ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridgeHow to configure traffic from a specific IP hardcoded to an IP to forward to another IP:PORT using iptables?iptables port forward forwardingiptables nat: Handle OUTPUT chain via PREROUTING chain / forward from OUTPUT to PREROUTINGForward http traffic to another ip address with iptablesIptables stringHow to configure port-forwarding to enable internal service accessed by another machine?Config differents external proxy to every VM with iptablesiptables port forwarding to server with different portBlock linux bridge traffic (only one way) using iptables or ebtablesport forwarding to backend server
Can any NP-Complete Problem be solved using at most polynomial space (but while using exponential time?)
How do I professionally let my manager know I'll quit over smoking in the office?
Really Old Stock Valuation
Do I have to explain the mechanical superiority of the player-character within the fiction of the game?
What happens to Cessna electric flaps that are moving when power is lost?
Drawing people along with x and y axis
Can you find x?
How can I politely work my way around not liking coffee or beer when it comes to professional networking?
Trainee keeps missing deadlines for independent learning
Can someone suggest a path to study Mordell-Weil theorem for someone studying on their own?
Old sci-fi story: radiation mutated the animals, a boy loses a limb, but it's okay because "humans used to do great with only two arms"
How much will studying magic in an academy cost?
What was the Shuttle Carrier Aircraft escape tunnel?
What is "industrial ethernet"?
How many people are necessary to maintain modern civilisation?
Why does Linux list NVMe drives as /dev/nvme0 instead of /dev/sda?
JSON selector class in Python
How do I set an alias to a terminal line?
How large would a mega structure have to be to host 1 billion people indefinitely?
If I wouldn't want to read the story, is writing it still a good idea?
What's currently blocking the construction of the wall between Mexico and the US?
What does "play with your toy’s toys" mean?
What is the legal status of travelling with methadone in your carry-on?
Minimum distance between holes in inner tube
ebtables/iptables/bridge-utils: PREROUTING/FORWARD issue on single-NIC bridge
How to configure traffic from a specific IP hardcoded to an IP to forward to another IP:PORT using iptables?iptables port forward forwardingiptables nat: Handle OUTPUT chain via PREROUTING chain / forward from OUTPUT to PREROUTINGForward http traffic to another ip address with iptablesIptables stringHow to configure port-forwarding to enable internal service accessed by another machine?Config differents external proxy to every VM with iptablesiptables port forwarding to server with different portBlock linux bridge traffic (only one way) using iptables or ebtablesport forwarding to backend server
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
We have a number of iptables rules for forwarding connections, which are solid and work well.
For example, port 80 forwards to port 8080 on the same machine (the webserver). When a given webserver is restarting, we forward requests to another IP on port 8080 which displays a Maintenance Page. In most cases, this other IP is on a separate server.
This all worked perfectly until we installed bridge-utils and changed to using a bridge br0 instead of eth0 as the interface.
The reason we have converted to using a bridge interface is to gain access to the MAC SNAT/DNAT capabilities of ebtables. We have no other reason to add a bridge interface on the servers, as they don't actually bridge connections over multiple interfaces.
I know this is a strange reason to add a bridge on the servers, but we are using the MAC SNAT/DNAT capabilities in a new project and ebtables seemed to be the safest, fastest and easiest way to go since we are already so familiar with iptables.
The problem is, since converting to a br0 interface, iptables PREROUTING forwarding to external servers is no longer working.
Internal PREROUTING forwarding works fine (eg: request comes in on port 80, it forwards to port 8080).
The OUTPUT chain also works (eg: we can connect outwards from the box via a local destination IP:8080, and the OUTPUT chain maps it to the Maintenance Server IP on a different server, port 8080, and returns a webpage).
However, any traffic coming into the box seems to die after the PREROUTING rule if the destination IP is external.
Here is an example of our setup:
Old Setup:
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
New Setup: (old setup in various formats tried as well..., trying to log eth0 and br0 packets)
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface br0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface br0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Before changing to br0, the client request would go to server A at port 9080, and then be MASQUERADED off to a different server $MAINTIP.
As explained above, this works fine if $MAINTIP is on the same machine, but if it's on another server, the packet is never sent to $MAINTIP under the new br0 setup.
We want the packets to go out the same interface they came in on, MASQUERADED, as they did before we switched to using a single-NIC bridge (br0/bridge-utils).
I've tried adding logging at all stages in iptables. For some reason the iptables TRACE target doesn't work on this setup, so I can't get a TRACE log, but the packet shows up in the PREROUTING table, but seem to be silently dropped after that.
