Does this work?

Adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those IPs from getting to the bridged part of iptables? Or would a different syntax be used?

-A INPUT -s 66.77.65.128/26 -j DROP
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
On 4/27/2012 9:36 AM, Bob Hoffman wrote:
> Does this work?
>
> Adding DROP to iptables on the virtual host's iptables, before the phys
> bridge....will it prevent those IPs from getting to the bridged part of
> iptables? Or would a different syntax be used?
>
> -A INPUT -s 66.77.65.128/26 -j DROP
> -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT

Would something like this work?

-A PREROUTING -s 66.77.65.128/26 -j DROP

or would my server die upon testing it...lol
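Added example, not code from the thread: with br_netfilter active (bridge-nf-call-iptables=1), bridged frames traverse FORWARD rather than INPUT, so the INPUT DROP above never sees them, and because `-I FORWARD` puts the physdev ACCEPT at the head of the chain, a DROP appended to FORWARD later would never match either. The script below (function names are my own) lints a *filter ruleset for that shadowing and prints a corrected section with the DROP placed ahead of the physdev ACCEPT.

```shell
# Added example, not from the thread. Assumes br_netfilter is active
# (bridge-nf-call-iptables=1), so bridged frames traverse FORWARD, never INPUT.

# Constructed sample: the posted rules as a *filter section. The "-I FORWARD"
# line is written in its effective position, i.e. at the top of FORWARD.
ORIGINAL_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 66.77.65.128/26 -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# forward_drop_before_accept RULES SRC
# Returns 0 only if FORWARD drops SRC before the first physdev ACCEPT, i.e.
# the block actually applies to bridged traffic; returns 1 otherwise.
forward_drop_before_accept() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /^-A FORWARD / && /-j DROP/ && index($0, "-s " src) { drop = 1 }
        /^-A FORWARD / && /physdev-is-bridged/ && /-j ACCEPT/ { exit }
        END { exit drop ? 0 : 1 }'
}

# hardened_rules SRC
# Prints a corrected *filter section: the DROP for SRC goes into FORWARD ahead
# of the physdev ACCEPT and stays in INPUT for traffic addressed to the host.
hardened_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $1 -j DROP
-A FORWARD -s $1 -j DROP
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Load as root with: hardened_rules 66.77.65.128/26 | iptables-restore
if forward_drop_before_accept "$ORIGINAL_RULES" 66.77.65.128/26; then
    echo "original: DROP reaches bridged traffic"
else
    echo "original: physdev ACCEPT shadows the DROP for bridged traffic"
fi
```

`-A PREROUTING` is rejected in a *filter section because the filter table only has INPUT, FORWARD and OUTPUT; PREROUTING exists in the raw, mangle and nat tables (e.g. `iptables -t raw -A PREROUTING -s 66.77.65.128/26 -j DROP`), where it drops before connection tracking.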