I've successfully set up a bridge on my host server and connected a QEMU guest to it and everything works. The guest has access to the local network.
But iptables on the host doesn't see any traffic going through the FORWARD chain. If I've understood correctly, all traffic to/from a guest should go through the FORWARD chain.
What do I need to do so the host can block traffic to the guest?
Any solutions or reading suggestions for me to learn more about the issue would be greatly appreciated. I've already plowed through the arch wiki to no avail but maybe I've missed something.
I've read that net.bridge.bridge-nf-call-iptables must be set to 1, but it doesn't seem to exist:
$ sysctl -a -r bridge
$ sysctl net.bridge.bridge-nf-call-iptables
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
$ ll /proc/sys/net/
total 0
dr-xr-xr-x 1 root root 0 2016-02-24 14:12 core/
dr-xr-xr-x 1 root root 0 2016-02-24 14:12 ipv4/
dr-xr-xr-x 1 root root 0 2016-02-24 14:12 ipv6/
dr-xr-xr-x 1 root root 0 2016-02-24 14:15 netfilter/
dr-xr-xr-x 1 root root 0 2016-02-24 14:12 unix/
-rw-r--r-- 1 root root 0 2016-02-24 14:15 nf_conntrack_max
My configuration:
$ cat /etc/netctl/brlan
Description="LAN Bridge with DHCP"
Interface=brlan
Connection=bridge
BindsToInterfaces=(enp3s0f1)
IP=dhcp
ExecUpPost="ip addr add 192.168.2.20/22 dev brlan label brlan.static"
ExecDownPre="ip addr del 192.168.2.20/22 dev brlan label brlan.static"
## Ignore (R)STP and immediately activate the bridge
SkipForwardingDelay=yes
$ iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
31450 2126K ACCEPT all -- brlan * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 30701 packets, 101M bytes)
pkts bytes target prot opt in out source destination
qemu-system-x86_64 -enable-kvm -vga std -net nic,model=virtio,macaddr=52:54:00:13:37:01 -net bridge,br=brlan -m 2G -drive file=qemu/images/vps-test01.img,format=raw,index=0,media=disk,if=virtio -boot order=c
Last edited by Svinto (2016-02-25 07:12:10)
I've read that net.bridge.bridge-nf-call-iptables must be set to 1, but it doesn't seem to exist:
This was moved [1] to the br_netfilter module which is not auto-loaded.
This was moved [1] to the br_netfilter module which is not auto-loaded.
SOLVED! Thank you so much!
After a
modprobe br_netfilter
all the net.bridge.bridge-nf-* showed up. And all traffic to my guest now gets blocked due to the DROP policy in the FORWARD chain in iptables.
Chain FORWARD (policy DROP 49 packets, 10748 bytes)
pkts bytes target prot opt in out source destination
$ sysctl -a -r bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-pass-vlan-input-dev = 0
edit: If anyone else gets this problem it can be permanently resolved by adding the module to load at boot:
$ echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
Last edited by Svinto (2016-02-25 08:22:03)
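As an added example (not code from the thread), a small POSIX shell helper that reports whether br_netfilter is loaded, i.e. whether bridged frames will reach the FORWARD chain at all, and prints (without applying) a FORWARD rule set for one guest behind brlan. SYS_ROOT, the guest address 192.168.2.50 and the port list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether bridged frames will be
# seen by iptables' FORWARD chain and prints (does not apply) FORWARD rules
# for a guest on the brlan bridge. SYS_ROOT is a hypothetical prefix so the
# check can be pointed at a constructed /proc tree; it is empty on a real host.
SYS_ROOT="${SYS_ROOT:-}"

# Prints "missing" when br_netfilter is not loaded (the sysctl does not exist,
# exactly the situation in the first post), "off" when it is loaded but set to
# 0, and "on" when bridged IPv4 traffic is handed to iptables.
bridge_nf_state() {
    f="${SYS_ROOT}/proc/sys/net/bridge/bridge-nf-call-iptables"
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    case "$(cat "$f")" in
        1) echo on ;;
        *) echo off ;;
    esac
}

# Emit FORWARD rules for one guest: replies to connections the guest opened
# are accepted, the guest may open connections outwards, only the listed TCP
# ports may be reached from the LAN, everything else to the guest is dropped.
# Bridged packets show the bridge itself as both in and out interface in
# FORWARD, which is why -i and -o both name the bridge.
# Usage: guest_forward_rules GUEST_IP BRIDGE [TCP_PORT ...]
guest_forward_rules() {
    guest_ip="$1"; bridge="$2"; shift 2
    echo "iptables -A FORWARD -i $bridge -o $bridge -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $bridge -o $bridge -s $guest_ip -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A FORWARD -i $bridge -o $bridge -d $guest_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $bridge -o $bridge -d $guest_ip -j DROP"
}

# Run with "report" to print the state plus a rule set for a constructed
# guest address (192.168.2.50, inside the bridge's 192.168.2.20/22 network).
if [ "${1:-}" = "report" ]; then
    state=$(bridge_nf_state)
    echo "bridge-nf-call-iptables: $state"
    [ "$state" = on ] || echo "load br_netfilter first: modprobe br_netfilter"
    guest_forward_rules 192.168.2.50 brlan 22 80
fi
```

The printed rules only take effect once `bridge_nf_state` reports `on`; before that, bridged frames bypass the FORWARD chain entirely, which is what the original post observed.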