Iptables - Bridge and Forward chain

Question

I have setup ethernet bridge br0 that contains two interfaces eth0 and tap0

brctl addbr br0
brctl addif eth0
brctl addif tap0
ifconfig eth0 0.0.0.0 promisc up
ifconfig tap0 0.0.0.0 promisc up
ifconfig br0 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255

My default FORWARD chain policy is DROP

iptables -P FORWARD DROP

When i do not add following rule the traffic is not passing through bridge.

iptables -A FORWARD -p all -i br0 -j ACCEPT

As far as I understand iptables is only responsible for IP layer.

ebtables should be responsible for filtering traffic on the ethernet bridge.

So why do I have to add ACCEPT rule in iptable's FORWARD chain?

score 15 · Accepted Answer · answered Jul 20 '10 at 21:10

15

Because of the br-nf code that is available as a patch to linux 2.4 and used in linux 2.6:

The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets.

Since the traffic you are working is ip, iptables rules still apply because of br-nf passing the bridged packets to iptables.

This is a great resource to read about the interaction and this one details the functionality of br-nf code, including how to disable all or some of the functionalities (i.e. not passing bridge traffic to iptables).

answered Jul 20 '10 at 21:10

coredump

12,713
2
36
56

The functionality is not working on 4.4.0-22-generic (ubuntu 16.04), even after I did `echo "1" > /sys/devices/virtual/net/br0/bridge/nf_call_arptables`. Any ideas? – Arie Skliarouk Jun 15 '17 at 12:10
2

Answering myself: # Load br_netfilter modprobe br_netfilter # Add to BROUTING chain rule to forward all ipv4 packets to iptables ebtables -t broute -A BROUTING -p ipv4 -i br0 -j DROP – Arie Skliarouk Jun 15 '17 at 13:44

score 13 · Answer 2 · answered Dec 06 '12 at 10:45

13

You can disable this behaviour (letting iptables handling bridged packets) by typing:

echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables

(see http://ebtables.sourceforge.net/documentation/bridge-nf.html)

answered Dec 06 '12 at 10:45

Arnout

331
4
4

3

Also, /proc/sys/net/bridge/bridge-nf-call-ip6tables – MV. Mar 10 '14 at 16:36

score 7 · Answer 3 · answered Jan 24 '19 at 09:03

If you do not have the need to use iptables with the bridge on your system you can permanently disable it by using either of the following:

Adding an iptables rule:

iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

Or editing /etc/sysctl.conf:

net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0

score 0 · Answer 4 · answered Jul 20 '10 at 21:25

0

The ebtables chains won't see frames entering on a non-forwarding bridge port. Might take a look at this: http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

answered Jul 20 '10 at 21:25

Andy Simmons

41
2

Iptables - Bridge and Forward chain

4 Answers4

Linked