[Gllug] Iptables with bridge
Peter Joanes
pjoanes at hotmail.com
Tue Jun 21 22:10:45 UTC 2005
On Tuesday 21 June 2005 20:09, Chris Bell wrote:
> I can ping the box from any external box with ip address nn.nn.nn.nn if
> the INPUT policy is DROP as long as I include the rule
> ...
> # iptables -A INPUT -i br0 -s nn.nn.nn.nn -j ACCEPT
> but not if I specify a restriction on the ethernet interface as in
> # iptables -A INPUT -i eth0 -s nn.nn.nn.nn -j ACCEPT
This is because the network interface that the incoming packets 'enter' is br0
because that is the interface that has the address assigned to it.
The bridging operates at a different level from that of IP addresses, so the
individual ethernet interfaces aren't relevant there (although recent kernels
can filter through traffic with iptables rules).
It's normal for the ethernet interfaces to be shown as 'UP', but they can't be
given IP addresses whilst part of the bridge. Here's how mine look:
# ip addr ls
1: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:81:28:c9:57 brd ff:ff:ff:ff:ff:ff
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:81:28:c7:b4 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:81:28:c7:b5 brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:e0:81:28:c7:b4 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
- Pete.
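A ruleset that applies the point Pete makes (an example added to this archive page, not his own configuration or Chris's): the INPUT rule names br0, since that is where locally delivered packets enter, and the physdev match, which exists for exactly this case, restores the per-port restriction that `-i eth0` cannot express. The interface names, the peer address 192.0.2.10 and the `run` wrapper are assumptions; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Constructed example: a host whose address lives on br0, with eth0 (and
# other NICs) enslaved to the bridge. Names and addresses are placeholders.
BR="${BR:-br0}"
PORT="${PORT:-eth0}"       # physical bridge port the trusted peer hangs off
PEER="${PEER:-192.0.2.10}" # constructed address standing in for nn.nn.nn.nn

# Wrapper so the rules can be reviewed without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

bridge_input_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets for this host arrive on the bridge device, never on the member
    # NIC, so -i must be br0. To also pin the rule to the physical port, use
    # the physdev match, which records the bridge port a frame came in on.
    # On newer kernels this needs br_netfilter loaded and
    # net.bridge.bridge-nf-call-iptables=1, otherwise the match never fires.
    run iptables -A INPUT -i "$BR" -m physdev --physdev-in "$PORT" \
        -s "$PEER" -p icmp --icmp-type echo-request -j ACCEPT
}

# Traffic bridged between ports does not pass INPUT at all; it traverses
# FORWARD, so port-to-port policy belongs there.
bridge_forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$PORT" -j ACCEPT
}

# Only apply when explicitly asked: ./bridge-fw.sh apply
case "${1:-}" in
    apply) bridge_input_rules; bridge_forward_rules ;;
esac
```

Run with `DRY_RUN=1 sh bridge-fw.sh apply` first and confirm the INPUT rule carries both `-i br0` and `--physdev-in eth0` before applying it to a box you cannot reach at the console.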
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug