My server, running the latest kernel (4.4.6), has a bond device (bond0) configured with two enslaved interfaces, eth0 and wlan0, with eth0 as the primary interface.
cat /proc/net/bonding/bond0

Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect always)
Currently Active Slave: wlan0
MII Status: up
MII Polling Interval (ms): 1000
Up Delay (ms): 1000
Down Delay (ms): 1000

Slave Interface: wlan0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 3
Permanent HW addr: dc:53:60:5f:50:cd
Slave queue ID: 0

Slave Interface: eth0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 4
Permanent HW addr: b8:ae:ed:7c:7d:c9
Slave queue ID: 0
I also run iptables to filter traffic and block some local ports, while allowing all outgoing traffic.
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
What I have failed to do is create a mechanism that blocks remote access on a specific port when the primary interface eth0 is down and wlan0 becomes active.
I tried to add an iptables rule for wlan0, although I know that is not correct because the interface is bond0 (failed):
*filter
-A INPUT -p tcp -i wlan0 -m state --state NEW -m tcp --dport 8090 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -j ACCEPT
I tried to add an iptables rule for wlan0 to mark packets in PREROUTING and match the mark in the filter table (failed):
*mangle
-A PREROUTING -i wlan0 -j MARK --set-xmark 0x1/0xffffffff
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -m mark ! --mark 0x1 -j ACCEPT
I tried to add an ebtables rule to mark packets at Layer 2 and match the mark in the Layer 3 filter (failed):
ebtables:
ebtables -t broute -A BROUTING -p ipv4 -i wlan0 -j mark --set-mark 0x1 --mark-target ACCEPT
iptables:
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8090 -m mark ! --mark 0x1 -j ACCEPT
I would like to avoid the MAC address solution because it will not work with MAC policy: None.
Any ideas?
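The three attempts above fail for the same reason: the bonding driver rewrites the receive device to bond0 before a frame reaches the IP layer, so `-i wlan0` in the mangle or filter tables never matches, and the ebtables broute chain only processes frames entering bridge ports, which bond slaves are not. What netfilter cannot see, the bonding driver does publish: `/sys/class/net/bond0/bonding/active_slave` names the slave currently carrying traffic. The script below is an added example, not part of the original question or any answer to it; it reacts to failover events by toggling a DROP rule for port 8090 on bond0 itself. The interface names, the port and the sysfs path are taken from the question; the function names and the `--watch` flag are hypothetical, and the script fails closed (blocks) whenever the active slave is anything other than the primary eth0, including when the sysfs file cannot be read.

```shell
#!/bin/sh
# Added example (not from the original post): converge an iptables DROP rule
# on the bond's current active slave instead of trying to match the slave in
# netfilter, where every packet already carries bond0 as its ingress device.
BOND="${BOND:-bond0}"
PRIMARY_SLAVE="${PRIMARY_SLAVE:-eth0}"
PORT="${PORT:-8090}"
SYSFS="${SYSFS:-/sys/class/net/$BOND/bonding/active_slave}"

# rule_args: the one rule we add or delete. It matches on bond0 (the device
# the IP layer sees) and is inserted with -I so it sits ahead of the existing
# "--dport 8090 -j ACCEPT" rule in the question's ruleset.
rule_args() {
    printf 'INPUT -i %s -p tcp -m state --state NEW -m tcp --dport %s -j DROP' \
        "$BOND" "$PORT"
}

# desired_action ACTIVE_SLAVE: "allow" only while the primary link carries
# traffic; anything else (backup slave, empty or unreadable sysfs) is "block",
# so a misconfigured path fails closed rather than leaving the port open.
desired_action() {
    case "$1" in
        "$PRIMARY_SLAVE") echo allow ;;
        *)                echo block ;;
    esac
}

# rule_present: exit 0 if our DROP rule is already installed (needs root).
rule_present() {
    # shellcheck disable=SC2046  # word-splitting rule_args is intentional
    iptables -C $(rule_args) 2>/dev/null
}

# apply ACTION: idempotently bring the ruleset to the desired state, so the
# rule is never duplicated when several link events arrive in a row.
apply() {
    case "$1" in
        block) rule_present || iptables -I $(rule_args) ;;
        allow) if rule_present; then iptables -D $(rule_args); fi ;;
    esac
}

# sync_once: read the active slave from sysfs once and converge on it.
sync_once() {
    active=$(cat "$SYSFS" 2>/dev/null || true)
    apply "$(desired_action "$active")"
}

# --watch: converge now, then again on every link event. "ip monitor link"
# prints a line whenever a carrier or slave state changes, which is exactly
# when the bond fails over between eth0 and wlan0.
if [ "${1:-}" = "--watch" ]; then
    sync_once
    ip monitor link | while read -r _; do sync_once; done
fi
```

Run it as root with `--watch` from a systemd unit or rc script; the active-backup failover shown in the question (eth0 down, wlan0 active) makes `desired_action` return `block` and installs the DROP rule, and `primary_reselect always` means the rule is removed again as soon as eth0 comes back. Because the decision is made from the bond's own state, it also works with `fail_over_mac` set to none, where the two slaves share one MAC and a MAC-based rule cannot tell them apart.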
User contributions licensed under CC BY-SA 3.0