iptables, bridging and inside-/outside-issue

After reading through the article series by Mick Bauer regarding transparent firewalls I got a bit inspired to try for myself.

I've installed ubuntu onto a machine with 3 network interfaces, and bridged these three interfaces to one common bridge.

I've copied the iptables-script from part V in the series, but re-written it due to the fact that I in my installation will be unable to sort traffic based on ip.

I will not know which addresses will be used on either side of the firewall, so I'll have to sort my traffic on some other variable.

I was thinking that I could sort the traffic based on PHYSIN and PHYSOUT in iptables, but -i and -o does not seem to do that.

As an example I've created the following rule:
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

But I still get the following in my kernel log:
floyd kernel: [269519.979985] Dropped by default (FORWARD): IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=10.0.0.113 DST=74.125.79.102 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31771 DF PROTO=TCP SPT=35727 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Which as far as I can figure should be allowed by the rule.

What can I do to sort the traffic based on the physical interface?

Found it!

azzid's picture

iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -p tcp --dport 80 -j ACCEPT

Worked alot better! =D

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState