
Iptables And Bridge Interface - Filter Forwarded Traffic


I'm trying to set up my Pineapple MK4 (running 2.7.0) to be able to filter certain TCP ports on a bridge interface. I am able to do this same thing on my laptop running Ubuntu 12.04 between two interface cards, but I can't seem to get it to work on the MK4. I realize the below steps are not persistent across a reboot, as this is only a POC I am trying to achieve.

The steps I take on the MK4:

- I edit /etc/sysctl.conf and reboot the MK4 (I read this in another forum and have tried it both ways, with '1' or '0' (the default))

net.bridge.bridge-nf-call-iptables=1

- I create a new bridge and add eth1

brctl addbr br0

ifconfig eth1 0.0.0.0 promisc up

brctl addif br0 eth1

- I delete the Pineapple's existing bridge and add eth0 to the new bridge

ifconfig br-lan down

ifconfig eth0 down

brctl delbr br-lan

ifconfig eth0 0.0.0.0 promisc up

brctl addif br0 eth0

- I bring up the bridge

ifconfig br0 192.168.1.1 netmask 255.255.255.0 up

At this point traffic goes through the bridge between eth0 and eth1 (which is good) but I want to be able to filter the forwarding traffic via iptables.

- So I add this to iptables

Flush the tables:

iptables -X

iptables -F

Add the filter:

iptables -A FORWARD -p tcp --dport 80 -j DROP

But it still continues to forward port 80 (or any port I put in).

I have also tried

iptables -A FORWARD -j DROP

and it still continues to forward everything.

If I do this on INPUT or OUTPUT it does work as I expect it to. What am I missing? I understand that a bridge is layer 2 while iptables is layer 3, but I have read that "bridge-nf-call" (I have no idea what I am talking about) takes care of this. Do I need to install additional iptables packages, maybe?

Thanks in advance for any advice you may have.

magoo


I found out some more information.

Once I edit /etc/sysctl.conf

net.bridge.bridge-nf-call-iptables=1

and run

sysctl -p

I noticed an error:

sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

So after further reading, it appears that even though bridge-nf would do what I need it to do, bridge netfilter support needs to be enabled in the kernel. So I will now be learning how to compile the OpenWrt kernel... <_<

Still seems strange to me that the INPUT and OUTPUT chains work... confusing.

It seems that enabling bridge netfilter support in the kernel has created some performance issues and so it has been disabled by default.
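The reason INPUT and OUTPUT behave differently from FORWARD is that frames addressed to the MK4 itself (for example to 192.168.1.1) leave the bridge and enter the IP stack, so iptables always sees them; frames that are only switched between eth0 and eth1 stay at layer 2 inside the bridge and never reach the FORWARD chain unless bridge netfilter hands them up, which is exactly what the missing bridge-nf-call-iptables key controls. The script below is an added example covering both posts; it is not magoo's code or anything shipped with the Pineapple. It checks for the key before building the bridge and adding the port 80 rule, so the failure mode from the second post is reported up front instead of showing up as a rule that silently matches nothing. The interface names, address and rules are the ones from the first post; the proc-root parameter (so the check can be exercised against a constructed tree), the use of ifconfig/brctl being present, and the br_netfilter module name (kernels 3.18 and later; older kernels either build it into the bridge module or leave it out when CONFIG_BRIDGE_NETFILTER is unset) are assumptions.

```shell
#!/bin/sh
# Added example, not from the forum thread. Checks whether the running kernel
# exposes bridge netfilter before building the bridge from the posts, then adds
# the FORWARD rule. Interface and address values are taken from the post; the
# proc-root parameter and the br_netfilter module name are assumptions.

# Path of the sysctl key the post tries to set. $1 overrides the proc root
# (default /proc) so the check can be exercised against a constructed tree.
bridge_nf_key() {
  printf '%s/sys/net/bridge/bridge-nf-call-iptables\n' "${1:-/proc}"
}

# Succeed (exit 0) only if the kernel exposes bridge netfilter at all.
# "unknown key" from sysctl -p means this file does not exist.
bridge_nf_available() {
  [ -r "$(bridge_nf_key "$1")" ]
}

# Print the current setting ("1" or "0"), or "missing" when unavailable.
bridge_nf_state() {
  key=$(bridge_nf_key "$1")
  if [ -r "$key" ]; then cat "$key"; else echo missing; fi
}

# Turn bridge-nf-call-iptables on. On kernels 3.18 and later the code lives in
# the br_netfilter module, so try loading it first (assumption; older kernels
# build it into the bridge module or omit it when CONFIG_BRIDGE_NETFILTER is
# unset, which is the situation the second post ran into).
enable_bridge_nf() {
  if ! bridge_nf_available "$1"; then
    modprobe br_netfilter 2>/dev/null || true
  fi
  if bridge_nf_available "$1"; then
    echo 1 > "$(bridge_nf_key "$1")"
    return 0
  fi
  echo "bridge netfilter not available: kernel lacks CONFIG_BRIDGE_NETFILTER" >&2
  return 1
}

# Bridge build from the first post (needs root, brctl and ifconfig); eth0 joins
# br0 after the stock br-lan bridge is torn down.
setup_bridge() {
  brctl addbr br0
  ifconfig eth1 0.0.0.0 promisc up
  brctl addif br0 eth1
  ifconfig br-lan down
  ifconfig eth0 down
  brctl delbr br-lan
  ifconfig eth0 0.0.0.0 promisc up
  brctl addif br0 eth0
  ifconfig br0 192.168.1.1 netmask 255.255.255.0 up
}

# The filter from the post. Flush before deleting chains (-X fails on a
# non-empty user chain), drop bridged TCP/80 in FORWARD, then list the chain
# with counters: the pkts column on the DROP rule only climbs when bridge-nf is
# really handing frames to iptables.
add_forward_filter() {
  iptables -F
  iptables -X
  iptables -A FORWARD -p tcp --dport 80 -j DROP
  iptables -L FORWARD -v -n
}

case "${1:-}" in
  apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    enable_bridge_nf && setup_bridge && add_forward_filter
    ;;
  *)
    echo "bridge-nf-call-iptables: $(bridge_nf_state)"
    ;;
esac
```

Run it with no arguments to see whether the key exists on the device ("missing" is the condition behind the sysctl error in the second post); run it as root with `apply` to build the bridge and install the rule only after the check passes. Watching the packet counter on the DROP rule from a client sending HTTP through the bridge is the quickest way to confirm that bridge netfilter is really in the path rather than trusting that the rule was accepted.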

