iptables on bridged interface

Our iptables is not working correctly on a bridge interface.

We have 2 NICs, named eth0 and eth1.

netfilter is enabled on the interface:


[root@24 ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296



185.9.156.2 and 178.20.225.235 must be blocked and dropped by iptables, but their traffic passes to the destination server:
[root@24 ~]# iptables -vL
Chain INPUT (policy ACCEPT 23375 packets, 1769K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 50302 packets, 6657K bytes)
 pkts bytes target     prot opt in     out     source               destination
 2026  154K firewall   icmp --  any    any     anywhere             13.156.9.185.salay.com.tr
    3   120 firewall   tcp  --  any    any     anywhere             13.156.9.185.salay.com.tr tcp flags:FIN,SYN,RST,ACK/SYN
 1354 59434 firewall   udp  --  any    any     anywhere             13.156.9.185.salay.com.tr
 1350  113K DROP       all  --  any    any     2.156.9.185.salay.com.tr  anywhere

Chain OUTPUT (policy ACCEPT 134 packets, 20840 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain firewall (3 references)
 pkts bytes target     prot opt in     out     source               destination
 3383  214K LOG        all  --  any    any     anywhere             anywhere            LOG level info prefix `Firewall:'
    0     0 DROP       all  --  any    any     178.20.225.235.salay.com.tr  anywhere


FireBallIT asked:

savone commented:
You have not received an answer because your question is unclear.

Please try to explain again, with as much detail as possible. If you are unsure of the technical terms, try explaining what you are trying to do.
Steve Bink commented:
Based on your description, I'm understanding that you want to make sure traffic originating at 2.156.9.185.salay.com.tr or 178.20.225.235.salay.com.tr is not routed through this device. Can you post the raw rules? (iptables -S)

The biggest thing I see here is that you have used DNS names for matching.  AFAIK, you need the IP addresses.  Try changing the rule to reflect the actual IP.

Also, note that as your rules are written, all traffic from 2.156.9.185.salay.com.tr will be dropped.  However, traffic originating at 178.20.225.235.salay.com.tr will only be dropped if it is destined for 13.156.9.185.salay.com.tr.  Is that intentional?
noci (Software Engineer) commented:
The DNS names come from using iptables -vL; that should have been either iptables -S or iptables -nvL.
The DNS names might obfuscate the right IP addresses, so please update the output.

Then what you want to describe doesn't fit the rules...
The correct term for what you do is build a transparent firewall using netfilter bridging.
On recent kernels you also need modprobe br_netfilter to actually load the netfilter stuff.

The rules for your description should have been:
# disallow traffic from devices
iptables -I FORWARD -s 185.9.156.2 -j DROP
iptables -I FORWARD -s 178.20.225.235 -j DROP
# disallow any traffic to devices.
iptables -I FORWARD -d 185.9.156.2 -j DROP
iptables -I FORWARD -d 178.20.225.235 -j DROP

Also drop the line allowing IPv6 if you don't plan on IPv6 yet:
net.bridge.bridge-nf-call-ip6tables = 1
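The thread's disagreement about why 178.20.225.235 still gets through is easiest to settle by tracing a packet through the FORWARD chain the way netfilter does: rules in order, LOG non-terminating, a jump into the user chain and a fall-through back when that chain ends without a verdict. The Python below is an added example, not code from the thread or any participant. Its ruleset is a constructed reconstruction of the question's iptables -vL output in iptables -S form, with the reverse-DNS names replaced by addresses as noci suggests (assumptions: 13.156.9.185.salay.com.tr is 185.9.156.13, 2.156.9.185.salay.com.tr is 185.9.156.2, and the rule in the firewall chain uses 178.20.225.235 as the question states); 203.0.113.10 is a made-up peer address. It shows that 178.20.225.235 is only dropped when it sends ICMP, UDP or a TCP SYN to 185.9.156.13, and that noci's four -I rules drop both hosts in both directions.

```python
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed reconstruction of the question's `iptables -vL` output in `iptables -S` form,
# reverse-DNS names replaced by addresses (178.20.225.235 as the question states it).
ORIGINAL_RULES = """
-P FORWARD ACCEPT
-A FORWARD -d 185.9.156.13/32 -p icmp -j firewall
-A FORWARD -d 185.9.156.13/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j firewall
-A FORWARD -d 185.9.156.13/32 -p udp -j firewall
-A FORWARD -s 185.9.156.2/32 -j DROP
-A firewall -j LOG --log-prefix "Firewall:"
-A firewall -s 178.20.225.235/32 -j DROP
"""

# noci's four rules in the order typed; each -I lands at the top of FORWARD.
FIX_RULES = """
-I FORWARD -s 185.9.156.2 -j DROP
-I FORWARD -s 178.20.225.235 -j DROP
-I FORWARD -d 185.9.156.2 -j DROP
-I FORWARD -d 178.20.225.235 -j DROP
"""

FIELDS = {"-s": "src", "-d": "dst", "-p": "proto", "-j": "target"}  # -m/-i/-o/--log-prefix are skipped
Packet = namedtuple("Packet", "src dst proto flags", defaults=("tcp", frozenset({"SYN"})))  # default: new TCP SYN


@dataclass
class Rule:
    text: str
    target: str = ""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    tcp_flags: Optional[tuple] = None  # (mask, flags that must be set), as in `--tcp-flags MASK COMP`


def parse_ruleset(text):
    """Parse -P/-N/-A/-I lines into ({chain: [Rule]}, {chain: policy})."""
    chains, policies = {}, {}
    for line in filter(str.strip, text.splitlines()):
        tok = shlex.split(line)
        op, chain = tok[0], tok[1]
        rules = chains.setdefault(chain, [])
        if op == "-P":
            policies[chain] = tok[2]
        if op in ("-P", "-N"):
            continue
        rule, i = Rule(text=line), 2
        while i < len(tok):  # every option takes one value; --tcp-flags takes two
            opt, val = tok[i], tok[i + 1]
            if opt == "--tcp-flags":
                rule.tcp_flags = (set(val.split(",")), set(tok[i + 2].split(",")))
                i += 1
            elif opt in FIELDS:
                setattr(rule, FIELDS[opt], val)
            i += 2
        if op == "-I":
            rules.insert(0, rule)
        else:
            rules.append(rule)
    return chains, policies


def matches(rule, pkt):
    for addr, net in ((pkt.src, rule.src), (pkt.dst, rule.dst)):
        if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.tcp_flags:
        mask, want = rule.tcp_flags
        return pkt.proto == "tcp" and (pkt.flags & mask) == want
    return True


def walk(chains, policies, pkt, chain="FORWARD"):
    """Return (verdict, deciding rule); LOG never terminates, a user chain without a verdict falls through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.text
        if rule.target in chains:  # jump to a user-defined chain
            verdict, text = walk(chains, policies, pkt, rule.target)
            if verdict is not None:
                return verdict, text
    if chain in policies:  # built-in chain: the policy decides
        return policies[chain], "policy " + policies[chain]
    return None, None


def audit(ruleset, blocked_hosts, peer="203.0.113.10"):
    """Verdicts for a new TCP connection from each blocked host to an unrelated (constructed) peer and back."""
    chains, policies = parse_ruleset(ruleset)
    return {host: {"from": walk(chains, policies, Packet(host, peer))[0],
                   "to": walk(chains, policies, Packet(peer, host))[0]}
            for host in blocked_hosts}


if __name__ == "__main__":
    for label, rules in (("as posted", ORIGINAL_RULES), ("with -I rules", ORIGINAL_RULES + FIX_RULES)):
        print(label, audit(rules, ["185.9.156.2", "178.20.225.235"]))
```

Run as posted, the trace gives 185.9.156.2 DROP outbound but ACCEPT inbound, and 178.20.225.235 ACCEPT in both directions, because its DROP sits in the firewall chain that FORWARD only jumps to for traffic addressed to 185.9.156.13; a TCP packet without SYN (an established flow) does not even take the jump. That also fits the counters in the question: the LOG rule has 3383 hits, so bridged frames are reaching FORWARD, while the 178.20.225.235 DROP shows 0. With the four -I rules prepended every direction returns DROP. Separately, on kernels from 3.18 onward the bridge hooks live in the br_netfilter module and the net.bridge.bridge-nf-call-* sysctls only exist once it is loaded, which is why noci's modprobe advice matters; the question's sysctl -p output does echo those keys, so on that box they were present.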
FireBallIT (Author) commented:
The last line solved it, thanks.