| Hello everybody, |
| |
| Although there is a man page which documents most of the actual |
| commands, there is still a 'gap' concerning what bridges are, and how |
| to set them up. This document attempts to fill this gap. |
| |
| In fact, this document is a 15-min hack, so feel free to {complain |
| about,improve on} it. Especially if this document (or the FAQ) does |
| not tell you what you want to know; I would consider that to be a bug. |
| |
| |
| Have fun! |
| Lennert Buytenhek |
| |
| |
| <================= CUT HERE AND DAMAGE YOUR SCREEN =================> |
| |
| |
| |
| 1. The basics |
| ------------- |
| |
| What does a bridge actually do? In plain English, a bridge connects |
| two or more different physical ethernets together to form one large |
| (logical) ethernet. The physical ethernets being connected together |
| correspond to network interfaces in your linux box. The bigger |
| (logical) ethernet corresponds to a virtual network interface in linux |
| (often called br0, br1, br2, etc.) |
| |
| Let's say we want to tie eth0 and eth1 together, turning those |
| networks into one larger network. What do we do? Well, we need to |
| create an instance of the bridge first. |
| |
| # brctl addbr br0 |
| |
| (You can check that this gives you a network interface called br0.) |
| Now we want to enslave eth0 and eth1 to this bridge. |
| |
| # brctl addif br0 eth0 |
| # brctl addif br0 eth1 |
| |
| And now... because we connected the two ethernets together, they now |
| form one large subnet. We are actually only on only one subnet, namely |
| br0. We can forget about the fact that br0 is actually eth[01] in |
| disguise; we will only deal with br0 from now on. Because we are only |
| on one subnet, we only need one IP address for the bridge. This |
| address we assign to br0. eth0 and eth1 should not have IP addresses |
| allocated to them. |
| |
| # ifconfig eth0 0.0.0.0 |
| # ifconfig eth1 0.0.0.0 |
| # ifconfig br0 my.ip.address.here |
| |
| The last command also puts the interface br0 into the 'up' state. This |
| will activate the forwarding of packets, which in plain English means |
| that from that point on, eth0 and eth1 will be 'joined' |
| together. Hosts on eth0 should 'see' hosts on eth1 and vice versa. |
| |
| The bridge will also (automatically) activate the Spanning Tree |
| Protocol: this is a network protocol spoken by switches for (roughly |
| speaking) calculating the shortest distances and eliminating loops in |
| the topology of the network. You can disable the stp if you really |
| want/need to; see brctl(8) for details. |
| |
| |
| |
| 2. More complicated setups |
| -------------------------- |
| |
| We can create multiple bridge port groups and do filtering/NATting |
| between them, just like we can do that with ordinary network |
| interfaces. |
| |
| For example: on a quadport network card, dedicate two ports to a LAN |
| on which we have IP 10.16.0.254, and the other two ports to a LAN on |
| which we have IP 192.168.10.1 (this is an actual setup) |
| |
| # brctl addbr br_10 |
| # brctl addif br_10 eth0 |
| # brctl addif br_10 eth1 |
| # ifconfig br_10 10.16.0.254 |
| |
| # brctl addbr br_192 |
| # brctl addif br_192 eth2 |
| # brctl addif br_192 eth3 |
| # ifconfig br_192 192.168.10.1 |
| |
| You now have logical network interfaces br_10 and br_192, which will |
| act just like ordinary interfaces. The only difference is that they |
| each correspond to two physical network interfaces, but nobody cares |
| about that. |
| |
| So.. for example, if 192.168.10.2 is the only host on the 192.* |
| network that is allowed to access the 10.* network, we would do: |
| |
| ipchains -P forward REJECT |
| ipchains -A forward -s 192.168.10.2/32 -d 10.0.0.0/8 -i br_10 -j ACCEPT |
| |
| (just like you were used to). |
| |
| |
| |
| |
| |
| Hope this helped. If not, send a cry for help to the mailing list. |