How to block traffic on a bridge interface?

kitepilot at kitepilot.com
Wed Dec 23 11:47:35 MST 2015


Well...
This seems to work:
iptables -t raw -A PREROUTING -d 172.27.0.111 -j DROP
iptables -t raw -A PREROUTING -s 172.27.0.111 -j DROP
So far...
ET 


kitepilot at kitepilot.com writes: 

> I did not however know about '-m physdev --physdev-in'
> That may be the ticket!   8-)
> Will report...
> ET  
> 
> 
> Michael Butash writes:  
> 
>> I was curious too as usually not ever doing bridging within linux, and 
>> not to be an arse, but googling "iptables bridge filter" for you seemed 
>> to turn up interesting results first:  
>> 
>> http://serverfault.com/questions/607224/iptables-matching-packets-for-bridged-interface
>> 
>> I never knew about ebtables myself, so great question nonetheless.  
>> 
>> -mb  
>> 
>>   
>> 
>> On 12/23/2015 01:20 AM, kitepilot at kitepilot.com wrote:
>>> Hello there...
>>> I have a 2-nics Linux box configured as a bridge 'br0'.
>>> World comes in via either nic (eth0 or eth1) and network is fed via the 
>>> other nic (eth1 or eth0 depending on above, should be irrelevant).
>>> I have a non-trivial question and PLEASE avoid the 'use iptables' answer 
>>> unless you know what rule to apply to which chain and on which interface 
>>> (eth0/eth1/br0).
>>> Non-trivial question is:
>>> How do I block specific IP addresses/networks from traversing the 
>>> bridge?
>>> Or in other words:
>>> I want all connections from a particular address/subnet to be DROP(ed) 
>>> in that bridge.
>>> Neither FORWARD nor INPUT will catch the packet in br0 because it is 
>>> neither addressed to the box nor NAT(ed), and apparently neither eth0 
>>> nor eth1 will hand packets to netfilter.
>>> Thanks.
>>> ET
>>> PS: Merry Xmas to all...   :)
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>> 
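As an added example (not from any poster in the thread), a small POSIX sh helper that validates the address, then emits the raw PREROUTING rules ET settled on and the `-m physdev --physdev-in` variant from the linked answer, so the rules can be reviewed before they are applied. It assumes the bridge is br0 with members eth0/eth1 and the address 172.27.0.111 as quoted in the reply; note that iptables only sees bridged IPv4 frames at all when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1, otherwise ebtables is the tool.

```shell
# Added example, not code from the thread. Emits iptables rules for blocking
# an address or CIDR across a Linux bridge; pipe the output to sh to apply.

# Accept only a dotted-quad host or a /0-/32 CIDR so a bad value cannot
# smuggle extra shell words into the generated rule lines.
valid_ipv4_or_cidr() {
    printf '%s\n' "$1" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Rules from ET's reply: drop the address in both directions in the raw
# table's PREROUTING chain, which bridged traffic traverses once
# bridge-nf-call-iptables is enabled.
bridge_block_rules() {
    addr="$1"
    valid_ipv4_or_cidr "$addr" || return 1
    printf '%s\n' \
      "iptables -t raw -A PREROUTING -d $addr -j DROP" \
      "iptables -t raw -A PREROUTING -s $addr -j DROP"
}

# Variant limited to frames that entered through one named bridge port
# (e.g. eth0), using the physdev match from the serverfault link; bridged
# frames pass iptables' FORWARD chain when br_netfilter is active.
bridge_block_rules_physdev() {
    addr="$1"; port="$2"
    valid_ipv4_or_cidr "$addr" || return 1
    printf '%s\n' \
      "iptables -A FORWARD -m physdev --physdev-in $port -s $addr -j DROP" \
      "iptables -A FORWARD -m physdev --physdev-in $port -d $addr -j DROP"
}

# Returns 0 when bridged IPv4 is being handed to iptables on this host.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}
```

Run `bridge_block_rules 172.27.0.111` to print the two rules, or `bridge_nf_enabled || echo 'load br_netfilter first'` to check the prerequisite before applying them.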

