I've been trying to set up a transparent L2 Linux bridging firewall using a Linux bridge in combination with the bridge-nf-call-iptables, bridge-nf-filter-vlan-tagged and bridge-nf-filter-pppoe-tagged system variables.
My configuration:
Bridge:
brctl addif br0 enp1s0
brctl addif br0 enp2s0
ifconfig enp1s0 up
ifconfig enp2s0 up
ifconfig br0 up
Bridge-nf:
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged
echo 1 > /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged
IPTables:
iptables -A INPUT -d 8.8.8.8 -j DROP
iptables -A FORWARD -d 8.8.8.8 -j DROP
With the above setup, when trying to do a DNS lookup to 8.8.8.8 over a PPPoE encapsulated connection (running through the bridge), nothing gets blocked and the DNS query is successful. Doing the same query directly (without PPPoE encapsulation) does get properly blocked. So it appears that the packet is not properly decapsulated before being processed by iptables. However, according to the documentation, setting /proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged should enable iptables to filter PPPoE encapsulated packets.
What am I doing wrong/overlooking?
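Added illustration, not code from the question: a short Python walk through the encapsulation layers (plain Ethernet, 802.1Q tag, RFC 2516 PPPoE session header plus PPP protocol field) that locates the inner IPv4 destination, which is the decapsulation step that must happen before a rule like `-d 8.8.8.8` can see the real address. `build_frame`, `inner_ipv4_dst` and `naive_dst` are constructed helpers and the frames are sample data, not captures from the bridge above.

```python
import struct
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_PPP_SES, ETH_P_IP, PPP_IP = 0x8100, 0x8864, 0x0800, 0x0021


def build_frame(dst: str, pppoe: bool, vlan: bool = False) -> bytes:
    """Constructed test frame: Ethernet [+802.1Q] [+PPPoE session +PPP] + IPv4 header.

    MACs are zero, protocol number 17 (UDP) with no payload, checksum left 0:
    sample data for the parser below, not a real capture.
    """
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address("10.0.0.2").packed, IPv4Address(dst).packed)
    if pppoe:   # RFC 2516 session header (ver/type 0x11, code 0, sid, len) then PPP proto
        ip = struct.pack("!BBHHH", 0x11, 0x00, 1, len(ip) + 2, PPP_IP) + ip
    ethertype = ETH_P_PPP_SES if pppoe else ETH_P_IP
    tag = struct.pack("!HH", ETH_P_8021Q, 100) if vlan else b""   # VLAN 100, priority 0
    return bytes(12) + tag + struct.pack("!H", ethertype) + ip


def inner_ipv4_dst(frame: bytes):
    """Walk the encapsulation; return (layers, dst) or None if no IPv4 packet is inside.

    layers is 'plain', 'vlan', 'pppoe' or 'vlan+pppoe'. This is the work the
    bridge netfilter code must do before an iptables `-d` match is meaningful.
    """
    off, layers = 12, []
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == ETH_P_8021Q:            # 4-byte tag: TPID + TCI, then the real ethertype
        layers.append("vlan")
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2                                # past the ethertype, now at the payload
    if ethertype == ETH_P_PPP_SES:
        ver_type, code, _sid, _length, ppp_proto = struct.unpack_from("!BBHHH", frame, off)
        if ver_type != 0x11 or code != 0x00 or ppp_proto != PPP_IP:
            return None                     # discovery, LCP/IPCP, IPv6 ...: not IPv4 data
        layers.append("pppoe")
        off += 8                            # 6-byte PPPoE header + 2-byte PPP protocol
    elif ethertype != ETH_P_IP:
        return None
    if frame[off] >> 4 != 4:
        return None
    return "+".join(layers) or "plain", IPv4Address(frame[off + 16:off + 20])


def naive_dst(frame: bytes) -> IPv4Address:
    """What a filter 'sees' if it assumes IPv4 starts right after a 14-byte Ethernet header."""
    return IPv4Address(frame[30:34])
```

For the PPPoE frame `naive_dst` reads the TTL, protocol and checksum bytes of the inner header instead of the destination, so a `-d 8.8.8.8` match against an undecapsulated frame can never fire; `inner_ipv4_dst` finds 8.8.8.8 in all three encapsulations.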