106 lines
3.5 KiB
Plaintext
Executable File
106 lines
3.5 KiB
Plaintext
Executable File
Hello everybody,
|
|
|
|
Although there is a man page which documents most of the actual
|
|
commands, there is still a 'gap' concerning what bridges are, and how
|
|
to set them up. This document attempts to fill this gap.
|
|
|
|
In fact, this document is a 15-min hack, so feel free to {complain
|
|
about,improve on} it. Especially if this document (or the FAQ) does
|
|
not tell you what you want to know; I would consider that to be a bug.
|
|
|
|
|
|
Have fun!
|
|
Lennert Buytenhek
|
|
|
|
|
|
<================= CUT HERE AND DAMAGE YOUR SCREEN =================>
|
|
|
|
|
|
|
|
1. The basics
|
|
-------------
|
|
|
|
What does a bridge actually do? In plain English, a bridge connects
|
|
two or more different physical ethernets together to form one large
|
|
(logical) ethernet. The physical ethernets being connected together
|
|
correspond to network interfaces in your linux box. The bigger
|
|
(logical) ethernet corresponds to a virtual network interface in linux
|
|
(often called br0, br1, br2, etc.)
|
|
|
|
Let's say we want to tie eth0 and eth1 together, turning those
|
|
networks into one larger network. What do we do? Well, we need to
|
|
create an instance of the bridge first.
|
|
|
|
# brctl addbr br0
|
|
|
|
(You can check that this gives you a network interface called br0.)
|
|
Now we want to enslave eth0 and eth1 to this bridge.
|
|
|
|
# brctl addif br0 eth0
|
|
# brctl addif br0 eth1
|
|
|
|
And now... because we connected the two ethernets together, they now
|
|
form one large subnet. We are actually only on only one subnet, namely
|
|
br0. We can forget about the fact that br0 is actually eth[01] in
|
|
disguise; we will only deal with br0 from now on. Because we are only
|
|
on one subnet, we only need one IP address for the bridge. This
|
|
address we assign to br0. eth0 and eth1 should not have IP addresses
|
|
allocated to them.
|
|
|
|
# ifconfig eth0 0.0.0.0
|
|
# ifconfig eth1 0.0.0.0
|
|
# ifconfig br0 my.ip.address.here
|
|
|
|
The last command also puts the interface br0 into the 'up' state. This
|
|
will activate the forwarding of packets, which in plain English means
|
|
that from that point on, eth0 and eth1 will be 'joined'
|
|
together. Hosts on eth0 should 'see' hosts on eth1 and vice versa.
|
|
|
|
The bridge will also (automatically) activate the Spanning Tree
|
|
Protocol: this is a network protocol spoken by switches for (roughly
|
|
speaking) calculating the shortest distances and eliminating loops in
|
|
the topology of the network. You can disable the stp if you really
|
|
want/need to; see brctl(8) for details.
|
|
|
|
|
|
|
|
2. More complicated setups
|
|
--------------------------
|
|
|
|
We can create multiple bridge port groups and do filtering/NATting
|
|
between them, just like we can do that with ordinary network
|
|
interfaces.
|
|
|
|
For example: on a quadport network card, dedicate two ports to a LAN
|
|
on which we have IP 10.16.0.254, and the other two ports to a LAN on
|
|
which we have IP 192.168.10.1 (this is an actual setup)
|
|
|
|
# brctl addbr br_10
|
|
# brctl addif br_10 eth0
|
|
# brctl addif br_10 eth1
|
|
# ifconfig br_10 10.16.0.254
|
|
|
|
# brctl addbr br_192
|
|
# brctl addif br_192 eth2
|
|
# brctl addif br_192 eth3
|
|
# ifconfig br_192 192.168.10.1
|
|
|
|
You now have logical network interfaces br_10 and br_192, which will
|
|
act just like ordinary interfaces. The only difference is that they
|
|
each correspond to two physical network interfaces, but nobody cares
|
|
about that.
|
|
|
|
So.. for example, if 192.168.10.2 is the only host on the 192.*
|
|
network that is allowed to access the 10.* network, we would do:
|
|
|
|
ipchains -P forward REJECT
|
|
ipchains -A forward -s 192.168.10.2/32 -d 10.0.0.0/8 -i br_10 -j ACCEPT
|
|
|
|
(just like you were used to).
|
|
|
|
|
|
|
|
|
|
|
|
Hope this helped. If not, send a cry for help to the mailing list.
|