Hi Everyone,

Can someone please help me with what rules I need to use to only allow traffic between 2 interfaces (which are part of a linux bridge) using ebtables?

So let's say I have if0, if1, if2. I want if1 to communicate with if0. I also want if2 to be able to communicate with if0. But I don't want if1 and if2 to communicate with each other.

Thanks

Take a look on "man iptables"
You can find there:
physdev
This module matches on the bridge port input and output devices enslaved to a bridge
device. This module is a part of the infrastructure that enables a transparent bridging IP
firewall and is only useful for kernel versions above version 2.5.44.

[!] --physdev-in name
Name of a bridge port via which a packet is received (only for packets entering the
INPUT, FORWARD and PREROUTING chains). If the interface name ends in a "+", then
any interface which begins with this name will match. If the packet didn't arrive
through a bridge device, this packet won't match this option, unless '!' is used.

[!] --physdev-out name
Name of a bridge port via which a packet is going to be sent (for packets entering
the FORWARD, OUTPUT and POSTROUTING chains). If the interface name ends in a "+",
then any interface which begins with this name will match. Note that in the nat and
mangle OUTPUT chains one cannot match on the bridge output port, however one can in
the filter OUTPUT chain. If the packet won't leave by a bridge device or if it is
yet unknown what the output device will be, then the packet won't match this
option, unless '!' is used.

[!] --physdev-is-in
Matches if the packet has entered through a bridge interface.

[!] --physdev-is-out
Matches if the packet will leave through a bridge interface.

[!] --physdev-is-bridged
Matches if the packet is being bridged and therefore is not being routed. This is
only useful in the FORWARD and POSTROUTING chains.

There is also this section taken from the ebtables manual