Ethernet Bridge + netfilter Howto: Set Linux up to serve

3. Set Linux up to serve

3.1 Setting up the bridge

We need Linux to know about the bridge. First tell it that we want one virtual ethernet bridge interface: (this is to be executed on host bridge, of course. See Testing grounds)

root@bridge:~> brctl addbr br0
        
Second, we do not need STP (the Spanning Tree Protocol). STP exists to break loops between redundant bridges; here we have one single bridge joining two segments behind one router, so a loop cannot form and the feature can be switched off. (It also keeps BPDU frames from polluting the network and spares you the listening/learning delay before the ports start forwarding):
root@bridge:~> brctl stp br0 off
        
After these preparations we finally issue the effective commands. We add our two (or more) physical ethernet interfaces, i.e. we attach them as ports to the newly created logical (virtual) bridge interface br0. Be aware that from this moment on the kernel forwards every frame between eth0 and eth1 at layer 2, unfiltered, until you have loaded netfilter rules for the bridge (later sections):
root@bridge:~> brctl addif br0 eth0
root@bridge:~> brctl addif br0 eth1
        
Important Note:

People sent me emails saying it would have helped them if I had stressed the risk of being cut off more clearly. So listen to my warnings at this point:
If you read this, you are one (small) step before you _might_ cut yourself off from the box you are converting into a bridging device: the next commands strip the IP configuration from the physical interfaces, and any ssh or telnet session that arrives through one of them dies with it.
If you love living on the bleeding edge, now is the moment to prepare your first aid material. You will likely need it.
If you do not have physical access, and neither does another person within your reach:
DO NOT PROCEED UNLESS YOUR FINGERS HAVE LEFT THE KEYBOARD IN FRONT OF YOU AND YOUR EYES ARE FIXED REFLECTIVELY ON SOMETHING OTHER THAN YOUR CONSOLE.
You have been warned now. No responsibility is assumed for anything at all.
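Before running brctl addif, a check that the interface carrying your own remote session is not among the ports you are about to enslave, plus an automatic revert as first aid. This is an added example, not part of the original HOWTO; it assumes iproute2's ip route get, an sshd that exports SSH_CONNECTION, and the at(1) daemon for the rollback timer.

```sh
#!/bin/sh
# Added example, not from the HOWTO: guard against enslaving the interface
# that carries your own ssh session, and schedule a revert as first aid.
# Assumes iproute2 ("ip route get"), sshd exporting SSH_CONNECTION, and at(1).

# route_dev LINE : print the "dev" field of one "ip route get" output line,
# e.g. "10.0.3.7 dev eth0 src 10.0.3.129 uid 0" -> eth0. Prints nothing if
# the line carries no dev field (e.g. "unreachable 10.9.9.9").
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# dev_in_ports DEV PORT... : true if DEV is one of the PORTs.
dev_in_ports() {
    dev="$1"; shift
    for p in "$@"; do
        [ "$p" = "$dev" ] && return 0
    done
    return 1
}

# cutoff_check PORT... : exit 1 if the peer of this ssh session is routed
# back out through a PORT, i.e. "brctl addif" would kill the session.
# Fails closed when the route cannot be determined.
cutoff_check() {
    peer="${SSH_CONNECTION%% *}"          # first field: client address
    if [ -z "$peer" ]; then
        echo "no SSH_CONNECTION in environment; assuming local console" >&2
        return 0
    fi
    line="$(ip -o route get "$peer" 2>/dev/null | head -n 1)"
    if [ -z "$line" ]; then
        echo "cannot determine the route back to $peer; refusing to guess" >&2
        return 1
    fi
    dev="$(route_dev "$line")"
    if dev_in_ports "$dev" "$@"; then
        echo "STOP: your session arrives via $dev, which you are about to enslave" >&2
        return 1
    fi
    echo "ok: session arrives via ${dev:-unknown}, not one of: $*" >&2
    return 0
}

# schedule_rollback [MINUTES] : queue the teardown from the stop branch of
# section 3.3; cancel it with "atrm JOB" once you have confirmed you can
# still log in. Interface names are the HOWTO's placeholders.
schedule_rollback() {
    printf '%s\n' \
        'brctl delif br0 eth0; brctl delif br0 eth1' \
        'ifconfig br0 down; brctl delbr br0' \
        'ifup eth0' |
        at "now + ${1:-10} minutes"
}

# Typical use, as root, before touching the ports:
#   cutoff_check eth0 eth1 && schedule_rollback 10 && brctl addif br0 eth0
```

If the check says STOP, that is exactly the situation the Important Note describes: the address will move from eth0 to br0 and the session cannot survive the transition, so either go to the console or rely on the scheduled rollback.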

Now each of our two physical ethernet interfaces has become a logical bridge port. Erm, ok, the physical devices are still there, go have a look ;-) But they are now part of the logical bridge device and therefore need no IP configuration of their own any longer (the kernel also switches bridge ports to promiscuous mode, so they pick up every frame on their segment). So release the IPs:
root@bridge:~> ifconfig eth0 down
root@bridge:~> ifconfig eth1 down
root@bridge:~> ifconfig eth0 0.0.0.0 up
root@bridge:~> ifconfig eth1 0.0.0.0 up
        
Great! We now have a box without any IP address attached. So if you were configuring your future firewall/router over the network, that session is gone; go for your local console now ;-)) You have a serial console? Happy one :-)
Optional:

We give the new (logical) interface one single IP address. This is only needed if the bridge itself must be reachable, e.g. for remote administration or if it is to route as well (3.2); a bridge without any address forwards frames just the same and is simply invisible at layer 3:

root@bridge:~> ifconfig br0 10.0.3.129 up
        

And we're done.
Read the Important Note!

3.2 Setting up the routing

In case we are configuring a gateway (the box should also route between the bridged segment and other networks), we enable IP forwarding in the Linux kernel. Note that this switch governs routed (layer 3) traffic only: frames crossing the bridge between eth0 and eth1 are forwarded by the bridge code regardless of ip_forward, so leaving it off does not stop bridged traffic.

root@bridge:~> echo "1" > /proc/sys/net/ipv4/ip_forward
        
Our box already has an IP assigned but no default route. We solve this now. The gateway has to be the next-hop router reachable through br0; the address below is this HOWTO's placeholder, adapt it to your network:
root@bridge:~> route add default gw 10.0.3.129
        
Finally, we should have a working net from, to and through the gateway.
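Sections 3.1 and 3.2 as one script using the iproute2 commands (ip link, ip addr, ip route) that current distributions ship in place of brctl, ifconfig and route. This is an added example, not the HOWTO's own code; DRY_RUN=1 prints the commands instead of running them, and the interface names, the 10.0.3.129/24 address and the gateway are placeholders to adapt.

```sh
#!/bin/sh
# Added example, not from the HOWTO: sections 3.1 and 3.2 with iproute2.
# Run as root; DRY_RUN=1 only prints what would be executed.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_up BRIDGE PORT... : create BRIDGE with STP off (a single bridge has
# no redundant paths, so nothing can loop), strip every PORT of its addresses
# and enslave it, then bring everything up. From this point the kernel
# forwards all frames between the ports, unfiltered, until netfilter rules exist.
bridge_up() {
    br="$1"; shift
    run ip link add name "$br" type bridge
    run ip link set "$br" type bridge stp_state 0
    for port in "$@"; do
        run ip addr flush dev "$port"       # the cut-off step: ports keep no IP
        run ip link set "$port" master "$br"
        run ip link set "$port" up
    done
    run ip link set "$br" up
}

# bridge_addr BRIDGE CIDR : optional management address on the bridge itself.
# Without it the box has no layer-3 presence at all (section 3.1, "Optional").
bridge_addr() {
    run ip addr add "$2" dev "$1"
}

# gateway_up ROUTER : section 3.2. ip_forward affects routed traffic only;
# bridged frames pass regardless of this setting.
gateway_up() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route add default via "$1"
}

# bridge_down BRIDGE PORT... : the reverse, for a stop path.
bridge_down() {
    br="$1"; shift
    for port in "$@"; do
        run ip link set "$port" nomaster
    done
    run ip link set "$br" down
    run ip link del "$br"
}

# Usage (adapt names and addresses):
#   bridge_up br0 eth0 eth1
#   bridge_addr br0 10.0.3.129/24
#   gateway_up 10.0.3.129          # replace with your upstream router
```

Run it once with DRY_RUN=1 and read the command list before running it for real; the ip addr flush lines are the point at which a remote session dies.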

3.3 Make it happen again!

Aka: we need the changes to persist across reboots.
To do so, write an sh-style script and put it in the system boot-up directory /etc/init.d/.
Secondly, create the link in your runlevel directory. The correct directory depends on your taste and of course on your Linux distribution. Common runlevel values on workstations are 2, 3 and 5. Examples are /etc/rc?.d/ (replace the ? with the right runlevel).
You also need an idea of when your network interfaces are brought up. For now, we assume your network interfaces are activated during the boot stage handled by /etc/rcS.d/, so we need not care about them; if you ever feel the need to know exactly, look in /etc/rcS.d/. We just want the bridge to be up and operable as soon as possible and so choose a priority of 10. (Make sure no service that needs the bridge, the loading of your netfilter rules for instance, is started before it, i.e. with a priority value less than 10.)
For now, we assume your runlevel is 5:

root@bridge:~> mv -i bridge.sh /etc/init.d/
root@bridge:~> cd /etc/rc5.d/
root@bridge:~> ln -s ../init.d/bridge.sh S10bridge.sh
        
Virtually any distribution provides a runlevel checker or equivalent tool that assists you in the tedious job of administering runlevel links. Consult your distribution's documentation on this.
Hint: Debian has update-rc.d, Red Hat and its successors have chkconfig, and SuSE has its own tool, insserv.
Wondering about the contents of bridge.sh? ;-)
#!/bin/bash
# Boot script for the bridge, following sections 3.1 and 3.2.
# Adapt the address, netmask and gateway to your network.
PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin"   # /bin is needed for sleep(1)
cmd="$1"
[ -z "$cmd" ] && cmd="start"
case "$cmd" in
  start)
    brctl addbr br0
    brctl stp br0 off                 # single bridge, no redundant paths: no STP (see 3.1)
    brctl addif br0 eth0
    brctl addif br0 eth1
    (ifdown eth0 1>/dev/null 2>&1)    # release any distribution-managed IP config
    (ifdown eth1 1>/dev/null 2>&1)
    ifconfig eth0 0.0.0.0 up          # ports carry no address of their own
    ifconfig eth1 0.0.0.0 up
    ifconfig br0 10.0.3.129 broadcast 10.0.3.255 netmask 255.255.255.0 up  ### Adapt to your needs.
    route add default gw 10.0.3.129   ### Adapt to your needs: the next-hop router reachable via br0.
    for dev in br0 eth0 eth1; do
      echo "1" > /proc/sys/net/ipv4/conf/${dev}/forwarding
      echo "1" > /proc/sys/net/ipv4/conf/${dev}/proxy_arp   # not required for plain bridging; drop it if you do not rely on it
    done
    echo "1" > /proc/sys/net/ipv4/ip_forward               # routed traffic only; bridged frames pass regardless
    ;;
  stop)
    brctl delif br0 eth0
    brctl delif br0 eth1
    ifconfig br0 down
    brctl delbr br0
    #ifup eth0   ### Adapt to your needs.
    #ifup eth1   ### Adapt to your needs.
    ;;
  restart|reload)                     # "restart,reload" would only ever match that literal string
    $0 stop
    sleep 3
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}" >&2
    exit 1
    ;;
esac
And, yes, make it executable (root is the only one who needs to read or run it):
root@bridge:~> chmod 700 /etc/init.d/bridge.sh
        
Finally, make sure your bridge survives unattended reboots. It's the same story as with backups: test it before you need it.
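A post-boot check that reads the kernel's own view of the bridge from sysfs, so the "test it before you need it" step is a command rather than eyeballing brctl show. This is an added example, not from the HOWTO; SYSFS can be pointed at a fake directory tree (an assumption of this example) to exercise the check on a machine without a bridge.

```sh
#!/bin/sh
# Added example, not from the HOWTO: verify after a reboot that bridge.sh left
# the bridge as intended, reading sysfs rather than trusting exit codes.
# SYSFS defaults to /sys; point it at a fake tree to test without a bridge.

SYSFS="${SYSFS:-/sys}"

# bridge_ports BRIDGE : print the ports currently enslaved (one per line).
# Fails if BRIDGE is not a bridge (no brif directory).
bridge_ports() {
    d="$SYSFS/class/net/$1/brif"
    [ -d "$d" ] || return 1
    for p in "$d"/*; do
        [ -e "$p" ] && basename "$p"
    done
    return 0
}

# link_state DEV : the operstate the kernel reports (up, down, unknown, ...).
link_state() {
    cat "$SYSFS/class/net/$1/operstate" 2>/dev/null || echo unknown
}

# stp_enabled BRIDGE : true if the kernel has STP switched on for BRIDGE.
stp_enabled() {
    [ "$(cat "$SYSFS/class/net/$1/bridge/stp_state" 2>/dev/null)" = "1" ]
}

# check_bridge BRIDGE PORT... : exit 0 only if BRIDGE exists, is up and
# carries exactly the PORTs listed, nothing else; one line per finding on stderr.
check_bridge() {
    br="$1"; shift
    rc=0
    if ! have="$(bridge_ports "$br")"; then
        echo "$br: not a bridge (no brif directory)" >&2
        return 1
    fi
    [ "$(link_state "$br")" = "up" ] || { echo "$br: operstate is not up" >&2; rc=1; }
    stp_enabled "$br" && echo "$br: STP is on, bridge.sh turns it off" >&2
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qx "$want" || { echo "$br: port $want missing" >&2; rc=1; }
    done
    for got in $have; do
        case " $* " in
            *" $got "*) ;;
            *) echo "$br: unexpected port $got (did someone add an interface?)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: check_bridge br0 eth0 eth1 && echo "bridge ok"
```

An unexpected port is worth a failure rather than a warning: an extra interface in the bridge means another segment is being forwarded through your filter point without anyone having reviewed the rules for it.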

