Bridged Network
This page shows setups of bridged networks. They can be used to set up virtual network interfaces for virtual machines or LXC containers. shorewall is used to set up the iptables rules.
Installation
Install bridge-utils:
# apt-get install bridge-utils
Important Commands
Show bridge interfaces:
# brctl show
Simple Bridge
This setup can be used to connect multiple network interfaces. The bridge acts as a switch: each additional network interface is directly connected to the physical network.
Edit /etc/network/interfaces, remove eth0, add br0. For dynamic IP:
#auto eth0
#iface eth0 inet dhcp
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge_fd 0
bridge_maxwait 0
For static IP:
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
bridge_maxwait 0
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
And restart the network:
# /etc/init.d/networking restart
Replace eth0 with br0 in your firewall, e.g. in /etc/shorewall/interfaces:
net br0 detect dhcp,tcpflags,logmartians,nosmurfs
And restart shorewall:
# /etc/init.d/shorewall restart
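An added example (not part of the original page): a small Python lint for the two edits above. It flags a bridge port that still has its own dhcp/static stanza and a firewall interfaces file that still names the port instead of the bridge. The sample file contents and the function names are constructed for illustration.

```python
# Constructed sample inputs (not from a real host): eth0 kept its stanza and firewall entry.
INTERFACES = """\
auto eth0
iface eth0 inet dhcp
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge_fd 0
bridge_maxwait 0
"""
SHOREWALL_INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs
"""

def parse_stanzas(text):
    """Map interface name -> {"method": ..., "opts": {...}} from interfaces(5) text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):  # blank or whole-line comment
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3], "opts": {}})
        elif words[0] == "auto" or words[0].startswith("allow-"):
            current = None  # stanza boundary
        elif current is not None:
            current["opts"][words[0]] = " ".join(words[1:])  # last value wins
    return stanzas

def bridge_findings(interfaces_text, firewall_text):
    """Return warnings for bridge ports that keep IP config or firewall entries."""
    stanzas = parse_stanzas(interfaces_text)
    fields = (line.split() for line in firewall_text.splitlines())
    fw_ifaces = {f[1] for f in fields if len(f) >= 2 and not f[0].startswith("#")}
    findings = []
    for bridge, stanza in stanzas.items():
        for port in stanza["opts"].get("bridge_ports", "none").split():
            if port == "none":  # bridge without physical ports (NAT/routed setups)
                continue
            method = stanzas.get(port, {}).get("method")
            if method in ("dhcp", "static"):
                findings.append(f"{port}: still has an inet {method} stanza but is a port of {bridge}")
            if port in fw_ifaces:
                findings.append(f"{port}: listed in the firewall interfaces file, use {bridge} instead")
    return findings

if __name__ == "__main__":
    print("\n".join(bridge_findings(INTERFACES, SHOREWALL_INTERFACES)) or "OK")
```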
NAT
This setup can be used to hide private networks. Additional routing (DNAT, SNAT) is required.
In /etc/network/interfaces:
auto brnat
iface brnat inet static
address 10.10.10.254
netmask 255.255.255.0
bridge_stp off
bridge_maxwait 5
pre-up /usr/sbin/brctl addbr brnat
post-up /usr/sbin/brctl setfd brnat 0
#post-up /sbin/iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
#post-up echo 1 > /proc/sys/net/ipv4/ip_forward
And restart the network:
# /etc/init.d/networking restart
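Or start up the interface manually (the ifconfig line is the legacy equivalent of the two ip lines that follow it; use one or the other):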
# brctl addbr brnat
# brctl setfd brnat 0
# ifconfig brnat 10.10.10.254 netmask 255.255.255.0 up
# ip addr add 10.10.10.254/24 dev brnat
# ip link set brnat up
# iptables -t nat -A POSTROUTING -o brnat -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward
Now set up routing using shorewall.
Routed
This setup can be used to route public IPs to internal containers.
In /etc/network/interfaces:
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.0
gateway 1.2.3.254
auto br0
iface br0 inet static
address 1.2.3.4
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
pre-up brctl addbr br0
up ip route add 2.3.4.5/32 dev br0
down ip route del 2.3.4.5/32 dev br0
The br0 interface uses the same main IP and adds routes for the additional IPs.
Within the container, configure the additional IP; the default gateway is the IP of the host system.
auto eth0
iface eth0 inet static
address 2.3.4.5
netmask 255.255.255.255
up ip route add 1.2.3.4 dev eth0
up ip route add default via 1.2.3.4