I am new to networking, and I am trying to implement a firewall inside of an LXC container (Alpine Linux) that is bridged with another LXC container (Alpine Linux) through a br0 interface.

Right now, my only goal is to block all traffic that is coming from the client device through the container.

So far I have had lots of trouble getting any of the firewall rules to apply/work properly.

What happens is I can set a rule/policy (e.g. drop forward chain), verify that it is in the ruleset, but then when I connect a client device to the network, it does not seem to apply (I can still access the network).

I am using nftables to configure the firewall settings.

My basic process is:

install nftables add policy to drop packets in the forwarding chain I have tried every possible configuration I can think of for these rules.

I was reading that because the container is bridged, that the data packets only travel on layer 2, so the layer 3 firewall rules would not ever apply to the packet, is this true?

I have been able to use layer 2 rules to block traffic (e.g. bridge rules in nftables and ebtables rules), but nothing on layer 3 yet.

For more background, here is the container interface setup:

WLAN0/WLAN1 -> br0 (Container A) -> br0 (Container B) -> eth0 -> internet

I am trying to apply firewall rules inside of container A right now.

If any more information is needed, let me know :)