How to block ICMP packets on bridged interface member eth1

I have a br-lan interface with members eth0 and eth1.
I am trying to filter and forward some specific traffic from the bridge to other interfaces like tun or tap.
eth0 is WAN
eth1 is LAN
I want to block ICMP requests coming from LAN to WAN on eth1,
and there is a problem like below. Any help would be appreciated.

root@alfa:~# iptables -A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -p icmp -j REJECT
[ 2752.462243] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
[ 2752.475265] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.
root@alfa:~#

You can't use "iptables" for this: once you bridge the interfaces, traffic flows through a lower layer, and you need to use "ebtables" instead.

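The rule the reply above points at, written as an added example (not from the thread or from OpenWrt) in the nftables "bridge" family, which is the successor of ebtables and filters frames at the same layer-2 hook; it assumes the thread's br-lan with eth1 as LAN and eth0 as WAN, and the table and chain names are my own.

```nft
#!/usr/sbin/nft -f
# Added example: layer-2 filtering of frames forwarded inside the bridge.
# Assumes br-lan with member ports eth1 (LAN) and eth0 (WAN) as in the thread.
# The classic ebtables equivalent of the IPv4 rule below is:
#   ebtables -A FORWARD -p IPv4 --ip-proto icmp -i eth1 -o eth0 -j DROP

table bridge lan_wan_filter {
    chain forward {
        # "bridge" family forward hook: sees frames switched between bridge
        # ports, which the iptables FORWARD chain only sees when the optional
        # br_netfilter module hands bridged IP traffic to iptables.
        type filter hook forward priority 0; policy accept;

        # Drop ICMP echo requests entering on eth1 and leaving via eth0.
        # "ip protocol" implicitly restricts the match to IPv4 ether frames.
        iifname "eth1" oifname "eth0" ip protocol icmp icmp type echo-request counter drop

        # Same for IPv6 pings, in case the bridge also carries IPv6.
        iifname "eth1" oifname "eth0" ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
    }
}
```

Load it with `nft -f <file>` and confirm the rule and its counters with `nft list table bridge lan_wan_filter`, then ping from the LAN side to see the drop counter increment.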

Moreover:

why did you bridge them in the first place?


Sorry for the late reply, but actually it worked for me despite this warning. So now I cannot ping from eth0 to eth1 or from eth1 to eth0.
[ 2752.462243] xt_physdev: using --physdev-out and --physdev-is-out are only supported in the FORWARD and POSTROUTING chains with bridged traffic.

root@orangepi-r1:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     icmp --  anywhere             anywhere             PHYSDEV match --physdev-in eth1 --physdev-out eth0 reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@orangepi-r1:/# ping 192.168.57.1
PING 192.168.57.1 (192.168.57.1): 56 data bytes

My network config:

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth0'
        option proto 'dhcp'
