Re: How to block traffic on a bridge interface?

Author: kitepilot@kitepilot.com
Date:  
To: Main PLUG discussion list
Subject: Re: How to block traffic on a bridge interface?
Well...
This seems to work:
iptables -t raw -A PREROUTING -d 172.27.0.111 -j DROP
iptables -t raw -A PREROUTING -s 172.27.0.111 -j DROP
So far...
ET
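The two raw/PREROUTING rules above, wrapped into a small POSIX sh script as an added example (not code from the thread) with the checks a deployment wants before relying on them: the address is validated before it reaches iptables, the script refuses to run unless net.bridge.bridge-nf-call-iptables is 1 (without br_netfilter, bridged frames never traverse the raw table and the rules match nothing), each rule is restricted with the `-m physdev --physdev-in` match mentioned earlier in the thread so it only applies to frames entering through a bridge port, and `iptables -C` is used before `-A` so re-running the script does not stack duplicate rules. It assumes a bridge named br0 whose ports are listed under /sys/class/net/br0/brif, iptables on PATH and the physdev match available; the BRIDGE and IPT variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): drop traffic from or to an address or
# subnet on a Linux bridge via raw/PREROUTING, limited to the bridge ports.
# Assumed: bridge br0 with ports under /sys/class/net/br0/brif, iptables on
# PATH, physdev match available. BRIDGE, IPT and function names are ours.

BRIDGE="${BRIDGE:-br0}"
IPT="${IPT:-iptables}"

# Bridged frames reach iptables only when br_netfilter is loaded and
# net.bridge.bridge-nf-call-iptables=1; otherwise the raw-table rules below
# are installed but never see a bridged packet.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Ports enslaved to the bridge, one sysfs directory entry per port.
bridge_ports() {
    ls "/sys/class/net/$BRIDGE/brif" 2>/dev/null
}

# Accept a dotted quad with an optional /prefix and nothing else, so a typo
# or stray shell metacharacter never reaches iptables. 0 = valid, 1 = not.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no "/": a single host
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    for o in $ip; do
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Print one rule per (port, direction): drop frames entering the bridge via
# that port whose source or destination is $1. $1 = address, $2.. = ports.
plan_rules() {
    addr=$1; shift
    for port in "$@"; do
        printf '%s\n' "-t raw -A PREROUTING -m physdev --physdev-in $port -s $addr -j DROP"
        printf '%s\n' "-t raw -A PREROUTING -m physdev --physdev-in $port -d $addr -j DROP"
    done
}

# Install the planned rules idempotently: -C tests for an identical rule
# before -A appends it, so re-running the script adds nothing twice.
apply_rules() {
    plan_rules "$@" | while IFS= read -r spec; do
        check=$(printf '%s' "$spec" | sed 's/ -A / -C /')
        # shellcheck disable=SC2086   # word splitting of $spec is intended
        if $IPT $check </dev/null >/dev/null 2>&1; then
            echo "present: $IPT $spec"
        else
            $IPT $spec </dev/null
        fi
    done
}

# Entry point: validate the address, confirm bridged traffic is visible to
# iptables at all, then block it on every port of the bridge.
block_on_bridge() {
    valid_cidr "$1" || { echo "invalid address/CIDR: $1" >&2; return 2; }
    bridge_nf_enabled || {
        echo "net.bridge.bridge-nf-call-iptables is not 1; bridged traffic would bypass these rules" >&2
        return 3
    }
    ports=$(bridge_ports)
    [ -n "$ports" ] || { echo "no ports found on $BRIDGE" >&2; return 4; }
    # shellcheck disable=SC2086
    apply_rules "$1" $ports
}

# Usage (as root): sh block_on_bridge.sh 172.27.0.111   or   ... 172.27.0.0/24
if [ -n "${1:-}" ]; then
    block_on_bridge "$1"
fi
```

Setting `IPT=echo` prints the rules instead of installing them, which is a convenient way to review the plan on a box before touching its tables. The `--physdev-in` match is what keeps these rules from also matching the box's own traffic on interfaces that are not bridge ports, which the plain `-s`/`-d` rules above would do.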


writes:

> I did not however know about '-m physdev --physdev-in'
> That may be the ticket! 8-)
> Will report...
> ET
>
>
> Michael Butash writes:
>
>> I was curious too as usually not ever doing bridging within linux, and
>> not to be an arse, but googling "iptables bridge filter" for you seemed
>> to turn up interesting results first:
>>
>> http://serverfault.com/questions/607224/iptables-matching-packets-for-bridged-interface
>>
>> I never knew about ebtables myself, so great question none the less.
>>
>> -mb
>>
>>
>>
>> On 12/23/2015 01:20 AM, wrote:
>>> Hello there...
>>> I have a 2-nics Linux box configured as a bridge 'br0'.
>>> World comes in via either nic (eth0 or eth1) and network is fed via the
>>> other nic (eth1 or eth0 depending on above, should be irrelevant).
>>> I have a non trivial question and PLEASE avoid the 'use iptables' answer
>>> unless you know what rule to apply to which chain and on which interface
>>> (eth0/eth1/br0).
>>> Non trivial question is:
>>> How do I block specific IP addresses/networks from traversing the
>>> bridge?
>>> Or in other words:
>>> I want all connections from a particular address/subnet to be DROP(ed)
>>> in that bridge.
>>> Neither FORWARD nor INPUT will catch the packet in br0 because it is
>>> neither addressed to the box nor NAT(ed), and apparently neither eth0
>>> nor eth1 will hand packets to netfilter.
>>> Thanks.
>>> ET
>>> PS: Merry Xmas to all... :)
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
