March 23, 2016

Linux iptables, NAT and bridge interface

There are some issues using Linux iptables, bridge interface and NAT together. See details from the blog:

http://www.woitasen.com.ar/2011/09/confusion-using-iptables-nat-and-bridge/

The summary: packets forwarded between the bridged interfaces also pass through iptables, so a connection-tracking entry can be created for a connection before any of its packets reach the NAT-enabled outbound interface. When a later packet of that connection is routed to the NAT-enabled outbound interface, the NAT table is no longer consulted, because NAT decisions are only made for the first packet of a connection and the conntrack entry already exists.

There are two possible solutions:

  • echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables  # disables iptables processing of bridged traffic altogether.
  • Raw table: this table can be used to keep packets (really, whole connections) out of connection tracking, and therefore out of the NAT table: iptables -t raw -I PREROUTING -i BRIDGE -s x.x.x.x -j NOTRACK, where BRIDGE is the bridge interface and x.x.x.x the source address of the bridged traffic.
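A shell script, added here as an example and not part of the original post, that renders and optionally applies the raw-table fix. It assumes a bridge named br0, an outbound NAT interface eth0 and a constructed LAN 192.168.100.0/24, and narrows the NOTRACK rule to traffic whose source and destination are both inside the bridged LAN, so traffic that is routed out through the NAT interface stays tracked and still reaches the nat table.

```shell
#!/bin/sh
# Added example (not from the original post). Renders, and with "apply" installs,
# the raw-table fix for the bridge/NAT conntrack problem described above.
# Names below are assumptions: adjust to the real bridge, LAN and uplink.
BRIDGE_IF="${BRIDGE_IF:-br0}"                  # assumed bridge device
BRIDGE_NET="${BRIDGE_NET:-192.168.100.0/24}"   # constructed LAN behind the bridge
NAT_IF="${NAT_IF:-eth0}"                       # assumed NAT-enabled outbound interface

# Print the rules one per line so they can be reviewed before anything is applied.
render_rules() {
    # Skip conntrack only for traffic that enters and leaves via the bridge (source and
    # destination both inside the bridged LAN). Those packets never need NAT, and not
    # tracking them avoids the stale conntrack entry that bypasses the nat table.
    # LAN-to-outside traffic stays tracked, so MASQUERADE on the uplink keeps working.
    printf '%s\n' \
        "iptables -t raw -I PREROUTING -i $BRIDGE_IF -s $BRIDGE_NET -d $BRIDGE_NET -j NOTRACK" \
        "iptables -t nat -A POSTROUTING -o $NAT_IF -s $BRIDGE_NET -j MASQUERADE"
}

# Report whether bridged frames are currently passed to iptables at all:
# returns 0 when they are (the problem applies), 1 when disabled, 2 when the
# sysctl is not present (br_netfilter not loaded, or not a Linux host).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Install the rendered rules; requires root and iptables on a Linux host.
apply_rules() {
    render_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

case "${1:-render}" in
    apply) apply_rules ;;
    *)     render_rules ;;
esac
```

Run it without arguments to review the rules, and with "apply" as root to install them; the bridge_nf_enabled check tells you whether the bridged traffic is being passed to iptables in the first place.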
