* "PHYSDEV match --physdev-is-bridged" problems
@ 2016-09-29 17:22 Thomas Stein
From: Thomas Stein @ 2016-09-29 17:22 UTC (permalink / raw)
To: netfilter
Hi Netfilter.
I'm facing a problem with setting up an iptables ruleset on a machine
with a bridged interface.
hn2 ~ # brctl show
bridge name bridge id STP enabled interfaces
br0 8000.001e67d35bee no eth0
one-259-0
hn2 ~ #
What I'm trying to accomplish is to firewall the interface one-259-0. But
no matter what I try, there is no traffic
filtered. It goes straight through. The effect stays the same with or
without:
hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
hn2 ~ # cat /proc/sys/net/bridge/bridge-nf-call-arptables
1
hn2 ~ #
Here is the running ruleset. I hope someone can point me in the right
direction.
hn2 ~ # iptables -nvL
Chain INPUT (policy ACCEPT 1003 packets, 86232 bytes)
pkts bytes target prot opt in out source destination
6792 390K ACCEPT tcp -- * * nice.ip.yeah.right 0.0.0.0/0 tcp dpts:5900:6999
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5900:6999

Chain FORWARD (policy ACCEPT 435K packets, 472M bytes)
pkts bytes target prot opt in out source destination
59 3323 opennebula all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
11975 685K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 877 packets, 141K bytes)
pkts bytes target prot opt in out source destination

Chain one-259-0-i (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443
58 2944 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain one-259-0-o (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! 02:00:2E:04:94:D8
1 379 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set one-259-0-ip-spoofing src
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain opennebula (1 references)
pkts bytes target prot opt in out source destination
1 379 one-259-0-o all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in one-259-0 --physdev-is-bridged
58 2944 one-259-0-i all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
hn2 ~ #
Just to sum that up: I just want traffic on ports 22 and 443 passed to
the bridge member one-259-0. But at the moment I can connect to port 80
fine.
thanks and cheers
t.
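The packet counters in the listing above are the only evidence of where bridged traffic actually goes, and reading them by hand is error-prone. As an added example (not code from the thread), here is a small Python parser for `iptables -nvL` output that sums the jump counters into each user-defined chain, lists every rule that has never matched, and compares the packets that took the PHYSDEV jump out of FORWARD with those that fell through to its policy. The embedded SAMPLE is the FORWARD and OpenNebula chains from the mail above joined back onto single lines (INPUT and OUTPUT omitted); the function names are my own.

```python
"""Read `iptables -nvL` counters to see which chains and rules traffic really
reaches, the exercise the thread does by hand.  Added example, not the poster's
code; SAMPLE is the mail's FORWARD/OpenNebula chains joined onto single lines."""
import re
from typing import Dict, List, Tuple

# Built-in chains carry a policy and its counters; user chains a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+) (\S+) packets.*|\d+ references)\)$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def to_count(token: str) -> int:
    """'390K' -> 390000; iptables abbreviates counters unless run with -x."""
    return int(token[:-1]) * SUFFIX[token[-1]] if token[-1] in SUFFIX else int(token)


def parse_iptables_nvl(text: str) -> Dict[str, dict]:
    """{chain: {'policy': name or None, 'policy_pkts': n, 'rules': [(pkts, target, match_text)]}}"""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("pkts bytes"):
            continue
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            current = chains[m.group(1)] = {
                "policy": policy, "policy_pkts": to_count(m.group(3)) if policy else 0, "rules": []}
            continue
        # columns: pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        if current is not None and len(parts) >= 9:
            current["rules"].append((to_count(parts[0]), parts[2],
                                     parts[9].strip() if len(parts) == 10 else ""))
    return chains


def jump_hits(chains: Dict[str, dict]) -> Dict[str, int]:
    """Packets that entered each user-defined chain, summed over every jump to it."""
    hits = {n: 0 for n, c in chains.items() if c["policy"] is None}
    for chain in chains.values():
        for pkts, target, _ in chain["rules"]:
            if target in hits:
                hits[target] += pkts
    return hits


def zero_hit_rules(chains: Dict[str, dict]) -> List[Tuple[str, int, str, str]]:
    """(chain, 1-based rule index, target, match text) for rules that never matched."""
    return [(name, i, target, extra) for name, c in chains.items()
            for i, (pkts, target, extra) in enumerate(c["rules"], 1) if pkts == 0]


def bridged_share(chains: Dict[str, dict], forward: str = "FORWARD") -> Tuple[int, int]:
    """(packets that took a PHYSDEV jump out of FORWARD, packets that fell through to
    its policy); a large second number means most forwarded traffic never reached
    the per-interface chains at all."""
    fwd = chains[forward]
    return sum(p for p, _, extra in fwd["rules"] if "PHYSDEV" in extra), fwd["policy_pkts"]


# Listing from the mail above, INPUT and OUTPUT chains omitted.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 435K packets, 472M bytes)
pkts bytes target prot opt in out source destination
59 3323 opennebula all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged
11975 685K LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 0 level 4

Chain one-259-0-i (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443
58 2944 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain one-259-0-o (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! 02:00:2E:04:94:D8
1 379 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set one-259-0-ip-spoofing src
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain opennebula (1 references)
pkts bytes target prot opt in out source destination
1 379 one-259-0-o all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in one-259-0 --physdev-is-bridged
58 2944 one-259-0-i all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out one-259-0 --physdev-is-bridged
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
"""

if __name__ == "__main__":
    chains = parse_iptables_nvl(SAMPLE)
    print("entered:", jump_hits(chains), "physdev jumps vs FORWARD policy:", bridged_share(chains))
    for chain, idx, target, extra in zero_hit_rules(chains):
        print(f"never matched: {chain} #{idx} {target} {extra}")
```

On the listing above it reports that 59 packets took the `--physdev-is-bridged` jump while 435K packets fell through to the FORWARD policy, which is "it goes straight through" expressed in numbers: almost nothing reaching FORWARD is being classified as bridged by the physdev match, so the per-interface chains never get a chance to drop it. Running it against the output of `iptables -nvL -x` on the host (exact counters, no K/M suffixes) gives the same report for live rules.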
* Re: "PHYSDEV match --physdev-is-bridged" problems
From: Thomas Stein @ 2016-09-30 9:08 UTC (permalink / raw)
To: netfilter
On 29.09.16 at 19:22, Thomas Stein wrote:
> Hi Netfilter.
>
> I'm facing a problem with setting up an iptables ruleset on a machine
> with a bridged interface.
The problem seems to be the output chain. There is no traffic going through this chain.
Chain one-261-0-i (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
26 1040 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
1 40 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443
681 45938 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain one-261-0-o (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 MAC ! 02:00:2E:04:94:D8
0 0 ACCEPT udp -- * * 0.0.0.0 255.255.255.255 udp spt:68 dpt:67
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ! match-set one-261-0-ip-spoofing src
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain opennebula (1 references)
pkts bytes target prot opt in out source destination
0 0 one-261-0-o all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in one-261-0 --physdev-is-bridged
708 47018 one-261-0-i all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out one-261-0 --physdev-is-bridged
256 11248 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
I have to admit my knowledge regarding this is very limited. Does someone have an idea how to debug this further?
thanks and cheers
t.