Regards, Marc

Re: Confusion about filtering traffic in a bridge scenario

[Gáspár Lajos]

Hi Marc,

2012-04-11 16:58 keltezéssel, Marc írta:
> Hello,
>
> I was/am trying to setup packet filtering on a virtualisation host and
> couldnt get it to work and was hoping for some pointers.
>
> Heres the setup:
>
> Said host has:
> eth0 - the physical interface, no address assigned
> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
> route assigned to it
> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>
> both eth0 and veth0 are added to the bridge, the networking setup is
> functional, however I seem to be unable to filter traffic to the VM with
> iptables. Heres what Ive tried:
If I were you, I would set up my network as follows:

Real network
- eth0: IP: 10.0.0.1 Gateway: w.x.y.z

Virtual network
- br0:  IP:192.168.0.254 (this is the "internal" "network" of VMs)
- veth0: IP: 192.168.0.1 Gateway: 192.168.0.254 (a virtual interface of 
a VM)

The VMs would see your host as a gateway... With this setup you can 
simply use the FORWARD chain for NAT/filter/etc....

Swifty

Re: Confusion about filtering traffic in a bridge scenario

[Olivier Nicole]

Hi,

On Wed, Apr 11, 2012 at 9:58 PM, Marc <ccc@lebertbro.com> wrote:
> Hello,
>
> I was/am trying to setup packet filtering on a virtualisation host and
> couldnt get it to work and was hoping for some pointers.
>
> Heres the setup:
>
> Said host has:
> eth0 - the physical interface, no address assigned
> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
> route assigned to it
> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>
> both eth0 and veth0 are added to the bridge, the networking setup is
> functional, however I seem to be unable to filter traffic to the VM with
> iptables. Heres what Ive tried:
>
> iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out veth0  -p
> tcp --dport 22
>
> However, this only results in a /var/log/messages entry:
>
> kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
> POSTROUTING chains for non-bridged traffic is not supported anymore.

As this is bridged traffic, if the in interface is eth0, the out
interface can only be veth0, omit the -physdev-out that makes problem?

Olivier

> Since this _IS_ in fact bridged traffic, I dont see why I would get this
> error?
>
> Maybe Im looking at it the completely wrong way and physdev isnt even
> the way to go here anymore, I dont know. Any kind of help is greatly
> appreciated.
>
> Oh, I figured I should add the following information:
>
> Kernel is Linux 2.6.32-11, running Debian stable (6.0.4)
>
> /etc/sysctl.conf contains these:
>
> net.ipv4.ip_forward=1
> net.ipv4.conf.all.rp_filter=1
> net.ipv4.icmp_echo_ignore_broadcasts=1
> net.ipv6.conf.all.proxy_ndp=1
> net.bridge.bridge-nf-call-arptables = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
>
> iptables -I FORWARD -j REJECT -p tcp -i veth0 --dport 22
> didnt stop ssh from working either
>
> Regards, Marc
>
>
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Confusion about filtering traffic in a bridge scenario

[Marc]

On 11/04/2012 17:36, Olivier Nicole wrote:
> Hi,
>
> On Wed, Apr 11, 2012 at 9:58 PM, Marc <ccc@lebertbro.com> wrote:
>> Hello,
>>
>> I was/am trying to setup packet filtering on a virtualisation host and
>> couldnt get it to work and was hoping for some pointers.
>>
>> Heres the setup:
>>
>> Said host has:
>> eth0 - the physical interface, no address assigned
>> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
>> route assigned to it
>> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>>
>> both eth0 and veth0 are added to the bridge, the networking setup is
>> functional, however I seem to be unable to filter traffic to the VM with
>> iptables. Heres what Ive tried:
>>
>> iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out veth0  -p
>> tcp --dport 22
>>
>> However, this only results in a /var/log/messages entry:
>>
>> kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
>> POSTROUTING chains for non-bridged traffic is not supported anymore.
> As this is bridged traffic, if the in interface is eth0, the out
> interface can only be veth0, omit the -physdev-out that makes problem?
Makes sense. Tried that just now - gets rid of the error message, but
still doesnt block ssh, which leads me to believe that packets heading
for the VM arent even getting to the FORWARD chain. Which in return
leads me to believe that Im missing something fundamental that I dont see.

Regards, Marc

Re: Confusion about filtering traffic in a bridge scenario

[hannah commodore]

On Thu, Apr 12, 2012 at 00:58, Marc <ccc@lebertbro.com> wrote:
> I was/am trying to setup packet filtering on a virtualisation host and
> couldnt get it to work and was hoping for some pointers.
>
> Heres the setup:
>
> Said host has:
> eth0 - the physical interface, no address assigned
> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
> route assigned to it
> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>
> both eth0 and veth0 are added to the bridge, the networking setup is
> functional, however I seem to be unable to filter traffic to the VM with
> iptables

do you use /etc/network/interfaces to create the bridge interface?

I've noticed in Debian that sysctl.conf is applied before the
if-up.d/bridge script has a chance to load the bridge module. as a
result, the sysctl for net.bridge remain the default.
i needed to add a post-up to my config to overcome this

what is the current setting of net.bridge.bridge-nf-call-iptables?

does re-applying sysctl.conf allow iptables to then pick up bridged
traffic (sysctl -p)?

Re: Confusion about filtering traffic in a bridge scenario

[Marc]

On 13/04/2012 08:06, hannah commodore wrote:
> On Thu, Apr 12, 2012 at 00:58, Marc <ccc@lebertbro.com> wrote:
>> I was/am trying to setup packet filtering on a virtualisation host and
>> couldnt get it to work and was hoping for some pointers.
>>
>> Heres the setup:
>>
>> Said host has:
>> eth0 - the physical interface, no address assigned
>> br0 - the bridge interface, has IP 10.0.0.1 and gateway and default
>> route assigned to it
>> veth0 - the virtual interface for one of the VMs, has IP 192.168.0.1
>>
>> both eth0 and veth0 are added to the bridge, the networking setup is
>> functional, however I seem to be unable to filter traffic to the VM with
>> iptables
> do you use /etc/network/interfaces to create the bridge interface?
>
> I've noticed in Debian that sysctl.conf is applied before the
> if-up.d/bridge script has a chance to load the bridge module. as a
> result, the sysctl for net.bridge remain the default.
> i needed to add a post-up to my config to overcome this
>
> what is the current setting of net.bridge.bridge-nf-call-iptables?
>
> does re-applying sysctl.conf allow iptables to then pick up bridged
> traffic (sysctl -p)?
Thank you very much! This was indeed the problem! I have manually
enabled net.bridge.bridge-nf-call-(ip(6)/arp)tables and that fixed the
problem. I have now also added post-up entries to the bridge to do this
on reboots.

esac

Regards, Marc