I've gone through this excellent document and have a better understanding of the flow between iptables and ebtables:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
From my understanding, it seems that the bridge is not forwarding the packets out the same interface they came in, and is dropping them. If we had a second interface added, I imagine it would be forwarding them out on that interface (the other side of the bridge) - which is the way bridges are meant to work ;-)
Is it possible to make this work the way we want it to, and PREROUTE/FORWARD those packets out over the same interface they came in on like we used to?
I'm hoping there are some ebtables rules which can work in conjunction with the iptables PREROUTING/FORWARD/POSTROUTING rules to make iptables forwarding work the way it usually does, and to send the routed packets out br0 (eth0) instead of dropping them.
Comments, flames, any and all advice welcome!
Best Regards,
Neale
iptables
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
add a comment |
We have a number of iptables rules for forwarding connections, which are solid and work well.
For example, port 80 forwards to port 8080 on the same machine (the webserver). When a given webserver is restarting, we forward requests to another IP on port 8080 which displays a Maintenance Page. In most cases, this other IP is on a separate server.
This all worked perfectly until we installed bridge-utils and changed to using a bridge br0 instead of eth0 as the interface.
The reason we have converted to using a bridge interface is to gain access to the MAC SNAT/DNAT capabilities of ebtables. We have no other reason to add a bridge interface on the servers, as they don't actually bridge connections over multiple interfaces.
I know this is a strange reason to add a bridge on the servers, but we are using the MAC SNAT/DNAT capabilities in a new project and ebtables seemed to be the safest, fastest and easiest way to go since we are already so familiar with iptables.
The problem is, since converting to a br0 interface, iptables PREROUTING forwarding to external servers is no longer working.
Internal PREROUTING forwarding works fine (eg: request comes in on port 80, it forwards to port 8080).
The OUTPUT chain also works (eg: we can connect outwards from the box via a local destination IP:8080, and the OUTPUT chain maps it to the Maintenance Server IP on a different server, port 8080, and returns a webpage).
However, any traffic coming into the box seems to die after the PREROUTING rule if the destination IP is external.
Here is an example of our setup:
Old Setup:
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
New Setup: (old setup in various formats tried as well..., trying to log eth0 and br0 packets)
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface br0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface br0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Before changing to br0, the client request would go to server A at port 9080, and then be MASQUERADED off to a different server $MAINTIP.
As explained above, this works fine if $MAINTIP is on the same machine, but if it's on another server, the packet is never sent to $MAINTIP under the new br0 setup.
We want the packets to go out the same interface they came in on, MASQUERADED, as they did before we switched to using a single-NIC bridge (br0/bridge-utils).
I've tried adding logging at all stages in iptables. For some reason the iptables TRACE target doesn't work on this setup, so I can't get a TRACE log, but the packet shows up in the PREROUTING table, but seem to be silently dropped after that.
I've gone through this excellent document and have a better understanding of the flow between iptables and ebtables:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
From my understanding, it seems that the bridge is not forwarding the packets out the same interface they came in, and is dropping them. If we had a second interface added, I imagine it would be forwarding them out on that interface (the other side of the bridge) - which is the way bridges are meant to work ;-)
Is it possible to make this work the way we want it to, and PREROUTE/FORWARD those packets out over the same interface they came in on like we used to?
I'm hoping there are some ebtables rules which can work in conjunction with the iptables PREROUTING/FORWARD/POSTROUTING rules to make iptables forwarding work the way it usually does, and to send the routed packets out br0 (eth0) instead of dropping them.
Comments, flames, any and all advice welcome!
Best Regards,
Neale
iptables
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
add a comment |
We have a number of iptables rules for forwarding connections, which are solid and work well.
For example, port 80 forwards to port 8080 on the same machine (the webserver). When a given webserver is restarting, we forward requests to another IP on port 8080 which displays a Maintenance Page. In most cases, this other IP is on a separate server.
This all worked perfectly until we installed bridge-utils and changed to using a bridge br0 instead of eth0 as the interface.
The reason we have converted to using a bridge interface is to gain access to the MAC SNAT/DNAT capabilities of ebtables. We have no other reason to add a bridge interface on the servers, as they don't actually bridge connections over multiple interfaces.
I know this is a strange reason to add a bridge on the servers, but we are using the MAC SNAT/DNAT capabilities in a new project and ebtables seemed to be the safest, fastest and easiest way to go since we are already so familiar with iptables.
The problem is, since converting to a br0 interface, iptables PREROUTING forwarding to external servers is no longer working.
Internal PREROUTING forwarding works fine (eg: request comes in on port 80, it forwards to port 8080).
