I have set up an Ethernet bridge br0 that contains two interfaces, eth0 and tap0:

    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 tap0
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig tap0 0.0.0.0 promisc up
    ifconfig br0 10.0.1.1 netmask 255.255.255.0 broadcast 10.0.1.255

My default FORWARD chain policy is DROP:

    iptables -P FORWARD DROP

When I do not add the following rule, the traffic is not passing through the bridge:

    iptables -A FORWARD -p all -i br0 -j ACCEPT

As far as I understand, iptables is only responsible for the IP layer. ebtables should be responsible for filtering traffic on the Ethernet bridge. So why do I have to add an ACCEPT rule in iptables' FORWARD chain?
Best Answer

Because of the br-nf code that is available as a patch to Linux 2.4 and used in Linux 2.6: since the traffic you are working with is IP, iptables rules still apply because of br-nf passing the bridged packets to iptables. This is a great resource to read about the interaction, and this one details the functionality of the br-nf code, including how to disable all or some of the functionalities (i.e. not passing bridge traffic to iptables).
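As an added example (not from the question or the answer), the script below shows the two defensible ways to deal with br-nf: either keep it and accept only frames that really are bridged (instead of the blanket "-i br0" rule), or turn it off via sysctl and filter the bridge in ebtables. It assumes the br0/eth0/tap0 setup from the question, root for a real run, and that the bridge-nf sysctl file exists (on current kernels it appears only once the br_netfilter module is loaded); the function names and the DRY_RUN switch are my own.

```shell
#!/bin/sh
# Added example, not the original poster's code. DRY_RUN=1 prints the commands
# instead of executing them, so the logic can be read and tested without root.
BRIDGE=${BRIDGE:-br0}
# Assumption: this sysctl path exists (needs br_netfilter on newer kernels).
BRNF_SYSCTL=${BRNF_SYSCTL:-/proc/sys/net/bridge/bridge-nf-call-iptables}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Returns 0 when br-nf hands bridged IPv4 frames to iptables (value 1),
# 1 when it does not (value 0) or the sysctl file is not readable.
brnf_calls_iptables() {
    [ -r "$BRNF_SYSCTL" ] || return 1
    [ "$(cat "$BRNF_SYSCTL")" = "1" ]
}

# Option A: keep br-nf on, but accept only frames that entered and leave
# through ports of the same bridge. Routed traffic through br0's IP address
# still falls under the FORWARD DROP policy, unlike "-i br0 -j ACCEPT".
allow_bridged_only() {
    run iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
}

# Option B: stop br-nf from passing bridged frames to iptables and filter
# the bridge with ebtables instead: only IPv4 and ARP cross between the
# ports, everything else is dropped by the ebtables FORWARD policy.
bridge_filter_in_ebtables() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=0
    run ebtables -P FORWARD DROP
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
}

# Pick the option that matches the current br-nf state.
apply_bridge_policy() {
    if brnf_calls_iptables; then
        allow_bridged_only
    else
        bridge_filter_in_ebtables
    fi
}
```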