How to block trafic on a bridge interface?

[kitepilot at kitepilot.com]

I did not however know about '-m physdev --physdev-in'
That may be the ticket!   8-)
Will report...
ET 


Michael Butash writes: 

> I was curious too as usually not ever doing bridging within linux, and not 
> to be an arse, but googling "iptables bridge filter" for you seemed to 
> turn up interesting results first: 
> 
> http://serverfault.com/questions/607224/iptables-matching-packets-for-brid 
> ged-interface 
> 
> I never knew about ebtables myself, so great question none the less. 
> 
> -mb 
> 
>  
> 
> On 12/23/2015 01:20 AM, kitepilot at kitepilot.com wrote:
>> Hello there...
>> I have a 2-nics Linux box configured as a bridge 'br0'.
>> World comes in via either nic (eth0 or eth1) and network is fed via the 
>> other nic (eth1 or eth0 depending on above, should be irrelevant).
>> I have a non trivial question and PLEASE avoid the 'use iptables' answer 
>> unless you know what rule to apply to which chain and on which interface 
>> (eth0/eth1/br0).
>> Non trivial question is:
>> How do I block specific IP addresses/networks from traversing the bridge?
>> Or in other words:
>> I want all connections from a particular address/subnet to be DROP(ed) in 
>> that bridge.
>> Neither FORWARD nor INPUT will catch the packet in br0 because it is 
>> neither addressed to the box not NAT(ed), and apparently neither eth0 nor 
>> eth1 will hand packets to netfilter.
>> Thanks.
>> ET
>> PS: Merry Xmas to all...   :)
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss