I have a Linux machine (my workstation). From there I can ping other local machines, let's say 192.168.1.22. Let's say I want to prohibit communication with 192.168.1.22 by its MAC address. I'm trying a simple rule:

ebtables -I INPUT -s 00:24:1d:c9:0a:27 -j DROP

But still I can ping that host. Is ebtables limited to filtering traffic only on bridge interfaces?

thor

2 Answers

Yes, ebtables only acts on frames traversing bridge interfaces. You can, however, do a nice layering violation and use the -m mac --mac-source iptables option.

Whenever I'm doing anything at all complex with netfilter I keep this diagram close to hand: http://jengelh.medozas.de/images/nf-packet-flow.png

Ben Jencks

Thor, what you suggest is correct and is working. I just tested it.

You may need to update the routes by replacing bridged interfaces with the bridge interface itself, to make sure you're not bypassing the bridge.

ip route del 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
ip route add 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

Dan
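The two answers boil down to one decision: ebtables only sees frames that cross a bridge, so on a plain interface the iptables MAC match is the tool, and on a bridge port (or the bridge device itself, as in Dan's routing fix) ebtables is. The script below is an added example, not code from either answer; it assumes the kernel's /sys/class/net layout (`<if>/brport` for an enslaved port, `<if>/bridge` for the bridge device) and only prints the rule it picks, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example: pick the filter that will actually see a frame from a given
# MAC arriving on a given interface. Assumes the /sys/class/net layout;
# SYSFS_NET can be overridden for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Accept only the six-octet colon form that ebtables and iptables parse.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print "port" (enslaved to a bridge), "bridge" (the bridge device) or "plain".
if_kind() {
    if [ -d "$SYSFS_NET/$1/brport" ]; then echo port
    elif [ -d "$SYSFS_NET/$1/bridge" ]; then echo bridge
    else echo plain
    fi
}

# Print the rule matching frames from MAC $2 that arrive on interface $1.
# ebtables: -i is the physical bridge port, --logical-in the bridge device.
# iptables: the mac match reads the received frame's source MAC, so it only
# works in INPUT, FORWARD and PREROUTING, never in OUTPUT.
drop_rule_for() {
    ifname=$1; mac=$2
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    case "$(if_kind "$ifname")" in
        port)   echo "ebtables -I INPUT -i $ifname -s $mac -j DROP" ;;
        bridge) echo "ebtables -I INPUT --logical-in $ifname -s $mac -j DROP" ;;
        plain)  echo "iptables -I INPUT -i $ifname -m mac --mac-source $mac -j DROP" ;;
    esac
}
```

Either rule discards the echo replies, so the ping fails, but the workstation's own echo requests still leave: outbound traffic cannot be matched by MAC, and ARP is not seen by iptables at all.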