IPTables interface switch (-i ethx) problem w/ bridge-Firewall
I've been using Slackware Linux for Bridge-Firewalls for a long time with the 2.4.xx family and Netfilter up to date.
My problem began when I started using 2.6.xx. Now I'm using 2.6.24, with netfilter POM-ng patches enabled and iptables 1.4.0. Everything works just fine as usual except that my iptables ruleset that includes physical interfaces are not working anymore. I mean, rules like:
0 0 MARK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
If I don't use the interface switch (-i eth0) or just put the logical bridge interface br0, it works just fine. But if I try to use -i eth0 or -i eth1, etc., the rule just never matches, even on the filter INPUT chain.
Am I missing something? I re-read the Bridge-Firewalling HOWTO and many other documents, but didn't find anything related to this issue. Should I forget iptables in a bridge-firewall for this purpose and just begin using ebtables instead?
Thank you all very much and sorry if I didn't put enough information about my problem here. If so, please, just ask me!
Once you have bridged devices, the packets are marked as associated with that bridge when they hit iptables. You cannot tell which interface they came from. Only at a lower level (eg. ebtables) can you handle that.
Thanks very much for your fast reply, Matir. But the fact is that with 2.4.xx Kernel, it works perfectly. That's why I'm confused. I still have several 2.4.xx Bridge Firewalls and the ruleset with the -i switch works 100%. Just with the 2.6.xx kernel, it stopped.
Thanks again!
Quote:
Originally Posted by Matir
Once you have bridged devices, the packets are marked as associated with that bridge when they hit iptables. You cannot tell which interface they came from. Only at a lower level (eg. ebtables) can you handle that.
I just found the answer to my question. Reading a lot of new documentation about bridging I saw that the 2.6.x kernel with the newest netfilter code has a new feature for physical interfaces called "physdev". I have to use it instead of the -i iptables switch.
The Physdev packet matching matches against the physical bridge ports the IP packet arrived on or will leave by. Example:
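As an added illustration (not part of the thread above), the following script rewrites 2.4-era bridge-firewall rules that match physical ports with -i/-o into the physdev form a 2.6 kernel needs, leaving matches on the logical bridge (br0 here) untouched; the rule strings and interface names are constructed for this example.

```shell
#!/bin/sh
# Added example: convert a single iptables rule so that -i/-o on a
# physical bridge port becomes "-m physdev --physdev-in/--physdev-out".
# Matches on the logical bridge interface itself (default br0) are kept,
# because -i br0 still works with iptables on a bridge.
# Note: --physdev-out only applies where the outgoing port is already
# known, i.e. in the FORWARD, OUTPUT and POSTROUTING chains.
physdev_rule() {
    printf '%s\n' "$1" | awk -v br="${2:-br0}" '
    {
        out = ""
        added = 0
        for (i = 1; i <= NF; i++) {
            if (($i == "-i" || $i == "-o") && i < NF && $(i+1) != br) {
                # -i becomes --physdev-in, -o becomes --physdev-out
                opt = ($i == "-i") ? "--physdev-in" : "--physdev-out"
                # load the physdev match module once per rule
                if (!added) { out = out "-m physdev "; added = 1 }
                out = out opt " " $(i+1) " "
                i++
            } else {
                out = out $i " "
            }
        }
        sub(/ $/, "", out)
        print out
    }'
}

# Convert a whole ruleset read from stdin, one rule per line
# (the format "iptables-save" prints), writing the converted rules.
physdev_ruleset() {
    while IFS= read -r line; do
        physdev_rule "$line" "$1"
    done
}

# Constructed sample ruleset mirroring the MARK rule from the thread:
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' \
        '-A PREROUTING -i eth0 -j MARK --set-mark 1' \
        '-A FORWARD -i eth0 -o eth1 -j ACCEPT' \
        '-A INPUT -i br0 -j ACCEPT' | physdev_ruleset br0
fi
```

Run with `sh script.sh demo` to see the converted sample rules; the rules are printed, not applied, so they can be reviewed before being loaded.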