Bridging interfaces and the internet

Justin Willmert justin at jdjlab.com
Tue Nov 1 13:37:48 UTC 2005


Paul Howarth wrote:
> Nigel Wade wrote:
> 
>> Justin Willmert wrote:
>>
>>> I just set up a desktop with two network cards and have got a bridge 
>>> working between the two. That is not what my problem lies in though. 
>>> I would like for the box to be able to connect to the internet also, 
>>> but if I understand what I've set up correctly, I can't do that with 
>>> my current setup. When I've tried to give one of the network cards an 
>>> IP address, nothing but lo works, so I know there's something 
>>> missing. I'll add my configuration at the bottom, but shortly, br0 is 
>>> configured with an IP address, and eth0 and eth1 have none. Now, I 
>>> know br0 is capable of at least a network connection because as I 
>>> type this, I'm currently SSHed into the box, but if I try to 
>>> ping anything, all the packets are lost.
> 
> 
> What IP address are you ssh'ed into the box from? Can you ssh back to 
> that IP from the bridge machine? Might the ping issue be due to firewall 
> rules (e.g. blocking ICMP packets)?
> 

OK, I thought I had my firewall set up correctly, because I had a 
default policy of ACCEPT on the OUTPUT and FORWARD chains, so I never 
thought that'd be a problem; but when I shut it off, it does work. So 
now I guess my question would be, what special rules do I need to create 
to allow this bridge setup to work with a firewall? Here is my firewall 
script.


===================== setup-firewall-rules =====================
#!/bin/sh

# Delete all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Setup policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

# Always trust the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow already opened connections
# (Only need INPUT right now 'cause it's the only one with DROP policy)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Accept VNC connections
iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT

>>> OK, so here are some of my thoughts and possible hints to a solution:
>>>    1) My routing tables need another route, so I just figure out how 
>>> to configure that and add a route.
>>>    2) br0, eth0, and eth1 are incapable of an internet connection, in 
>>> which case I need to create a virtual interface that can connect as 
>>> if it were a separate interface that does the internet connecting.
>>
>>
>>
>> br0 is the network interface of the system. eth0 and eth1 are part of 
>> a bridge and therefore completely transparent in the network.
> 
> 
> Correct.
>
>>> ===================== output of `route` =====================
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>> 192.168.2.0     *               255.255.255.0   U     0      0        0 br0
>>> 169.254.0.0     *               255.255.0.0     U     0      0        0 br0
>>> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
>>>             ===== 10 second or so delay here =====
>>> default         192.168.2.2     0.0.0.0         UG    0      0        0 br0
>>
>>
>>
>>
>> You haven't set a netmask on the default route. It should be 
>> 255.255.255.0 to match the network segment.
> 
> 
> A netmask of 0.0.0.0 is normal for the default route.
> 
> Paul.
> 
The 10 second pause in the output also has to do with the firewall. When 
I shut down the firewall, it shows up immediately.

Thanks for the help guys,
Justin
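Added example, not code from the original post or any reply in this thread: a version of the setup-firewall-rules script adapted for a host whose only layer-3 interface is a bridge, with explicit ICMP rules and a logging rule at the end of INPUT so that whatever the DROP policy discards can be read out of the kernel log rather than guessed at. It assumes the bridge is named br0, the same services as the original (SSH on 22, VNC on 5801/5901), and iptables with the state, limit and LOG extensions; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): firewall for a host whose only
# layer-3 interface is a bridge. br0 carries the IP address; eth0/eth1 are
# bridge ports and never appear in these rules.
# Assumptions: bridge named br0; SSH on 22 and VNC on 5801/5901 as in the
# original script; iptables with the state, limit and LOG extensions.

IPT=${IPT:-iptables}      # iptables binary
BR=${BR:-br0}             # the bridge interface that owns the IP address
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1: print the commands instead of running them

# ipt: run one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# flush_all: delete every rule and user chain in all three tables
flush_all() {
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" -X
    done
}

# install_rules: the complete ruleset, top to bottom
install_rules() {
    flush_all
    ipt -P INPUT DROP
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # ICMP: replies to our own pings are ESTABLISHED, but being pinged, and
    # the error messages path-MTU discovery and traceroute depend on, are not.
    for icmp_type in echo-request destination-unreachable time-exceeded parameter-problem; do
        ipt -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done

    # Services, accepted only on the bridge interface
    ipt -A INPUT -i "$BR" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    for port in 5801 5901; do
        ipt -A INPUT -i "$BR" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Last rule: log (rate limited) whatever the DROP policy is about to
    # discard, so a failing ping or DHCP exchange shows up in dmesg.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
}

# show_bridge_nf: frames merely bridged between the ports only traverse
# iptables when these sysctls are 1; their value tells you whether the
# FORWARD chain is in the path at all.
show_bridge_nf() {
    dir=/proc/sys/net/bridge
    if [ -d "$dir" ]; then
        for f in "$dir"/bridge-nf-call-iptables "$dir"/bridge-nf-call-arptables; do
            [ -r "$f" ] && echo "$(basename "$f") = $(cat "$f")"
        done
    else
        echo "no $dir: bridge netfilter not loaded"
    fi
}

case "${1:-}" in
    apply) install_rules ;;
    show)  DRY_RUN=1; install_rules ;;
    check) show_bridge_nf ;;
    *)     ;;   # no argument: define the functions only
esac
```

Run it as root with `sh bridge-firewall.sh apply`; `show` lists the commands without touching the live ruleset, and `check` prints the bridge-netfilter sysctls when the bridge module is loaded. With the rules in place, `dmesg | grep INPUT-DROP:` while a ping or a DHCP renewal is failing shows exactly which packet the DROP policy ate. When `route` output stalls before a line, try `route -n` first: plain `route` resolves each address to a name, so a blocked or slow DNS reply shows up as a pause in the listing.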



