Iptables - Bridge and Forward chain
Because of the br-nf code, which is available as a patch to Linux 2.4 and is used in Linux 2.6:
The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets.
Since the traffic you are working with is IP, iptables rules still apply, because br-nf passes the bridged packets to iptables.
This is a great resource to read about the interaction, and this one details the functionality of the br-nf code, including how to disable all or some of its functionalities (i.e. not passing bridge traffic to iptables).
You can disable this behaviour (iptables handling bridged packets) by typing:
echo "0" > /proc/sys/net/bridge/bridge-nf-call-iptables
(see http://ebtables.sourceforge.net/documentation/bridge-nf.html)
If you do not need to use iptables with the bridge on your system, you can permanently disable it with either of the following:
- Adding an iptables rule:
iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
- Or editing /etc/sysctl.conf:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
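As an added example that is not part of the original answer, this POSIX shell script audits a sysctl-style file for the three bridge-nf keys above and checks an iptables-save dump for the physdev rule; both sample files are constructed inline. It assumes that a key absent from the file keeps the kernel default of 1 (bridged frames are hooked) once the br-nf code / br_netfilter module is loaded.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sysctl-style config for the
# three bridge-nf keys, and check an iptables-save dump for the physdev bypass
# rule. Assumption: a key absent from the file keeps the kernel default of 1
# (bridged frames are hooked) once the br-nf code / br_netfilter module is loaded.
# bridge_nf_value KEY FILE -> configured value (last match wins), or default "1"
bridge_nf_value() {
    val=$(sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([01]\).*/\1/p" "$2" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '1\n'
}

# bridge_nf_report FILE -> one line per table: "<table> hooked" or "<table> bypassed"
bridge_nf_report() {
    for t in iptables ip6tables arptables; do
        if [ "$(bridge_nf_value "net.bridge.bridge-nf-call-$t" "$1")" = "1" ]; then
            printf '%s hooked\n' "$t"
        else
            printf '%s bypassed\n' "$t"
        fi
    done
}

# forward_bridge_accept RULES -> "yes" if the first FORWARD rule accepts every
# bridged frame, so no later FORWARD rule ever sees bridged traffic
forward_bridge_accept() {
    case "$(grep '^-A FORWARD ' "$1" | head -n 1)" in
        *--physdev-is-bridged*-j\ ACCEPT*) printf 'yes\n' ;;
        *) printf 'no\n' ;;
    esac
}

# Constructed sample sysctl.conf: only the IPv4 hook is turned off; the
# ip6tables and arptables keys are missing, so those stay hooked.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 0
EOF

# Constructed iptables-save fragment with the physdev rule inserted first (-I FORWARD)
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j DROP
COMMIT
EOF
bridge_nf_report "$SAMPLE_CONF"
forward_bridge_accept "$SAMPLE_RULES"
```

Note that the physdev rule does not switch br-nf off: it accepts bridged frames before any later FORWARD rule, so the rules below it never see bridged traffic. The sysctl keys only exist, and a sysctl.conf setting only takes effect, once br_netfilter is loaded.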