Ubuntu
ufw package

  1. Bug #573461
  2. Comment #2

Comment 2 for bug 573461

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: UFW blocks bridged traffic

Seems this is the relevant line in the IRC conversation:
22:24 < MTecknology> cclausen: May 1 22:24:22 pessum kernel: [19981.061455] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=196 TOS=0x10 PREC=0x00 TTL=63 ID=40752 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0

Using libvirt with bridging requires additional configuration. For details, see:
http://wiki.libvirt.org/page/Networking#Creating_network_initscripts

Specifically, this section:
"The final step is to disable netfilter on the bridge:

 # cat >> /etc/sysctl.conf <<EOF
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 EOF
 # sysctl -p /etc/sysctl.conf

It is recommended to do this for performance and security reasons. See Fedora bug #512206. Alternatively you can configure iptables to allow all traffic to be forwarded across the bridge:

# echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload
"

Translated into Ubuntu/ufw language, either:
a) disable netfilter on the bridge via /etc/sysctl.conf, /etc/ufw/sysctl.conf or add a file with the above to /etc/sysctl.d or
b) configure iptables to allow all traffic to be forwarded across the bridge by adding the following to /etc/ufw/before.rules:
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT