Linux Bridge over ethernet - linux

I have eth0 (Dhcp running). I want to create bridge over eth0 without losing N/w on eth0.
I have tried following
brctl addbr br0
brctl addif br0 eth1
Is it possible to create Bridge (br0 here) without losing n/w on interface (eth0)

You can create a route with iptables :
su -
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

How to Setup Linux Bridge
The standard configuration should consist of:
Create the bridge interface.
root#ubuntu-1:~ # brctl addbr br0
Add existing interfaces to the bridge.
root#ubuntu-1:~ # brctl addif br0 eth0
root#ubuntu-1:~ # brctl addif br0 eth1
Zero IP the interfaces.
root#ubuntu-1:~ # ifconfig eth0 0.0.0.0
root#ubuntu-1:~ # ifconfig eth1 0.0.0.0
Put up the bridge.
root#ubuntu-1:~ # ifconfig br0 up
Optionally you can configure the virtual interface br0 to take part in your network. To behaves like one interface (i.e a normal network card).
root#ubuntu-1:~ # ifconfig br0 192.168.0.1 netmask 255.255.255.0 up
To learn visit How to Setup bridge network for KVM

Related

ipset hash: net, iface does not work. When add physical interface ethx to the bridge

**Network topology**
PC1<------->eth1:LINUX(PC3):eth2<------>PC2
PC1 ping PC2 , Via PC3
As follows:
brctl addbr br1
brctl addif br eth1
brctl addif br eth2
IPset:
ipset create szone hash:net,iface
ipset add szone 0/0,physdev:eth1
ipset create dzone hash:net,iface
ipset add szone 0/0,physdev:eth2
Iptables:
iptables -t filter -A FORWARD -m set --match-set szone src,src -m set --match-set dzone dst,dst -j DROP
And then,in fact, iptabels rule not work.why? and I have loaded br_netfilter.ko

Attempting to setup static IP block with ATT Uverse and IP Passthrough to ASUS router

I am trying to accomplish the following setup:
NVG599 <> ASUS RT-AC88U <> Static device
I have an Ubuntu Server running Apache which has been configured to use an internal address 192.x.x.x as well as one of the static IP addresses. I know Apache is running / listening / working. If I browse to the internal address I get the default Apache page. Ubuntu firewall is disabled. I actually have a domain setup that points to this IP address 'http://thelavender.net'
Normally the ATT RG would handle the second subnet / static IP block. What I cannot figure out is how the ASUS would handle these now that its basically taking over all routing duties.
There is a cascading router option in the ATT RG and I have seen some people talking about using this instead. Is this correct?
EDIT
Thinking back, I think 1:1 NAT is what I really need here correct?
EDIT 2
I tried using something along the lines of this:
#!/bin/sh
#
# to restore this configuration, it needs to be saved to /jffs/scripts/nat-start
# on the router.
#
ifconfig eth0:0 WanIP1 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i eth0 -d WanIP1 -j DNAT --to-destination 192.168.1.10
iptables -t nat -I POSTROUTING -s 192.168.1.10 -j SNAT --to WanIP1
#
ifconfig eth0:1 WanIP2 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i eth0 -d WanIP2 -j DNAT --to-destination 192.168.1.11
iptables -t nat -I POSTROUTING -s 192.168.1.11 -j SNAT --to WanIP2
#
ifconfig eth0:2 WanIP3 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i eth0 -d WanIP3 -j DNAT --to-destination 192.168.1.12
iptables -t nat -I POSTROUTING -s 192.168.1.12 -j SNAT --to WanIP3
#
# Port forwards, in case the webui doesn't work, but i think it will. uncomment below if needed.
# iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.10 -j ACCEPT
I only tried the first group and put this in the nat-start script for Merlin to pick up. When I did this and restarted the router, it refused to pick up the WAN IP from the RG.
Any help with this would be appreciated.
EDIT
Voted down but no explanation as to why.
NVG599 LAN address: 192.168.0.254 / 255.255.255.0
RT-AC88U WAN address: 192.168.0.1 / 255.255.255.0
RT-AC88U LAN address: 192.168.1.1 / 255.255.255.0
NVG599 Cascaded Router: Enabled
Cascaded Router Address: 192.168.0.1
Network Address: 107.218.164.224
Subnet Mask: 255.255.255.248
Server: 192.168.1.10 and 107.218.164.225
Startup script for the router:
#!/bin/sh
#
# tell it where to find the server
ip ro add 107.218.164.225/32 via 192.168.1.10
iptables -I POSTROUTING -t nat -s 107.218.164.225/32 -j RETURN
#
# servers 2-N go here
......
#
# catch-all for everything else on the LAN
#
# this will double-NAT everything and will end up using the NVG's dynamic IP which is outside of the static IP block
##iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to 192.168.0.1
#
# this uses one of the public IPs
iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to 107.218.164.230
And script for the server if need be
#!/bin/sh
#
ifconfig eth0:1 107.218.164.225/29
ip ro repl default via 192.168.1.1 src 107.218.164.225

