[Bridge] Bridging vlans...

Jeremy Jones jjones at djc.state.id.us
Thu Mar 25 17:44:51 PST 2004

Now, with iptables, under the first scenario (creating 2 vlan interfaces per
physical interface, and bridging the vlan interfaces), can I safely DROP
everything to, from, or through eth0 & eth1?  That is, assuming I don't want
to forward any untagged frames.


iptables -N only_tagged
iptables -A only_tagged -j LOG --log-prefix " untagged? "
iptables -A only_tagged -j DROP
iptables -A INPUT -i eth0 -j only_tagged
iptables -A INPUT -i eth1 -j only_tagged
iptables -A OUTPUT -i eth0 -j only_tagged
iptables -A OUTPUT -i eth1 -j only_tagged
iptables -A FORWARD -i eth0 -j only_tagged
iptables -A FORWARD -i eth1 -j only_tagged

Then do my more granular filtering on the vlan interfaces...

(guess this would be something to ask the vlan mailing list people -- but
what the heck, this list isn't terribly busy anyway)

I imagine I'll have to come up with a fairly complex matrix of --physdev-in,
--physdev-out, etc. combinations.  Yikes.


> -----Original Message-----
> From: bridge-bounces at lists.osdl.org 
> [mailto:bridge-bounces at lists.osdl.org] On Behalf Of John W. Linville
> Sent: Thursday, March 25, 2004 5:56 AM
> To: Jeremy Jones
> Cc: bridge at lists.osdl.org
> Subject: Re: [Bridge] Bridging vlans...
> Jeremy,
> I have no specific experience with a situation like yours.  But, that 
> won't stop me from rendering an opinion... :-)
> I, too, would lean toward the first at least partly for the 
> reason you 
> describe.  But, you should also consider untagged frames and 
> frames with 
> other VLAN IDs.  The second configuration should bridge all frames 
> (tagged or untagged), while the first will only be bridging 
> frames with 
> VLAN IDs of 4 or 51.  I'm not sure which is your desired 
> behaviour, but 
> I suspect it is the first configuration which you should prefer.
> Hth...
> John
> -- 

More information about the Bridge mailing list