The OUTPUT chain also works (eg: we can connect outwards from the box via a local destination IP:8080, and the OUTPUT chain maps it to the Maintenance Server IP on a different server, port 8080, and returns a webpage).
However, any traffic coming into the box seems to die after the PREROUTING rule if the destination IP is external.
Here is an example of our setup:
Old Setup:
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
New Setup: (old setup in various formats tried as well..., trying to log eth0 and br0 packets)
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface br0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface br0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Before changing to br0, the client request would go to server A at port 9080, and then be MASQUERADED off to a different server $MAINTIP.
As explained above, this works fine if $MAINTIP is on the same machine, but if it's on another server, the packet is never sent to $MAINTIP under the new br0 setup.
We want the packets to go out the same interface they came in on, MASQUERADED, as they did before we switched to using a single-NIC bridge (br0/bridge-utils).
I've tried adding logging at all stages in iptables. For some reason the iptables TRACE target doesn't work on this setup, so I can't get a TRACE log, but the packet shows up in the PREROUTING table, but seem to be silently dropped after that.
I've gone through this excellent document and have a better understanding of the flow between iptables and ebtables:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
From my understanding, it seems that the bridge is not forwarding the packets out the same interface they came in, and is dropping them. If we had a second interface added, I imagine it would be forwarding them out on that interface (the other side of the bridge) - which is the way bridges are meant to work ;-)
Is it possible to make this work the way we want it to, and PREROUTE/FORWARD those packets out over the same interface they came in on like we used to?
I'm hoping there are some ebtables rules which can work in conjunction with the iptables PREROUTING/FORWARD/POSTROUTING rules to make iptables forwarding work the way it usually does, and to send the routed packets out br0 (eth0) instead of dropping them.
Comments, flames, any and all advice welcome!
Best Regards,
Neale
iptables
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
We have a number of iptables rules for forwarding connections, which are solid and work well.
For example, port 80 forwards to port 8080 on the same machine (the webserver). When a given webserver is restarting, we forward requests to another IP on port 8080 which displays a Maintenance Page. In most cases, this other IP is on a separate server.
This all worked perfectly until we installed bridge-utils and changed to using a bridge br0 instead of eth0 as the interface.
The reason we have converted to using a bridge interface is to gain access to the MAC SNAT/DNAT capabilities of ebtables. We have no other reason to add a bridge interface on the servers, as they don't actually bridge connections over multiple interfaces.
I know this is a strange reason to add a bridge on the servers, but we are using the MAC SNAT/DNAT capabilities in a new project and ebtables seemed to be the safest, fastest and easiest way to go since we are already so familiar with iptables.
The problem is, since converting to a br0 interface, iptables PREROUTING forwarding to external servers is no longer working.
Internal PREROUTING forwarding works fine (eg: request comes in on port 80, it forwards to port 8080).
The OUTPUT chain also works (eg: we can connect outwards from the box via a local destination IP:8080, and the OUTPUT chain maps it to the Maintenance Server IP on a different server, port 8080, and returns a webpage).
However, any traffic coming into the box seems to die after the PREROUTING rule if the destination IP is external.
Here is an example of our setup:
Old Setup:
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
New Setup: (old setup in various formats tried as well..., trying to log eth0 and br0 packets)
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD --in-interface br0 -j ACCEPT
iptables -t nat -A POSTROUTING --out-interface br0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Before changing to br0, the client request would go to server A at port 9080, and then be MASQUERADED off to a different server $MAINTIP.
As explained above, this works fine if $MAINTIP is on the same machine, but if it's on another server, the packet is never sent to $MAINTIP under the new br0 setup.
We want the packets to go out the same interface they came in on, MASQUERADED, as they did before we switched to using a single-NIC bridge (br0/bridge-utils).
I've tried adding logging at all stages in iptables. For some reason the iptables TRACE target doesn't work on this setup, so I can't get a TRACE log, but the packet shows up in the PREROUTING table, but seem to be silently dropped after that.
I've gone through this excellent document and have a better understanding of the flow between iptables and ebtables:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
From my understanding, it seems that the bridge is not forwarding the packets out the same interface they came in, and is dropping them. If we had a second interface added, I imagine it would be forwarding them out on that interface (the other side of the bridge) - which is the way bridges are meant to work ;-)
Is it possible to make this work the way we want it to, and PREROUTE/FORWARD those packets out over the same interface they came in on like we used to?
I'm hoping there are some ebtables rules which can work in conjunction with the iptables PREROUTING/FORWARD/POSTROUTING rules to make iptables forwarding work the way it usually does, and to send the routed packets out br0 (eth0) instead of dropping them.
