Bridging interfaces and the internet
Justin Willmert
justin at jdjlab.com
Tue Nov 1 13:37:48 UTC 2005
Paul Howarth wrote:
> Nigel Wade wrote:
>
>> Justin Willmert wrote:
>>
>>> I just set up a desktop with two network cards and have got a bridge
>>> working between the two. That is not what my problem lies in though.
>>> I would like for the box to be able to connect to the internet also,
>>> but if I understand what I've set up correctly, I can't do that with
>>> my current setup. When I've tried to give one of the network cards an
>>> IP address, nothing but lo works, so I know there's something
>>> missing. I'll add my configuration at the bottom, but shortly, br0 is
>>> configured with an IP address, and eth0 and eth1 have none. Now, I
>>> know br0 is capable of at least a network connection because as I
>>> type this, I'm currently SSHed into the box, but if I try to
>>> ping anything, all the packets are lost.
>
> What IP address are you ssh'ed into the box from? Can you ssh back to
> that IP from the bridge machine? Might the ping issue be due to firewall
> rules (e.g. blocking ICMP packets)?
>
OK, I thought I had my firewall set up correctly, because I had a
default policy to accept on the OUTPUT and FORWARD chains so I never
thought that'd be a problem, but when I shut it off, it does work. So
now I guess my question would be, what special rules do I need to create
to allow this bridge setup to work with a firewall? Here is my firewall
script.
===================== setup-firewall-rules =====================
#!/bin/sh
# Delete all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Setup policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
# Always trust the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow already opened connections
# (Only need INPUT right now 'cause it's the only one with DROP policy)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Accept VNC connections
iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT
>>> OK, so here are some of my thoughts and possible hints to a solution:
>>> 1) My routing tables need another route, so I just figure out how
>>> to configure that and add a route.
>>> 2) br0, eth0, and eth1 are incapable of an internet connection, in
>>> which case I need to create a virtual interface that can connect as
>>> if it were a separate interface that does the internet connecting.
>>
>> br0 is the network interface of the system. eth0 and eth1 are part of
>> a bridge and therefore completely transparent in the network.
>
> Correct.
>
>>> ===================== output of `route` =====================
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
>>> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
>>> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>>> ===== 10 second or so delay here =====
>>> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
>>
>> You haven't set a netmask on the default route. It should be
>> 255.255.255.0 to match the network segment.
>
> A netmask of 0.0.0.0 is normal for the default route.
>
> Paul.
>
The 10 second pause in the output also has to do with the firewall. When
I shut down the firewall, it shows up immediately.
Thanks for the help guys,
Justin
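Added example (not part of the thread, and not Justin's or Paul's code): a small Python model of the INPUT and OUTPUT rules from the setup-firewall-rules script above, evaluated with iptables' first-match-then-policy semantics. It shows why, with that script, replies to the box's own ping and DNS traffic only get in through the ESTABLISHED,RELATED rule, and why an unsolicited inbound ping hits the DROP policy. The Packet fields, the sample traffic and the conntrack states assigned to it are constructed for the illustration; the model also ignores the bridge side of things (with bridge-netfilter active, bridged frames additionally pass the FORWARD chain, which this script leaves at ACCEPT).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """One packet as the netfilter chains would see it (constructed model)."""
    chain: str            # "INPUT" or "OUTPUT"
    iface: str            # arriving interface (INPUT) or leaving one (OUTPUT)
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for ICMP
    state: str            # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# Chain policies and rules transcribed from the setup-firewall-rules script
# in the post, in the order the script appends them.
POLICIES = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
RULES = [
    ("INPUT",  {"iface": "lo"}, "ACCEPT"),
    ("OUTPUT", {"iface": "lo"}, "ACCEPT"),
    ("INPUT",  {"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ("INPUT",  {"proto": "tcp", "dport": 22, "state": {"NEW"}}, "ACCEPT"),
    ("INPUT",  {"proto": "tcp", "dport": 5801, "state": {"NEW"}}, "ACCEPT"),
    ("INPUT",  {"proto": "tcp", "dport": 5901, "state": {"NEW"}}, "ACCEPT"),
]


def matches(match, pkt):
    """A rule matches when every listed field agrees (a set means 'one of')."""
    for field, wanted in match.items():
        actual = getattr(pkt, field)
        if isinstance(wanted, set):
            if actual not in wanted:
                return False
        elif actual != wanted:
            return False
    return True


def verdict(pkt, rules=RULES, policies=POLICIES):
    """iptables semantics: the first matching rule in the chain decides,
    otherwise the chain's default policy applies."""
    for chain, match, target in rules:
        if chain == pkt.chain and matches(match, pkt):
            return target
    return policies[pkt.chain]


# Constructed traffic samples: a ping from the bridge box and its reply,
# a DNS reply, an unsolicited inbound ping, and an inbound SSH connection.
SAMPLES = {
    "outbound echo-request":    Packet("OUTPUT", "br0", "icmp", None, "NEW"),
    "echo-reply (tracked)":     Packet("INPUT",  "br0", "icmp", None, "ESTABLISHED"),
    "echo-reply (untracked)":   Packet("INPUT",  "br0", "icmp", None, "INVALID"),
    "dns reply (tracked)":      Packet("INPUT",  "br0", "udp",  40000, "ESTABLISHED"),
    "dns reply (untracked)":    Packet("INPUT",  "br0", "udp",  40000, "NEW"),
    "inbound ping from a peer": Packet("INPUT",  "br0", "icmp", None, "NEW"),
    "inbound ssh from a peer":  Packet("INPUT",  "br0", "tcp",  22, "NEW"),
}


def evaluate_samples():
    """Return the verdict the modelled ruleset gives each sample packet."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:26s} -> {result}")
```

The point the model makes: every reply the box receives on br0 is admitted only by the state rule, so anything that leaves conntrack without an entry for the outgoing flow (the reply then classifies as NEW or INVALID) falls through to the INPUT DROP policy, and a ping aimed at the box from another host is dropped outright because no rule accepts new ICMP. When checking a live ruleset rather than a model, `iptables -L -v -n` shows per-rule packet counters and the `-n` avoids the same name-resolution delay seen in the `route` output.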