Packet flow in a virtual bridge with two interfaces, centos 7
Clash Royale CLAN TAG#URR8PPP
I am struggling to create a bridge firewall with iptables since I cannot find/catch packets flowing through a bridge with two interfaces in centos7. No ip addresses are configured on interfaces or the bridge. I cannot seem to find this traffic, checked PREROUTING INPUT FORWARD OUTPUT POSTROUTING chains. Although ifconfig counters shows that traffic is flowing through bridged interfaces but not the bridge(br0) itself.
My bridge config
# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=0.0.0.0
PREFIX=24
IPV6_AUTOCONF=no
IPV6INIT=no
ONBOOT=yes
DELAY=0`
OUTWARDS interface
# cat ifcfg-p1p
DEVICE=p1p1
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BRIDGE=br0
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
INWARDS interface
# cat ifcfg-p1p2
DEVICE=p1p2
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
Forwarding is disabled(no NAT), firewalld is disabled, ipv6 autoconf is disabled in sysctl.conf. Traffic is flowing perferctly from a machine inside p1p2 towards outside through p1p1.
I am stuck and any help is appreciated.
PS: This setup worked perfectly with debian 5 (2.6 kernel)but after an upgrade to debian 6 or 7 or 8, got kernel panic on interface drivers randomly. Tried both Intel card and Broadcom card with same result. A bug in brctl maybe? But anyways centos7 is running at least stable for two days.
centos iptables firewall bridge
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
add a comment |
I am struggling to create a bridge firewall with iptables since I cannot find/catch packets flowing through a bridge with two interfaces in centos7. No ip addresses are configured on interfaces or the bridge. I cannot seem to find this traffic, checked PREROUTING INPUT FORWARD OUTPUT POSTROUTING chains. Although ifconfig counters shows that traffic is flowing through bridged interfaces but not the bridge(br0) itself.
My bridge config
# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=0.0.0.0
PREFIX=24
IPV6_AUTOCONF=no
IPV6INIT=no
ONBOOT=yes
DELAY=0`
OUTWARDS interface
# cat ifcfg-p1p
DEVICE=p1p1
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BRIDGE=br0
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
INWARDS interface
# cat ifcfg-p1p2
DEVICE=p1p2
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
Forwarding is disabled(no NAT), firewalld is disabled, ipv6 autoconf is disabled in sysctl.conf. Traffic is flowing perferctly from a machine inside p1p2 towards outside through p1p1.
I am stuck and any help is appreciated.
PS: This setup worked perfectly with debian 5 (2.6 kernel)but after an upgrade to debian 6 or 7 or 8, got kernel panic on interface drivers randomly. Tried both Intel card and Broadcom card with same result. A bug in brctl maybe? But anyways centos7 is running at least stable for two days.
centos iptables firewall bridge
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
add a comment |
I am struggling to create a bridge firewall with iptables since I cannot find/catch packets flowing through a bridge with two interfaces in centos7. No ip addresses are configured on interfaces or the bridge. I cannot seem to find this traffic, checked PREROUTING INPUT FORWARD OUTPUT POSTROUTING chains. Although ifconfig counters shows that traffic is flowing through bridged interfaces but not the bridge(br0) itself.
My bridge config
# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=0.0.0.0
PREFIX=24
IPV6_AUTOCONF=no
IPV6INIT=no
ONBOOT=yes
DELAY=0`
OUTWARDS interface
# cat ifcfg-p1p
DEVICE=p1p1
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BRIDGE=br0
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
INWARDS interface
# cat ifcfg-p1p2
DEVICE=p1p2
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
Forwarding is disabled(no NAT), firewalld is disabled, ipv6 autoconf is disabled in sysctl.conf. Traffic is flowing perferctly from a machine inside p1p2 towards outside through p1p1.
I am stuck and any help is appreciated.
