I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
OK, so here are some of my thoughts and possible hints to a solution:

1) My routing tables need another route, so I just figure out how to configure that and add a route.

2) br0, eth0, and eth1 are incapable of an internet connection, in which case I need to create a virtual interface that can connect as if it were a separate interface that does the internet connecting.

3) (Very unsure, but...) use an alias interface to allow both eth0 without an IP address to make br0 happy and give eth0:0 an IP address to allow me to connect to the internet.
Thanks for any help, Justin Willmert
===================== ifcfg-br0 =====================
DEVICE=br0
TYPE=Bridge
BOOTPROTO=static
IPADDR=192.168.2.75
NETMASK=255.255.255.0
ONBOOT=yes
DELAY=0
STP=off

===================== ifcfg-eth0 =====================
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:04:5A:50:A6:38
ONBOOT=yes
TYPE=Ethernet
BRIDGE=br0

===================== ifcfg-eth1 =====================
DEVICE=eth1
BOOTPROTO=static
HWADDR=00:04:5A:4E:BC:02
ONBOOT=yes
TYPE=Ethernet
BRIDGE=br0

===================== static-routes =====================
any: net 127.0.0.0 netmask 255.0.0.0 dev lo
any: net default gw 192.168.2.2 dev br0
===================== output of `route` =====================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
===== 10 second or so delay here =====
default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
===================== output of `ifconfig` =====================
br0       Link encap:Ethernet  HWaddr 00:04:5A:4E:BC:02
          inet addr:192.168.2.75  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:178695 (174.5 KiB)  TX bytes:63849 (62.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:04:5A:50:A6:38
          inet6 addr: fe80::204:5aff:fe50:a638/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:100399 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8542 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11462669 (10.9 MiB)  TX bytes:3050387 (2.9 MiB)
          Interrupt:12 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:04:5A:4E:BC:02
          inet6 addr: fe80::204:5aff:fe4e:bc02/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41708 errors:13 dropped:0 overruns:0 carrier:13
          collisions:0 txqueuelen:1000
          RX bytes:3182447 (3.0 MiB)  TX bytes:7203127 (6.8 MiB)
          Interrupt:10
Justin Willmert wrote:
> I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
>
> OK, so here are some of my thoughts and possible hints to a solution:
>
> 1) My routing tables need another route, so I just figure out how to configure that and add a route.
>
> 2) br0, eth0, and eth1 are incapable of an internet connection, in which case I need to create a virtual interface that can connect as if it were a separate interface that does the internet connecting.
br0 is the network interface of the system. eth0 and eth1 are part of a bridge and therefore completely transparent in the network.
> 3) (Very unsure, but...) use an alias interface to allow both eth0 without an IP address to make br0 happy and give eth0:0 an IP address to allow me to connect to the internet.
>
> Thanks for any help, Justin Willmert
>
> ===================== ifcfg-br0 =====================
> DEVICE=br0
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=192.168.2.75
> NETMASK=255.255.255.0
> ONBOOT=yes
> DELAY=0
> STP=off
>
> ===================== ifcfg-eth0 =====================
> DEVICE=eth0
> BOOTPROTO=static
> HWADDR=00:04:5A:50:A6:38
> ONBOOT=yes
> TYPE=Ethernet
> BRIDGE=br0
>
> ===================== ifcfg-eth1 =====================
> DEVICE=eth1
> BOOTPROTO=static
> HWADDR=00:04:5A:4E:BC:02
> ONBOOT=yes
> TYPE=Ethernet
> BRIDGE=br0
>
> ===================== static-routes =====================
> any: net 127.0.0.0 netmask 255.0.0.0 dev lo
> any: net default gw 192.168.2.2 dev br0
>
> ===================== output of `route` =====================
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> ===== 10 second or so delay here =====
> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
You haven't set a netmask on the default route. It should be 255.255.255.0 to match the network segment.
Nigel Wade wrote:
> Justin Willmert wrote:
>> I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
> What IP address are you ssh'ed into the box from? Can you ssh back to that IP from the bridge machine? Might the ping issue be due to firewall rules (e.g. blocking ICMP packets)?
>> OK, so here are some of my thoughts and possible hints to a solution:
>>
>> 1) My routing tables need another route, so I just figure out how to configure that and add a route.
>>
>> 2) br0, eth0, and eth1 are incapable of an internet connection, in which case I need to create a virtual interface that can connect as if it were a separate interface that does the internet connecting.
>
> br0 is the network interface of the system. eth0 and eth1 are part of a bridge and therefore completely transparent in the network.
Correct.
>> ===================== output of `route` =====================
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
>> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
>> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>> ===== 10 second or so delay here =====
>> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
>
> You haven't set a netmask on the default route. It should be 255.255.255.0 to match the network segment.
A netmask of 0.0.0.0 is normal for the default route.
Paul.
Paul Howarth wrote:
> Nigel Wade wrote:
>> Justin Willmert wrote:
>>> I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
>>
>> What IP address are you ssh'ed into the box from? Can you ssh back to that IP from the bridge machine? Might the ping issue be due to firewall rules (e.g. blocking ICMP packets)?
OK, I thought I had my firewall set up correctly, because I had a default policy to accept on the OUTPUT and FORWARD chains so I never thought that'd be a problem, but when I shut it off, it does work. So now I guess my question would be, what special rules do I need to create to allow this bridge setup to work with a firewall? Here is my firewall script.
===================== setup-firewall-rules =====================
#!/bin/sh

# Delete all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Setup policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

# Always trust the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow already opened connections
# (Only need INPUT right now 'cause it's the only one with DROP policy)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Accept VNC connections
iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
>>> OK, so here are some of my thoughts and possible hints to a solution:
>>>
>>> 1) My routing tables need another route, so I just figure out how to configure that and add a route.
>>>
>>> 2) br0, eth0, and eth1 are incapable of an internet connection, in which case I need to create a virtual interface that can connect as if it were a separate interface that does the internet connecting.
>>
>> br0 is the network interface of the system. eth0 and eth1 are part of a bridge and therefore completely transparent in the network.
>
> Correct.
>
>>> ===================== output of `route` =====================
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
>>> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
>>> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>>> ===== 10 second or so delay here =====
>>> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
>>
>> You haven't set a netmask on the default route. It should be 255.255.255.0 to match the network segment.
>
> A netmask of 0.0.0.0 is normal for the default route.
>
> Paul.
The 10 second pause in the output also has to do with the firewall. When I shut down the firewall, it shows up immediately.
Thanks for the help guys, Justin
Justin Willmert wrote:
> Paul Howarth wrote:
>> Nigel Wade wrote:
>>> Justin Willmert wrote:
>>>> I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
>>>
>>> What IP address are you ssh'ed into the box from? Can you ssh back to that IP from the bridge machine? Might the ping issue be due to firewall rules (e.g. blocking ICMP packets)?
>
> OK, I thought I had my firewall set up correctly, because I had a default policy to accept on the OUTPUT and FORWARD chains so I never thought that'd be a problem, but when I shut it off, it does work. So now I guess my question would be, what special rules do I need to create to allow this bridge setup to work with a firewall? Here is my firewall script.
>
> ===================== setup-firewall-rules =====================
> #!/bin/sh
>
> # Delete all rules
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> # Setup policies
> iptables --policy INPUT DROP
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
>
> # Always trust the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # Enable packet forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Allow already opened connections
> # (Only need INPUT right now 'cause it's the only one with DROP policy)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Accept SSH connections
> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> # Accept VNC connections
> iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
> iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
I'm not an iptables or firewall expert so I may be wrong but it looks to me like the default DROP policy for the INPUT chain may be the issue. I think connection tracking may only work with TCP-based protocols such as ssh, which means that ICMP (e.g. ping) and UDP (e.g. DNS) may be problematic with this configuration. You may have to add rules to allow these types of traffic in.
> The 10 second pause in the output also has to do with the firewall. When I shut down the firewall, it shows up immediately.
That's probably a DNS issue. Try using the "-n" option to "route" to turn off DNS lookups and see if you still get the delay with the firewall on.
Paul.
Paul Howarth wrote:
> Justin Willmert wrote:
>> Paul Howarth wrote:
>>> Nigel Wade wrote:
>>>> Justin Willmert wrote:
>>>>> I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into the box, but if I try to ping anything, all the packets are lost.
>>>>
>>>> What IP address are you ssh'ed into the box from? Can you ssh back to that IP from the bridge machine? Might the ping issue be due to firewall rules (e.g. blocking ICMP packets)?
>>
>> OK, I thought I had my firewall set up correctly, because I had a default policy to accept on the OUTPUT and FORWARD chains so I never thought that'd be a problem, but when I shut it off, it does work. So now I guess my question would be, what special rules do I need to create to allow this bridge setup to work with a firewall? Here is my firewall script.
>>
>> ===================== setup-firewall-rules =====================
>> #!/bin/sh
>>
>> # Delete all rules
>> iptables -F
>> iptables -X
>> iptables -t nat -F
>> iptables -t nat -X
>> iptables -t mangle -F
>> iptables -t mangle -X
>>
>> # Setup policies
>> iptables --policy INPUT DROP
>> iptables --policy OUTPUT ACCEPT
>> iptables --policy FORWARD ACCEPT
>>
>> # Always trust the loopback interface
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A OUTPUT -o lo -j ACCEPT
>>
>> # Enable packet forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> # Allow already opened connections
>> # (Only need INPUT right now 'cause it's the only one with DROP policy)
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> # Accept SSH connections
>> iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
>>
>> # Accept VNC connections
>> iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
>> iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
>
> I'm not an iptables or firewall expert so I may be wrong but it looks to me like the default DROP policy for the INPUT chain may be the issue. I think connection tracking may only work with TCP-based protocols such as ssh, which means that ICMP (e.g. ping) and UDP (e.g. DNS) may be problematic with this configuration. You may have to add rules to allow these types of traffic in.
>
>> The 10 second pause in the output also has to do with the firewall. When I shut down the firewall, it shows up immediately.
>
> That's probably a DNS issue. Try using the "-n" option to "route" to turn off DNS lookups and see if you still get the delay with the firewall on.
>
> Paul.
Dear friend, I have a box with two NICs, one with Internet and the other internal, set up as a firewall and doing NAT. This is my iptables configuration, and it really works:

# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
#iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to-source 200.105.201.226
iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to-source 200.87.61.88
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

######################
# Note: -F flushes the filter table again here, so the FORWARD rule added above is removed.
iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
###uncomment this!!!!
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
####
## Allow SSH from network 1
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.1.1.0/24 -i eth1 -p udp --dport 22 -j ACCEPT
##
## Allow access to port 80 only from the intranet
iptables -A INPUT -p tcp -i eth1 -s 10.1.1.0/24 --dport 80 -j ACCEPT
##
# Transparent Squid proxy
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p udp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --sport 3128 -j ACCEPT
iptables -A INPUT -p udp --sport 3128 -j ACCEPT
##
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

## end of new method ##
#iptables -A INPUT -p tcp --syn -s 10.1.1.0/24 --destination-port 139 -j ACCEPT
#iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT

iptables -P INPUT DROP

########
# routing table
####
On Tue, 2005-11-01 at 07:37 -0600, Justin Willmert wrote:
OK, I thought I had my firewall set up correctly, because I had a default policy to accept on the OUTPUT and FORWARD chains so I never thought that'd be a problem, but when I shut it off, it does work. So now I guess my question would be, what special rules do I need to create to allow this bridge setup to work with a firewall? Here is my firewall script.
For a packet filtering bridge, you might also want to look at using the iptables physdev module to control traffic through a physical interface. For example, this rule forwards all traffic coming in through eth1:
iptables -A FORWARD -m physdev --physdev-in eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
You might also want to look at ebtables:
http://ebtables.sourceforge.net/
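Putting Paul's point (an INPUT DROP policy needs explicit rules for the ICMP and UDP traffic the host itself relies on) together with the physdev suggestion above, here is an added example of a complete firewall script for a bridge host like Justin's. It is not code from the thread or from any of its posters. It assumes br0 with member ports eth0 (outside) and eth1 (inside), an admin network of 192.168.2.0/24 taken from Justin's br0 address, and two dry-run variables, IPT and SYSCTL_WRITE, so the rule set can be previewed without root. Linux connection tracking does track UDP and ICMP echo, so a single ESTABLISHED,RELATED rule on INPUT admits DNS answers and ping replies; what still needs explicit rules is ICMP the box did not initiate (errors such as unreachable and time-exceeded, and incoming echo-request if the box should stay pingable).

```shell
#!/bin/sh
# Added example, not from the thread: firewall for a Linux host whose only
# IP interface is the bridge br0 (ports eth0/eth1). Interface names, the
# admin network and the dry-run variables below are assumptions.
# Preview without root:  IPT=echo SYSCTL_WRITE=0 sh bridge-fw.sh preview
IPT="${IPT:-iptables}"
SYSCTL_WRITE="${SYSCTL_WRITE:-1}"   # 0 skips writing /proc (dry run)

BRIDGE=br0
INSIDE_PORT=eth1
OUTSIDE_PORT=eth0
ADMIN_NET=192.168.2.0/24

flush_all() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
    $IPT -t mangle -F; $IPT -t mangle -X
}

host_rules() {
    # Packets addressed to the box itself arrive via br0 and hit INPUT.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the box opened: TCP, UDP (DNS) and ICMP echo.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP the host needs but did not initiate: error messages, and a
    # rate-limited echo-request from the admin network so it stays pingable.
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$ADMIN_NET" -m limit --limit 5/s -j ACCEPT
    # Management services (SSH, VNC), new connections from the admin network only.
    $IPT -A INPUT -i "$BRIDGE" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$BRIDGE" -s "$ADMIN_NET" -p tcp --dport 5901 -m state --state NEW -j ACCEPT
}

bridge_rules() {
    # Frames crossing the bridge traverse FORWARD when bridge-nf-call-iptables=1.
    # Both sides share br0, so decide per physical port with the physdev match.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$INSIDE_PORT" --physdev-out "$OUTSIDE_PORT" -m state --state NEW -j ACCEPT
    # Nothing new initiated on the outside port reaches the inside segment.
    $IPT -A FORWARD -m physdev --physdev-in "$OUTSIDE_PORT" -m state --state NEW -j DROP
}

apply_firewall() {
    flush_all
    host_rules
    bridge_rules
    # Make bridged IP traffic visible to iptables (needs the kernel's bridge
    # netfilter code; on newer kernels that is the br_netfilter module).
    if [ "$SYSCTL_WRITE" = 1 ]; then
        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    fi
}

# Dry-run self-check: number of emitted rule lines matching a pattern.
count_rules() {
    (IPT=echo; SYSCTL_WRITE=0; apply_firewall) | grep -c -- "$1" || true
}

case "${1:-}" in
    apply)   apply_firewall ;;
    preview) (IPT=echo; SYSCTL_WRITE=0; apply_firewall) ;;
esac
```

Run it as root with `apply`, or with `preview` to print the rule set; `count_rules` lets a test confirm that the ICMP and physdev rules are present before the script is ever applied. The FORWARD policy here is DROP rather than Justin's ACCEPT, which is what makes the per-port physdev rules meaningful.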
Paul Howarth wrote:
> Nigel Wade wrote:
>> Justin Willmert wrote:
>>> ===================== output of `route` =====================
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
>>> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
>>> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>>> ===== 10 second or so delay here =====
>>> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
>>
>> You haven't set a netmask on the default route. It should be 255.255.255.0 to match the network segment.
>
> A netmask of 0.0.0.0 is normal for the default route.
>
> Paul.
Oops, so it is. Was looking at another system with different routing and failed to engage brain correctly.