HomeForumsLinux SupportNetworking

iptables, bridging and inside-/outside-issue

Feb 02, 2011  By azzid
 in

After reading through the article series by Mick Bauer regarding transparent firewalls I got a bit inspired to try for myself.

I've installed ubuntu onto a machine with 3 network interfaces, and bridged these three interfaces to one common bridge.

I've copied the iptables-script from part V in the series, but re-written it due to the fact that I in my installation will be unable to sort traffic based on ip.

I will not know which addresses will be used on either side of the firewall, so I'll have to sort my traffic on some other variable.

I was thinking that I could sort the traffic based on PHYSIN and PHYSOUT in iptables, but -i and -o does not seem to do that.

As an example I've created the following rule:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

But I still get the following in my kernel log:
floyd kernel: [269519.979985] Dropped by default (FORWARD): IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.113 DST=74.125.79.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31771 DF PROTO=TCP SPT=35727 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Which as far as I can figure should be allowed by the rule.

What can I do to sort the traffic based on the physical interface?

‹ Specific DHCP config ssh tunnel to http which redirects to https failure ›

Found it!

azzid's picture
Submitted by azzid on Wed, 02/02/2011 - 16:25.

iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -p tcp --dport 80 -j ACCEPT

Worked alot better! =D

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState