Transparent bridge firewall with iptables

[lintPI]

hi, I want to make a transparent bridge firewall with one USB Ethernet adapter and use the standard iptables to set up custom rules.

my bridge config:
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 up

the bridge works well,but i can't use iptables forward chain to drop the packet, it can't filter.
I do the same things on ubuntu PC, it works well.
Its very strange. However, what is the difference? I use raspbian jessie on my PI.

Thanks

[cacti]

Just did a simular setup and saw that no packets flow through the forward chain on the raspberry pi. The same setup works in Redhat. I suspect it has something to do with the kernel. I'll investigate later.

[pksato]

Hi,
A long time ago, I implement similar bridge function (not on rpi), information below can be outdated.
Enable ip forward
echo "1" > /proc/sys/net/ipv4/ip_forward (or use sysctl)
iptables need to address physical interface, like on this examples.
iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j DROP
iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -p tcp --dport 80 -j ACCEPT

Other way to control bridge flow is using ebtables.
Ebtables site have this note:
Since Linux kernel 3.18-rc1, you have to modprobe br_netfilter to enable bridge-netfilter.

[apraetor]

I'm seeing the same issue: my Pi 3 with Raspbian Jessie fails to apply iptables FORWARD rules to traffic being bridged -- until I do:

Code: Select all

 iptables -A FORWARD -p tcp --dport 80 -m physdev --physdev-is-bridged -j ACCEPT

Once I have applied a rule which loads the physdev module even rules applied to specific IPs on the bridge function correctly.

[MarkHaysHarris777]

In order to forward traffic you need the following:

Code: Select all

sudo sysctl -w net.ipv4.ip_forward=1

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

The first line sets up the ipv4 forwarding, the second line sets up NAT; both are required.

[apraetor]

In order to forward traffic you need the following:

Code: Select all

sudo sysctl -w net.ipv4.ip_forward=1

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

The first line sets up the ipv4 forwarding, the second line sets up NAT; both are required.

Without NAT it is forwarding traffic across the bridge, though. The issue I am having is that iptables rules aren't being processed at all -- all traffic from eth0 passes out eth1 and vice versa (the two slaves in br0). The machines on each side of the Pi should be on the same logical network; my goal is to allow traffic on only a couple of ports to machines behind the Pi.

Edit: I've got it up and working using the physdev module.

[mfa298]

I think you want ebtables rather than iptables.

Iptables (and nat, and net.ipv4.ip_forward=1) are all Layer 3 (routing) functions. A bridge setup is at layer 2 (switching).

There are diagrams (such as http://inai.de/images/nf-packet-flow.png) which may help (or may confuse if you don't understand the difference between different layers in networking).