
I am trying to block DNS requests using an Ubuntu machine. I have created a bridge and the packets are being forwarded as expected. But when I add iptables rules, they are not taken into account. I tried with no rules, simply setting the policy of each table to DROP, and even this doesn't work: the packets are still transmitted without interruption. I should specify that I'm working in an ISP context so, network-wise, the bridge is situated on the WAN side, between the CPE and a Telindus. Thanks for the help.

Version of iptables: 1.4.21

# iptables -L -n -v

0 packets in forward and input, 16 in output (Rather synthetic as I'm on my phone)

All policies are in DROP mode.

/proc/sys/net/bridge/bridge-nf-call-iptables = 1

The configuration of the bridge is rather simple:

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1

ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up
Doezer
  • 126

2 Answers

0

It would be useful to share the output of iptables -L -n -v with us.

In order to drop traffic on a bridged interface, just use:

iptables -A FORWARD -p tcp --dport 53 -j DROP
iptables -A FORWARD -p udp --dport 53 -j DROP

Feel free to use

tcpdump -i any -n port 53

to see whether the traffic really goes through the server.

You can also use:

iptables -A FORWARD -j LOG --log-prefix "IPTables: " --log-level 4

to log the traffic that passes through iptables.

Yarik Dot
  • 1,583
0

I'm answering my own question: the problem was coming from the following parameters:

/proc/sys/net/bridge/bridge-nf-filter-pppoe-tagged
/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged

I set them to 1 and it allowed the subsequent frames/packets to be forwarded into the iptables FORWARD table. Thank you for your help.

Doezer
  • 126
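The fix above and the rules from the first answer, combined into a small POSIX sh helper (added example, not code from either answer): it reports which of the three bridge-netfilter sysctls are not set to 1, enables them, and emits the FORWARD rules. The `BRIDGE_NF_DIR` variable and the function names are assumptions so the check can be exercised against a copy of the sysctl files on a host that has no bridge.

```shell
#!/bin/sh
# Added example (not from the original question or answers).
# BRIDGE_NF_DIR is an assumed override of /proc/sys/net/bridge so the
# check functions can be run against a scratch directory without root.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# The three knobs that decide whether bridged frames reach iptables.
# bridge-nf-call-iptables alone is not enough on a WAN-side bridge:
# VLAN- and PPPoE-tagged frames skip FORWARD unless the *-tagged knobs
# are also enabled, which is what the accepted answer found.
BRIDGE_NF_KNOBS="bridge-nf-call-iptables bridge-nf-filter-vlan-tagged bridge-nf-filter-pppoe-tagged"

# Print every knob whose value is not 1; return 1 if any were printed.
bridge_nf_missing() {
    _dir="${1:-$BRIDGE_NF_DIR}"
    _rc=0
    for _k in $BRIDGE_NF_KNOBS; do
        if [ "$(cat "$_dir/$_k" 2>/dev/null)" != "1" ]; then
            echo "$_k"
            _rc=1
        fi
    done
    return $_rc
}

# Set all three knobs to 1 (needs root on a real host).
bridge_nf_enable() {
    _dir="${1:-$BRIDGE_NF_DIR}"
    for _k in $BRIDGE_NF_KNOBS; do
        echo 1 > "$_dir/$_k"
    done
}

# Emit the FORWARD rules that block DNS over the bridge. The LOG rules
# come first so every blocked query is visible in the kernel log.
dns_block_rules() {
    printf '%s\n' \
      'iptables -A FORWARD -p udp --dport 53 -j LOG --log-prefix "IPTables: " --log-level 4' \
      'iptables -A FORWARD -p tcp --dport 53 -j LOG --log-prefix "IPTables: " --log-level 4' \
      'iptables -A FORWARD -p udp --dport 53 -j DROP' \
      'iptables -A FORWARD -p tcp --dport 53 -j DROP'
}

# Stand-alone use: `sh bridge-dns-block.sh apply` checks the knobs,
# enables any that are off, then installs the rules.
if [ "${1:-}" = "apply" ]; then
    bridge_nf_missing || bridge_nf_enable
    dns_block_rules | sh
fi
```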