PS: This setup worked perfectly with debian 5 (2.6 kernel)but after an upgrade to debian 6 or 7 or 8, got kernel panic on interface drivers randomly. Tried both Intel card and Broadcom card with same result. A bug in brctl maybe? But anyways centos7 is running at least stable for two days.
centos iptables firewall bridge
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
I am struggling to create a bridge firewall with iptables since I cannot find/catch packets flowing through a bridge with two interfaces in centos7. No ip addresses are configured on interfaces or the bridge. I cannot seem to find this traffic, checked PREROUTING INPUT FORWARD OUTPUT POSTROUTING chains. Although ifconfig counters shows that traffic is flowing through bridged interfaces but not the bridge(br0) itself.
My bridge config
# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=0.0.0.0
PREFIX=24
IPV6_AUTOCONF=no
IPV6INIT=no
ONBOOT=yes
DELAY=0`
OUTWARDS interface
# cat ifcfg-p1p
DEVICE=p1p1
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BRIDGE=br0
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
INWARDS interface
# cat ifcfg-p1p2
DEVICE=p1p2
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24`
Forwarding is disabled(no NAT), firewalld is disabled, ipv6 autoconf is disabled in sysctl.conf. Traffic is flowing perferctly from a machine inside p1p2 towards outside through p1p1.
I am stuck and any help is appreciated.
PS: This setup worked perfectly with debian 5 (2.6 kernel)but after an upgrade to debian 6 or 7 or 8, got kernel panic on interface drivers randomly. Tried both Intel card and Broadcom card with same result. A bug in brctl maybe? But anyways centos7 is running at least stable for two days.
centos iptables firewall bridge
centos iptables firewall bridge
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
edited Apr 21 '16 at 12:47
Jeff Schaller♦
44.4k1162143
44.4k1162143
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
asked Apr 21 '16 at 12:42
Amir AhmedAmir Ahmed
11
11
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.
A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.
The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).
There's a nice summary of what you are trying to do at the start of this Shorewall web pages. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
add a comment |
Got it now. Turning on Forwarding does not enable some kernel variables that are needed so I had to manually enable them. These are,
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=0
I turned off arptables since I don't need it.
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
add a comment |
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f278100%2fpacket-flow-in-a-virtual-bridge-with-two-interfaces-centos-7%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.
A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.
The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).
There's a nice summary of what you are trying to do at the start of this Shorewall web pages. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
add a comment |
You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.
A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.
The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).
There's a nice summary of what you are trying to do at the start of this Shorewall web pages. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
add a comment |
You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.
A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.
The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).
There's a nice summary of what you are trying to do at the start of this Shorewall web pages. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.
A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.
The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).
There's a nice summary of what you are trying to do at the start of this Shorewall web pages. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
answered Apr 21 '16 at 14:21
vk5tuvk5tu
89478
89478
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
add a comment |
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
No confusion here. My firewall script enables ipv4 forwarding (echo 1>/proc/...ip_forward and I use physical device in iptables. Still no luck. My setup worked perfectly in ubuntu 2.6 kernel.
– Amir Ahmed
Apr 25 '16 at 13:29
add a comment |
Got it now. Turning on Forwarding does not enable some kernel variables that are needed so I had to manually enable them. These are,
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=0
I turned off arptables since I don't need it.
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
add a comment |
Got it now. Turning on Forwarding does not enable some kernel variables that are needed so I had to manually enable them. These are,
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=0
I turned off arptables since I don't need it.
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
add a comment |
Got it now. Turning on Forwarding does not enable some kernel variables that are needed so I had to manually enable them. These are,
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=0
I turned off arptables since I don't need it.
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
Got it now. Turning on Forwarding does not enable some kernel variables that are needed so I had to manually enable them. These are,
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-arptables=0
I turned off arptables since I don't need it.
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
answered Apr 26 '16 at 11:05
Amir AhmedAmir Ahmed
11
11
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f278100%2fpacket-flow-in-a-virtual-bridge-with-two-interfaces-centos-7%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
