Packet flow in a virtual bridge with two interfaces, centos 7
I am struggling to create a bridge firewall with iptables since I cannot find/catch packets flowing through a bridge with two interfaces in CentOS 7. No IP addresses are configured on the interfaces or the bridge. I cannot seem to find this traffic; I checked the PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains. The ifconfig counters show that traffic is flowing through the bridged interfaces but not through the bridge (br0) itself.



My bridge config



# cat ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=0.0.0.0
PREFIX=24
IPV6_AUTOCONF=no
IPV6INIT=no
ONBOOT=yes
DELAY=0


OUTWARDS interface



# cat ifcfg-p1p
DEVICE=p1p1
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
BRIDGE=br0
BOOTPROTO=none
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24


INWARDS interface



# cat ifcfg-p1p2
DEVICE=p1p2
TYPE=Ethernet
HWADDR=XX:XX:XX:XX:XX:XX
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
IPV6INIT=no
IPV6_AUTOCONF=no
IPADDR=0.0.0.0
PREFIX=24


Forwarding is disabled (no NAT), firewalld is disabled, IPv6 autoconf is disabled in sysctl.conf. Traffic is flowing perfectly from a machine inside p1p2 towards the outside through p1p1.



I am stuck and any help is appreciated.



PS: This setup worked perfectly with Debian 5 (2.6 kernel), but after an upgrade to Debian 6, 7 or 8 I got kernel panics in the interface drivers randomly. Tried both an Intel card and a Broadcom card with the same result. A bug in brctl maybe? But anyway, CentOS 7 has been running stably for at least two days.










asked Apr 21 '16 at 12:42 by Amir Ahmed; edited Apr 21 '16 at 12:47 by Jeff Schaller. Tags: centos, iptables, firewall, bridge
          2 Answers
          You have confused your networking layers. Handwavingly, iptables works for network-layer forwarded IP packets and not for link-layer forwarded ethernet frames, which is the type of forwarding done by a bridge.



          A bridge works by keeping a list of which MAC addresses are seen on which ports. So traffic can flow from p1p to p1p2 without doing any IP routing.



          The br0 interface is a pretend interface on the bridge. It's treated like any other interface. So non-broadcast traffic from a MAC via p1 to a MAC via p1p2 doesn't transit interface br0 (although it is obviously on bridge br0, and it's a real shame Linux uses the same name for both the pseudo-interface and for the bridge).



There's a nice summary of what you are trying to do at the start of this Shorewall web page. Basically you configure the bridge and make it work. Then set the IP forwarding sysctl (or iptables won't work at all). In your iptables rules you need to express your rules using the physdev iptables module (and of course you can list other modules after that).






answered Apr 21 '16 at 14:21 by vk5tu
• No confusion here. My firewall script enables IPv4 forwarding (echo 1 > /proc/...ip_forward) and I use the physical device in iptables. Still no luck. My setup worked perfectly on an Ubuntu 2.6 kernel.

            – Amir Ahmed
            Apr 25 '16 at 13:29
Got it now. Turning on forwarding does not enable some kernel variables that are needed, so I had to enable them manually. These are:



          net.bridge.bridge-nf-call-ip6tables=1
          net.bridge.bridge-nf-call-iptables=1
          net.bridge.bridge-nf-call-arptables=0


          I turned off arptables since I don't need it.






answered Apr 26 '16 at 11:05 by Amir Ahmed
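As an added example (not code from the question or from either answer), a POSIX sh pre-flight check that ties the two answers together: it verifies the three net.bridge.bridge-nf-call-* sysctls from the second answer and prints the physdev-based FORWARD rules described in the first answer for the p1p2 (inside) to p1p1 (outside) layout of the question. The directory argument, the allow-new-flows-from-inside-only policy and the exact rule set are assumptions made here for illustration; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not part of the original question or answers.
# Pre-flight check for a transparent (no-IP) bridge firewall on CentOS 7:
#  1. the bridge-netfilter knobs must be set, or iptables never sees bridged
#     frames (this is what the accepted answer fixed);
#  2. rules must select traffic by bridge port with -m physdev, because
#     frames crossing p1p2 -> p1p1 never transit the br0 pseudo-interface.

# Wanted values, as in the accepted answer (ARP filtering left off).
WANTED="iptables=1 ip6tables=1 arptables=0"

# read_knob DIR NAME -> prints the knob's value, or "missing" when the file
# is absent. DIR is a parameter (default /proc/sys/net/bridge) only so the
# logic can be exercised against a constructed directory.
read_knob() {
    f="$1/bridge-nf-call-$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_bridge_nf [DIR] -> prints one line per knob; returns 0 only when all
# three match WANTED, 1 otherwise (so it can gate a rule-loading script).
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    rc=0
    for pair in $WANTED; do
        proto=${pair%=*}
        want=${pair#*=}
        got=$(read_knob "$dir" "$proto")
        if [ "$got" = "$want" ]; then
            printf 'ok       bridge-nf-call-%s=%s\n' "$proto" "$got"
        else
            printf 'MISMATCH bridge-nf-call-%s=%s (want %s)\n' "$proto" "$got" "$want"
            rc=1
        fi
    done
    return $rc
}

# physdev_rules IN OUT -> prints (does not run) a hypothetical FORWARD policy:
# default drop, allow replies to known flows, allow new flows only from the
# inside port, log everything else that is being bridged.
physdev_rules() {
    in_if=$1
    out_if=$2
    printf '%s\n' \
        'iptables -P FORWARD DROP' \
        'iptables -A FORWARD -m physdev --physdev-is-bridged -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "iptables -A FORWARD -m physdev --physdev-in $in_if --physdev-out $out_if -m conntrack --ctstate NEW -j ACCEPT" \
        'iptables -A FORWARD -m physdev --physdev-is-bridged -j LOG --log-prefix "bridge-drop: "'
}

# Stand-alone use on the firewall host: sh bridge-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_bridge_nf || echo "fix the sysctls (and load br_netfilter) before loading rules"
    physdev_rules p1p2 p1p1
fi
```

A value of "missing" means the knob files do not exist at all, which on CentOS 7 usually means the br_netfilter module is not loaded; setting the sysctls only persists once that module is present.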