How to block traffic on a bridge interface?
kitepilot at kitepilot.com
Wed Dec 23 09:38:25 MST 2015
This is an entirely different case: there are 2 interfaces there,
br0 and eth2,
and it is logging a 'route'.
In my case there is only 'br0', and I want to drop traffic on the basis
of specific IP addresses (mainly Eastern Europe and Asia), either in or out
and regardless of the interface.
But from what I see, INPUT and FORWARD will not work, and 'ethX' will never
see the packet either because it is handled on the 'br0' stack.
There's gotta be a $%#@ way... :(
But thanks...
ET
PS: ebtables won't work either because it works on MAC addresses.
Think about it...
Michael Butash writes:
> I was curious too as usually not ever doing bridging within linux, and not
> to be an arse, but googling "iptables bridge filter" for you seemed to
> turn up interesting results first:
>
> http://serverfault.com/questions/607224/iptables-matching-packets-for-bridged-interface
>
> I never knew about ebtables myself, so great question none the less.
>
> -mb
>
>
>
> On 12/23/2015 01:20 AM, kitepilot at kitepilot.com wrote:
>> Hello there...
>> I have a 2-nics Linux box configured as a bridge 'br0'.
>> World comes in via either nic (eth0 or eth1) and network is fed via the
>> other nic (eth1 or eth0 depending on above, should be irrelevant).
>> I have a non trivial question and PLEASE avoid the 'use iptables' answer
>> unless you know what rule to apply to which chain and on which interface
>> (eth0/eth1/br0).
>> Non trivial question is:
>> How do I block specific IP addresses/networks from traversing the bridge?
>> Or in other words:
>> I want all connections from a particular address/subnet to be DROP(ed) in
>> that bridge.
>> Neither FORWARD nor INPUT will catch the packet in br0 because it is
>> neither addressed to the box nor NAT(ed), and apparently neither eth0 nor
>> eth1 will hand packets to netfilter.
>> Thanks.
>> ET
>> PS: Merry Xmas to all... :)
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
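The three ways the thread circles around, as an added example by the editor and not code posted by anyone in it. It assumes the bridge is br0 with eth0 and eth1 as its ports (from the original post), an ipset named bridge-drop, and the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as stand-in block lists; the set name and the ranges are assumptions. It prints the commands for each variant so they can be reviewed before anything is applied as root: once br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1 is set, bridged frames do traverse iptables' FORWARD chain, where the physdev match and an ipset do the filtering; ebtables selects IPv4 frames with -p IPv4 and then matches on --ip-src/--ip-dst, not only on MAC addresses; and the nftables bridge family can match ip saddr/daddr on a forward hook.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies) the
# commands that make a Linux bridge drop IPv4 traffic to or from given CIDRs.
# Assumed names: bridge br0 (ports eth0/eth1), an ipset called "bridge-drop",
# and the RFC 5737 documentation ranges as sample block lists.
# Nothing touches the kernel unless run as: sh bridge-drop.sh apply-<variant> CIDR...

# Reject anything that is not a dotted-quad IPv4 CIDR. The mask and octets are
# checked numerically because a regex alone would accept 300.1.1.1/99.
validate_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; mask=${1#*/}
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$mask" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Variant 1: br_netfilter hands bridged frames to iptables, so they show up in
# FORWARD. --physdev-is-bridged limits the rule to frames being bridged, so
# traffic the box routes itself is not affected. An ipset keeps the rule count
# at two regardless of how many networks (e.g. whole country lists) are blocked.
iptables_rules() {
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "ipset create bridge-drop hash:net -exist"
    for cidr in "$@"; do
        echo "ipset add bridge-drop $cidr -exist"
    done
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged -m set --match-set bridge-drop src -j DROP"
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged -m set --match-set bridge-drop dst -j DROP"
}

# Variant 2: ebtables works on Ethernet frames, but with -p IPv4 it exposes
# IP-layer matches (--ip-src/--ip-dst) that take address/mask.
ebtables_rules() {
    for cidr in "$@"; do
        echo "ebtables -A FORWARD -p IPv4 --ip-src $cidr -j DROP"
        echo "ebtables -A FORWARD -p IPv4 --ip-dst $cidr -j DROP"
    done
}

# Variant 3: nftables bridge family, a forward hook and an interval set.
nft_rules() {
    echo "nft add table bridge filter"
    echo "nft add chain bridge filter forward '{ type filter hook forward priority 0; policy accept; }'"
    echo "nft add set bridge filter bridge_drop '{ type ipv4_addr; flags interval; }'"
    for cidr in "$@"; do
        echo "nft add element bridge filter bridge_drop '{ $cidr }'"
    done
    echo "nft add rule bridge filter forward ip saddr @bridge_drop drop"
    echo "nft add rule bridge filter forward ip daddr @bridge_drop drop"
}

# show prints every variant for review; apply-* pipes one variant into sh -e,
# which needs root. Every CIDR is validated before any command is emitted.
main() {
    mode=$1; shift
    for cidr in "$@"; do
        validate_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 2; }
    done
    case "$mode" in
        show) iptables_rules "$@"; ebtables_rules "$@"; nft_rules "$@" ;;
        apply-iptables) iptables_rules "$@" | sh -e ;;
        apply-ebtables) ebtables_rules "$@" | sh -e ;;
        apply-nft) nft_rules "$@" | sh -e ;;
        *) echo "usage: $0 show|apply-iptables|apply-ebtables|apply-nft CIDR..." >&2; return 2 ;;
    esac
}

# Only act when given arguments, so the functions can be sourced on their own.
[ $# -eq 0 ] || main "$@"
```

`sh bridge-drop.sh show 203.0.113.0/24 198.51.100.0/24` prints all three rule sets; `apply-iptables` (or the other two) runs one of them as root. The sysctl only exists after br_netfilter is loaded, so the modprobe has to come first, and once it is on every bridged frame on the box passes through iptables, so review the rest of the FORWARD policy before enabling it. IPv6 needs the parallel net.bridge.bridge-nf-call-ip6tables sysctl and ip6tables rules.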