
I am trying to block DNS requests using an Ubuntu machine. I have created a bridge and the packets are being forwarded as expected. Only when I add iptables rules, they are not taken into account. I tried with no rules, simply setting the policy of each table to DROP, and even this doesn't work: the packets are still transmitted without interruption. I should specify that I'm working in an ISP context so, network-wise, the bridge is situated on the WAN side, between the CPE and a Telindus. Thanks for the help.

Version of iptables : 1.4.21

# iptables -L -n -v

0 packets in forward and input, 16 in output (Rather synthetic as I'm on my phone)

All policies are in DROP mode.

/proc/sys/net/bridge/bridge-nf-call-iptables = 1

The configuration of the bridge is rather simple :

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up
Doezer
  • At least edit this question to show us the non-working rule. We have no hope of helping you fix your problems if you don't show us what isn't working for you. – user Jul 06 '16 at 14:45
  • I didn't explicitly say it, but as of now there is no rule; I simply set all policies to DROP, which had no effect. So this is a rather simple configuration in the end. – Doezer Jul 06 '16 at 14:47
  • In what OSI layer does iptables work? In what layer does a bridge work? – Michal Sokolowski Jul 06 '16 at 14:51
  • I don't see how this is relevant? Isn't iptables supposed to process bridged packets? My previous searches have shown me that the br-nf code makes it that way: http://serverfault.com/a/162384/364071 – Doezer Jul 06 '16 at 14:59
  • Maybe the bridge does not pipe the traffic through iptables? What does `cat /proc/sys/net/bridge/bridge-nf-call-iptables` say? – cz8s Jul 06 '16 at 15:40
  • I checked it before and it was at 1 – Doezer Jul 06 '16 at 15:50
  • What are the exact interfaces between which you want to filter traffic? – Tero Kilkanen Jul 06 '16 at 18:46
  • @TeroKilkanen: eth0 and eth1, but the filtering has to be transparent. – Doezer Jul 06 '16 at 19:23
  • Alright so, after some more research, I'll have to check those when I'm at my job: `bridge-nf-filter-vlan-tagged` `bridge-nf-filter-pppoe-tagged` As I am exactly in both those cases (802.1Q encapsulated into PPPoE) – Doezer Jul 06 '16 at 19:46

2 Answers


It would be useful to share the output of `iptables -L -n -v` with us.

In order to drop traffic on a bridged interface, just use:

iptables -A FORWARD -p tcp --dport 53 -j DROP
iptables -A FORWARD -p udp --dport 53 -j DROP

Feel free to use

tcpdump -i any -n port 53

to see whether the traffic really goes through the server.

You can also use:

iptables -A FORWARD -j LOG --log-prefix "IPTables: " --log-level 4

to log the traffic that passes through iptables.

Yarik Dot
  • Yes, sorry, I'm on a phone so I can't paste info. I already see the traffic using Wireshark and I know it's passing through. – Doezer Jul 06 '16 at 15:00
  • At first I used the udp line you wrote, and as it didn't do a thing, I just set every policy to DROP to be sure. Hence the topic. – Doezer Jul 06 '16 at 15:03
  • If you have DROP policy on FORWARD chain and traffic still passes through, then you have something strange in your network. – Yarik Dot Jul 06 '16 at 16:02
  • The strangest thing is that the packets passing through a wifi interface I have on the machine are showing up in the tables, so it's probably not a problem related to iptables. – Doezer Jul 06 '16 at 16:07

I'm answering my own question : the problem was coming from the following parameters :

/proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged
/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

I set them to 1 and it allowed the subsequent frames/packets to be forwarded into the iptables FORWARD table. Thank you for your help.

Doezer
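The two answers together describe a transparent bridge that (a) has br_netfilter passing bridged frames to iptables, including 802.1Q- and PPPoE-encapsulated ones, and (b) drops DNS in the FORWARD chain. The script below is an added example that ties those steps together; it is not code from the question or either answer. The interface names eth0/eth1/br0 come from the question; the variable names, function names and the `apply`/`check` subcommands are my own. The check function takes the sysctl directory as a parameter so it can be exercised against a constructed copy of /proc/sys/net/bridge without root.

```shell
#!/bin/sh
# Transparent DNS-blocking bridge (added example, not the original poster's code).
# Assumes two ports bridged as br0; names are from the question, overridable via env.

BR=${BR:-br0}
PORTS=${PORTS:-"eth0 eth1"}
BRIDGE_SYSCTL_DIR=${BRIDGE_SYSCTL_DIR:-/proc/sys/net/bridge}

# The three br_netfilter knobs that must all be 1 before iptables sees plain,
# VLAN-tagged and PPPoE-encapsulated IP frames crossing the bridge.
required_bridge_nf_keys() {
    printf '%s\n' bridge-nf-call-iptables \
                  bridge-nf-filter-vlan-tagged \
                  bridge-nf-filter-pppoe-tagged
}

# Read the knobs from directory $1 (default /proc/sys/net/bridge) and print
# every key whose value is not 1 as "key=value". Returns 1 if any is wrong or
# missing, which is exactly the state in the question: call-iptables was 1
# while the two filter-*-tagged knobs were still 0.
bridge_nf_check() {
    dir=${1:-$BRIDGE_SYSCTL_DIR}
    bad=0
    for key in $(required_bridge_nf_keys); do
        val=$(cat "$dir/$key" 2>/dev/null || echo missing)
        if [ "$val" != "1" ]; then
            echo "$key=$val"
            bad=1
        fi
    done
    return $bad
}

# Emit the FORWARD rules that drop DNS crossing the bridge. The physdev match
# restricts them to bridged frames so the box's own routed traffic is untouched.
# Printed rather than executed so they can be reviewed, then piped to sh.
dns_drop_rules() {
    for proto in udp tcp; do
        printf 'iptables -A FORWARD -m physdev --physdev-is-bridged -p %s --dport 53 -j DROP\n' "$proto"
    done
}

# Bring everything up: br_netfilter knobs, the bridge itself, then the rules.
apply() {
    # On kernels >= 3.18 br_netfilter is a separate module; without it the
    # /proc/sys/net/bridge directory does not exist at all.
    modprobe br_netfilter 2>/dev/null || true
    for key in $(required_bridge_nf_keys); do
        sysctl -w "net.bridge.$key=1"
    done
    brctl addbr "$BR" 2>/dev/null || true
    for p in $PORTS; do
        brctl addif "$BR" "$p" 2>/dev/null || true
        ip link set "$p" up
    done
    ip link set "$BR" up
    # Log what reaches the chain before dropping, so a silent bridge (the
    # symptom in the question) is distinguishable from a rule that is not hit.
    iptables -A FORWARD -m physdev --physdev-is-bridged -p udp --dport 53 \
        -j LOG --log-prefix "bridge-dns: " --log-level 4
    dns_drop_rules | sh
}

case "${1:-}" in
    apply) apply ;;
    check) bridge_nf_check && echo "all bridge-nf knobs are 1" ;;
esac
```

Run `sh script.sh check` first: if it prints `bridge-nf-filter-vlan-tagged=0` or `bridge-nf-filter-pppoe-tagged=0`, tagged traffic is bypassing iptables even though `bridge-nf-call-iptables` is 1, which is the situation the accepted answer resolved. `sh script.sh apply` then sets the knobs, builds the bridge and installs the rules; confirm with `iptables -L FORWARD -n -v` that the DROP counters move while `tcpdump -i any -n port 53` on the downstream side goes quiet.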