Filtre layer 2 multicast packet

I tried to filter layer 2 multicast packet (no IP header) generated by GOOSE protocol.
The commands below are used (ebtable and iptables) but did not work. Can anyone please give some advice?
I used ebtables because i readed that iptables can't open packet who dont have ip header (layer 3 minimum). The packet were sent from machine A to machine B (client/server software).
a. ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
b. iptables -A INPUT -m pkttype --pky-type multicast -j DROP
iptables -A OUTPUT -m pkttype --pky-type multicast -j DROP
I tried all the commands above, but i can't stop my multicast packet (DROP was just used for test purpose)
Thank you in advanced...
For the one's who are in the same probleme in the future, i manage to resolve the probleme, first, you should now that iptables can't filter protocole who don't use ip header, so in my case, my protocole is layer 2 (like arp), the best tool for that is ebtables.
The DROP test that i already realise didn't work because i used ebatbles in a normale inerface, and this is a probleme for ebtables, he don't accept it, you should configure an bridge interface before using ebtables.
This the command i typed to creat bridge:
brctl addbr br0
brctl stp br0 off
brctl addif br0 eno16777736
ifconfig br0 10.0.0.131 netmask 255.255.255.0
ifconfig eno16777736 0 0.0.0.0
ip route add default via 10.0.0.1
ebtables -t broute -A BROUTING -j DROP
Hop this will help some one in the future

how to route 2 Nics with 2 public IP on same subnet running with same gateway

I'm newbie in networking field. I have trouble with my web server Network configuration (OS is Centos).
I have 2 NICs (eth0 + eth2 - physically) running 2 public IP which have the same subnet, same gateway.
When I configure nginx to listen on these 2 NICs, everything works just fine. But when I monitor the traffic, all traffic is on the eth0 only, nothing on eth2.
My question is: How can I configure so that traffic goes in a NIC, go out on that NIC, too?
This is my ethernet card config:
DEVICE="eth0"
ONBOOT=yes
BOOTPROTO=static
IPADDR=x.x.x.38
PREFIX=27
GATEWAY=x.x.x.x.33
DNS1=8.8.8.8
DNS2=8.8.4.4
NAME="System eth0"
DEVICE="eth2"
ONBOOT=yes
BOOTPROTO=static
IPADDR=x.x.x.39
PREFIX=27
GATEWAY=x.x.x.33
DNS1=8.8.8.8
DNS2=8.8.4.4
NAME="System eth2"
This is my route -n result
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.14.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
y.z.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0
y.z.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1
y.z.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 eth2
0.0.0.0 x.x.x.33 0.0.0.0 UG 0 0 0 eth0
Hope you can help, thanks in advanced!
In Linux, routing is performed by looking at the destination address only, so a packet will follow whichever route can be used to reach the packet's destination, with no regard to the source address.
The behaviour you want requires choosing a route depending not only on the destination address, but also on the source address — this is sometimes called source-sensitive routing or SADR (source-address dependent routing). The most portable way of implementing source-sensitive routing under Linux is to define routing rules across multiple routing tables using the ip rule and ip route ... table ... commands.
This is described in detail in Section 4 of the Linux Advanced Routing and Traffic Control HOWTO
Probably, the problem can be solved even with NAT.
ip tuntap add dev tap0 mode tap
ip tuntap add dev tap1 mode tap
Then you can assign separate ip addresses to these devices:
ifconfig tap0 10.10.10.1 netmask 255.255.255.255
ifconfig tap1 10.10.10.2 netmask 255.255.255.255
And finally - redirect incoming traffic to specific virtual device
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.10.10.1
iptables -t nat -A PREROUTING -i eth2 -j DNAT --to-destination 10.10.10.2
In this case, all traffic will be routed definetely to the interface it came from.

networking is not working on qemu guest (Malta Mips)

I am trying to configure networking on QEMU malta mips, which is running on vmware host (ubuntu) using tap/tun device and bridge interface. My qemu guest is unable to retrieve ip address from DHCP server. If i give it manually, it can just connect with its host. Using tcpdump i came to know that outgoing traffic is working perfectly but incoming is not working.
Can anyone suggest me how to solve this kind of issue?
Thank You
If you use NAT mode, then your host machine will act as a router for your guest VM. This means you must enable routing on your host.
Assuming you start qemu and link it to tap0 interface and your outgoing internet interface is eth0, then you should:
Create the tap0 virtual interface:
tunctl -t tap0
ifconfig tap0 192.168.0.1 netmask 255.255.255.0 up
Activate routing
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Create forwarding rules, where
# tap0 - virtual interface
# eth0 - net connected interface
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Start your VM with somenthing like this:
qemu [..] -net nic,model=e1000,vlan=0 -net tap,ifname=tap0,vlan=0,script=no
In your VM, configure an interface with ip 192.168.0.2/24 and default gateway 192.168.0.1
In NAT mode you can't achieve this. You need to configure VM in bridge mode and I hope you know the steps to configure it; if not see the link here ;
Step #2 of catalin.me's answer could be even simpler:
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
First two iptables rules are needed only in case if default policy for FORWARD chain is DROP.
E.g.:
iptables -P FORWARD DROP

Resources