====== Bridging Basics ======
{{page>:disclaimer_widget&noheader&nofooter&noeditbtn}}
For certain cases one might wish to create bridged network interfaces.\\
A great example would be when hosting containerized environments and VMs.\\
The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM.

For information about more common bridging and NATing, please check resources like:\\
  * [[http://linux-training.be/networking/ch14.html|linux-training.be]]
  * [[https://wiki.debian.org/BridgeNetworkConnections|wiki.debian.org]]
  * [[http://www.microhowto.info/howto/bridge_traffic_between_two_or_more_ethernet_interfaces_on_linux.html|microhowto.info]]

<WRAP center round important>
To follow this example you are required to login as user root.\\
If you don't have the password of the root user you can use __//sudo//__ instead.
</WRAP>

===== Setup =====
**Debian/Ubuntu:**\\
There is only one step to the installation: <code bash>apt-get update; apt-get upgrade -y; apt-get install bridge-utils</code>

===== Interface (Bridge) creation =====
**Debian/Ubuntu:**
  - Edit your interface configuration file: <code bash>nano /etc/network/interfaces</code>
  - Append the configuration with the following: <code bash>auto bridge0
iface bridge0 inet static
        bridge_ports none
        bridge_fd 0
        bridge_maxwait 0
        address <Interface IP address, like 192.168.10.1>
        netmask <Subnet mask, like 255.255.255.0></code>

===== NAT setup =====
**Debian/Ubuntu:**\\
You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER.
  - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code>
  - Modify the FILTER table:\\ From<code bash>*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]</code>To<code bash>*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]</code>
  - Append the FILTER table with the following rules: <code bash># Forward bridge0 > eth0
-A FORWARD -i bridge0 -o eth0 -j ACCEPT
# Forward eth0 > bridge0
-A FORWARD -i eth0 -o bridge0 -j ACCEPT
# Forward bridge0 > bridge0
-A FORWARD -i bridge0 -o bridge0 -j ACCEPT</code>
  - Append the NAT table with the following rule:
    - For static public IP: <code bash># Default SNAT eth0
-A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address>
</code>
    - For dynamic public IP: <code bash># Default SNAT eth0
-A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE
</code>

To add a port-forward rule, use the following template: <code bash># DNAT for HTTP
-A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80
</code>