Comments, flames, any and all advice welcome!
Best Regards,
Neale
iptables
iptables
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
asked Jun 14 '13 at 21:59
Neale Rudd - Metawerx JavaNeale Rudd - Metawerx Java
62
62
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
When filtering on a bridge i think you need to use a different match for the interface in/out,
in your case, in i understand your setup correctly, something like
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE
I don't think you need to enable ip_forward ... this is a bridge afterall
last but not least
echo 1 > net.bridge.bridge-nf-call-iptables
make sure this is enabled , but it should by default.
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
add a comment |
I've faced with same issue a long time ago. There is the magic option hairpin on the bridge port interface, that implements this strange behaviour. If the hairpin disabled, then the frames won't be forwarded back through interface, through which these frames have been received.
One more interesting thing about this issue: when the interface is moved out into the promisc mode, all work perfectly. Most funny part is in that, it happens when you run the tcpdump to try to troubleshoot the problem.
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f515966%2febtables-iptables-bridge-utils-prerouting-forward-issue-on-single-nic-bridge%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
When filtering on a bridge i think you need to use a different match for the interface in/out,
in your case, in i understand your setup correctly, something like
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE
I don't think you need to enable ip_forward ... this is a bridge afterall
last but not least
echo 1 > net.bridge.bridge-nf-call-iptables
make sure this is enabled , but it should by default.
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
add a comment |
When filtering on a bridge i think you need to use a different match for the interface in/out,
in your case, in i understand your setup correctly, something like
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE
I don't think you need to enable ip_forward ... this is a bridge afterall
last but not least
echo 1 > net.bridge.bridge-nf-call-iptables
make sure this is enabled , but it should by default.
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
add a comment |
When filtering on a bridge i think you need to use a different match for the interface in/out,
in your case, in i understand your setup correctly, something like
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE
I don't think you need to enable ip_forward ... this is a bridge afterall
last but not least
echo 1 > net.bridge.bridge-nf-call-iptables
make sure this is enabled , but it should by default.
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
When filtering on a bridge i think you need to use a different match for the interface in/out,
in your case, in i understand your setup correctly, something like
iptables -t nat -A PREROUTING -p tcp --dport 9080 -j DNAT --to-destination $MAINTIP:8080
iptables -a FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -m physdev --physdev-out eth0 -j MASQUERADE
I don't think you need to enable ip_forward ... this is a bridge afterall
last but not least
echo 1 > net.bridge.bridge-nf-call-iptables
make sure this is enabled , but it should by default.
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
edited Jun 15 '13 at 15:12
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
answered Jun 15 '13 at 1:05
przRoccoprzRocco
31614
31614
add a comment |
add a comment |
I've faced with same issue a long time ago. There is the magic option hairpin on the bridge port interface, that implements this strange behaviour. If the hairpin disabled, then the frames won't be forwarded back through interface, through which these frames have been received.
One more interesting thing about this issue: when the interface is moved out into the promisc mode, all work perfectly. Most funny part is in that, it happens when you run the tcpdump to try to troubleshoot the problem.
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
add a comment |
I've faced with same issue a long time ago. There is the magic option hairpin on the bridge port interface, that implements this strange behaviour. If the hairpin disabled, then the frames won't be forwarded back through interface, through which these frames have been received.
One more interesting thing about this issue: when the interface is moved out into the promisc mode, all work perfectly. Most funny part is in that, it happens when you run the tcpdump to try to troubleshoot the problem.
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
add a comment |
I've faced with same issue a long time ago. There is the magic option hairpin on the bridge port interface, that implements this strange behaviour. If the hairpin disabled, then the frames won't be forwarded back through interface, through which these frames have been received.
One more interesting thing about this issue: when the interface is moved out into the promisc mode, all work perfectly. Most funny part is in that, it happens when you run the tcpdump to try to troubleshoot the problem.
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
I've faced with same issue a long time ago. There is the magic option hairpin on the bridge port interface, that implements this strange behaviour. If the hairpin disabled, then the frames won't be forwarded back through interface, through which these frames have been received.
One more interesting thing about this issue: when the interface is moved out into the promisc mode, all work perfectly. Most funny part is in that, it happens when you run the tcpdump to try to troubleshoot the problem.
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
edited Jun 5 at 23:02
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
answered Jun 5 at 21:12
Anton DanilovAnton Danilov
1,7531712
1,7531712
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f515966%2febtables-iptables-bridge-utils-prerouting-forward-issue-on-single-nic-bridge%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
