I am using a Linux bridge for monitoring some traffic on two VLANs. I created two bridges, br30 and br40, one for each. My problem is that the TCP traffic makes it through but not the UDP traffic. I thought of iptables, so I added a long list of rules for each virtual interface (say ethx.30 ...) and for the bridge interfaces br30, br40. ebtables is not installed. I have no idea how to deal with this. Thanks.
2 Answers
By default bridged packets are filtered according to netfilter rules (iptables, ip6tables, arptables). Yes, this is a layering violation (L3 filters are applied to packets supposed to be processed only at L2), but this is just how the bridge subsystem has behaved for a very long time.
If you do not intend to perform filtering of bridged packets (or if you prefer using just ebtables for this), you can turn off bridge-nf, so that netfilter rules will not be applied to bridged packets (of course, they will still be applied if the bridge code decides that the packet should be handled by the host at L3):
/sbin/sysctl -w net.bridge.bridge-nf-call-ip6tables=0
/sbin/sysctl -w net.bridge.bridge-nf-call-iptables=0
/sbin/sysctl -w net.bridge.bridge-nf-call-arptables=0
These commands must be executed after the bridge module is loaded.
On some distributions you can put the desired values of the sysctl variables into /etc/sysctl.conf, so that these values will be applied during boot:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
Due to the requirement of loading the bridge module before setting these variables, you may need to edit additional distribution-specific files to force early loading of this module.
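An added example, not part of the answer above, that turns the three commands and the boot-time ordering problem into a small script: it reports whether any bridge-nf hook is still passing bridged frames through netfilter, disables the hooks on the running kernel, and persists the setting together with a modules-load entry so the module exists before the sysctl values are applied. SYSFS_ROOT, the drop-in paths under /etc/sysctl.d and /etc/modules-load.d, and the mention of br_netfilter (the module that owns these knobs on kernels from 3.18 onward) are assumptions of this example and do not come from the page. Once the hooks are off, iptables no longer sees bridged traffic at all, so any filtering you still need on the bridge has to be done with ebtables or nftables' bridge family.

```shell
#!/bin/sh
# Added example (not the answer's own code): audit, disable and persist the
# bridge-nf sysctls. SYSFS_ROOT is an assumption that lets the status check
# read a fake /proc/sys tree for offline testing.
SYSFS_ROOT="${SYSFS_ROOT:-/proc/sys}"

# Report the state of the bridge-nf hooks:
#   "absent" - net/bridge knobs not present (bridge/br_netfilter not loaded)
#   "on"     - at least one hook still sends bridged frames through
#              iptables/ip6tables/arptables
#   "off"    - all three hooks disabled
bridge_nf_status() {
    dir="$SYSFS_ROOT/net/bridge"
    [ -d "$dir" ] || { echo absent; return 0; }
    state=off
    for k in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$k"
        [ -r "$f" ] || continue
        # strip the trailing newline before comparing
        v=$(tr -d '[:space:]' < "$f")
        if [ "$v" = "1" ]; then
            state=on
        fi
    done
    echo "$state"
}

# Turn the hooks off for the running kernel (needs root and a loaded module).
bridge_nf_disable() {
    for k in iptables ip6tables arptables; do
        sysctl -w "net.bridge.bridge-nf-call-$k=0" || return 1
    done
}

# Write a sysctl drop-in plus a modules-load entry, so the module is loaded
# before the values are applied at boot. Paths are overridable so the
# function can be exercised against a temporary directory (assumed layout,
# as used by systemd-based distributions).
bridge_nf_persist() {
    sysctl_conf="${1:-/etc/sysctl.d/99-bridge-nf.conf}"
    modules_conf="${2:-/etc/modules-load.d/bridge.conf}"
    {
        echo 'net.bridge.bridge-nf-call-ip6tables = 0'
        echo 'net.bridge.bridge-nf-call-iptables = 0'
        echo 'net.bridge.bridge-nf-call-arptables = 0'
    } > "$sysctl_conf" || return 1
    # br_netfilter on current kernels; older kernels only have "bridge"
    printf 'bridge\nbr_netfilter\n' > "$modules_conf" || return 1
}

# Stand-alone use: "sh bridge-nf.sh apply" prints the state, then (as root)
# disables the hooks and persists the change.
if [ "${1:-}" = "apply" ]; then
    echo "bridge-nf hooks before: $(bridge_nf_status)"
    bridge_nf_disable && bridge_nf_persist \
        && echo "bridge-nf hooks after: $(bridge_nf_status)"
fi
```

Run `bridge_nf_status` first on the affected box: if it prints "on", the bridged UDP frames are being evaluated by the iptables FORWARD chain exactly as the answer describes, and the rules written against ethx.30 and br30 are what is dropping them.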

Go check your iptables rules; it is common to set only forward rules. Follow the steps below.
Assume A is on VLAN 1 and B is on VLAN 2.
Does the traffic reach the Linux box if it is going from A to B?
Does the traffic reach the Linux box if it is going from B to A?
Is the traffic blocked by the incoming rules of iptables?
Is the traffic rewritten correctly by the NAT rules of iptables?
What will the packets look like when going from A to B and finally arriving at B? Will B think it is coming from the Linux box, or from A?
If B wants to send back a packet, is it sent to A or to the Linux box? If it goes to the Linux box, how does the box determine where it goes (since the packet does not contain the final destination)? If it goes to A, it won't go through the Linux box, since how would it know it should go to the Linux box?
After all the mess, you should find that life would be much easier if you set the Linux box up as a router rather than using iptables, but still, it would probably meet your need.
And it is common that video over UDP cannot go through a gateway or the like to reach some private subnet, since there is no way for internet video servers to deliver the packets by UDP to the machine behind the router: if they use the public IP, the packets will only reach the router, which won't know which machine to use, or at most you could make one machine get all the traffic. If they use a private IP, the packets will not even reach your router.
The best solution we have at this moment is to set up a Wowza video re-streamer or something alike, which actually pretends to be the target video server on the internet, so that at least you can get the video shown, such as YouTube etc.
But for games played on UDP ports, you probably need a VPN solution.