Iptables: Matching packets leaving a bridged interface

Iptables: Matching packets leaving a bridged interface

[Jamie Cockburn]

Apologies if you've already seen this over on serverfault or stackoverflow, but it's been on there for several days now, and I've had absolutely no traction...

I'm building a firewall configuration tool based on iptables, and trying to get a "bump in the wire" scenario working.

Given a setup with eth0 and eth1 in a bridge br0 and a third interface eth2.

In this scenario, lets say I want TCP port 80 traffic to be dropped if it is going to the network attached to eth0, but allow it to eth1.

I am therefore trying to reliably match packets that go out over the specific interface eth0.

If I add the following iptables rule in the filter table:

    -A FORWARD -o br0 --physdev-out eth0 -j LOG

Given a packet that originates from eth1 (the other half of the bridge), then the rule matches just fine, logging:

    ... IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 ...

However if the packet origniates from eth2, then the rule no longer matches.

I appears that the routing algorithm can't determine which of the bridged interfaces to choose, so the packet is sent out over both interfaces in the bridge.

If I add another more promiscuous log rule, then I get the following log output for that packet:

    ... IN=eth2 OUT=br0 ...

My guess is that in the first case, the routing algorithm can just choose the other interface on the bridge since that packet shouldn't go out the way it came.  In the second case, it hasn't chosen a specific interface and you then get no physdev information at all!

However, if the bridge has learned the destination MAC address (as shown by `brctl showmacs br0`) then it can determine the correct interface, and you get physdev informatino again.

(There is also a third case: where the bridge comprises three interfaces that this seems to apply to , then it still can't establish a single interface to send the packet on just be excluding the source interface.)

So, the question is, how can I reliably match packets the go out over eth0 regardless?

Given the example I gave at the start, it is not enough to just match packets that will be routed out over multiple interfaces, one of which is eth0 (though that would be useful in other scenarios). I want to be able to treat the traffic for eth0 and eth1 differently, allowing the traffic to eth1, but not eth0.

Re: Iptables: Matching packets leaving a bridged interface

[Pascal Hambourg]

Hello,

Jamie Cockburn a écrit :
> 
> Given a setup with eth0 and eth1 in a bridge br0 and a third interface eth2.
> 
> In this scenario, lets say I want TCP port 80 traffic to be dropped if it is going to the network attached to eth0, but allow it to eth1.
> 
> I am therefore trying to reliably match packets that go out over the specific interface eth0.
> 
> If I add the following iptables rule in the filter table:
> 
>     -A FORWARD -o br0 --physdev-out eth0 -j LOG
> 
> Given a packet that originates from eth1 (the other half of the bridge), then the rule matches just fine, logging:
> 
>     ... IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 ...
> 
> However if the packet origniates from eth2, then the rule no longer matches.

Because the packet is not bridged, as eth2 is not part of the bridge. So
 it won't follow the FORWARD bridging path but the FORWARD IP routing path.

See the packet flow diagram in <http://en.wikipedia.org/wiki/Netfilter>.
According to it, the packet will enter the bridging OUTPUT path only
after the last iptables chain was traversed.

I'm afraid you only option to deal with that case is to use ebtables
filtering in the OUTPUT chain.

RE: Iptables: Matching packets leaving a bridged interface

[Jamie Cockburn]

Pascal!

Thanks for getting back to me.  Very helpful information!

Pascal Hambourg wrote:
> Because the packet is not bridged, as eth2 is not part of the bridge. So  it won't follow the FORWARD bridging path but the FORWARD IP routing path.
>
> See the packet flow diagram in <http://en.wikipedia.org/wiki/Netfilter>.

I think I follow... So based on the diagram, my packet is initially hitting "bridge check", heading along the green "network layer" path, hitting "routing decision", and dropping down into the blue "link layer" path.  Hence, until it gets to ebtables -> nat -> output, it's not gone anywhere near the bridging mechanism, so has never has PHYSOUT set.

Couple of follow-up question then!

1: Do you know if by the time it reaches ebtables -> filter -> output that the packet will have a PHYSOUT (or equivalent) set?

2: Will I be able to differentiate between packets for eth0 and eth1 (when the bridge doesn't know which specific interface it should send it on).

Now I need to complicate my original scenario...say I want to drop packets the originate from eth2 (the non-bridged interface) and will egress on eth0.

3: I'm guessing that by the time the packet hits ebtables -> filter -> output, that it will have lost its IN/PHYSIN?

4: If that is the case, would something like this work:
      - In iptables -> filter: -A FORWARD -i eth2 -o br0 -j MARK --set-mark 1234
      - In ebtable -> filter: -A OUTPUT -physdev-out eth0 --m mark --mark 1234 -j DROP

Jamie

-----Original Message-----
From: Pascal Hambourg [mailto:pascal@plouf.fr.eu.org] 
Sent: 25 June 2014 10:58
To: Jamie Cockburn
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables: Matching packets leaving a bridged interface

Hello,

Jamie Cockburn a écrit :
> 
> Given a setup with eth0 and eth1 in a bridge br0 and a third interface eth2.
> 
> In this scenario, lets say I want TCP port 80 traffic to be dropped if it is going to the network attached to eth0, but allow it to eth1.
> 
> I am therefore trying to reliably match packets that go out over the specific interface eth0.
> 
> If I add the following iptables rule in the filter table:
> 
>     -A FORWARD -o br0 --physdev-out eth0 -j LOG
> 
> Given a packet that originates from eth1 (the other half of the bridge), then the rule matches just fine, logging:
> 
>     ... IN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 ...
> 
> However if the packet origniates from eth2, then the rule no longer matches.
Report this message as spam http://joey.alba.local/quarantine/notifications/reportspam/message/1813852/check/9da66caf713bf11249ee4bc6db23fa2f

Re: Iptables: Matching packets leaving a bridged interface

[Pascal Hambourg]

Jamie Cockburn a écrit :
> 
> Couple of follow-up question then!

All the answers (and much more) are in the ebtables manpage.

> 1: Do you know if by the time it reaches ebtables -> filter -> output that the packet will have a PHYSOUT (or equivalent) set?

Yes. See man ebtables, -o.

> 2: Will I be able to differentiate between packets for eth0 and eth1 (when the bridge doesn't know which specific interface it should send it on).

Yes. The bridge knows where it sends packets.

> 3: I'm guessing that by the time the packet hits ebtables -> filter -> output, that it will have lost its IN/PHYSIN?

Yes. See man ebtables, -i.

> 4: If that is the case, would something like this work:
>       - In iptables -> filter: -A FORWARD -i eth2 -o br0 -j MARK --set-mark 1234
>       - In ebtable -> filter: -A OUTPUT -physdev-out eth0 --m mark --mark 1234 -j DROP

Yes. See man ebtables, mark.

RE: Iptables: Matching packets leaving a bridged interface

[Jamie Cockburn]

Thanks for all your help, I think with your advice I can progress with this problem now.  

I've added the information you provided to the stackoverflow question in case anybody else meets with a similar problem in future:
http://stackoverflow.com/questions/24397358/iptables-matching-packets-leaving-a-bridged-interface