Bridging Basics

Keep in mind that we will NOT be responsible for any damages caused by following the guides and information given in ANY of our articles.
The information provided should always be assumed to be possibly flawed, so always think it through and adapt it to your own requirements before implementing anything in your production environment.

In certain cases one might wish to create bridged network interfaces.
A great example is hosting containerized environments and VMs.
The following examples cover a rarely explained case of bridging that is specific to container hosts/hypervisors like LXC and KVM.

For information about more common bridging and NATing, please check resources like:

To follow this example you need to log in as the root user.
If you don't have the root password, you can use sudo instead.

Debian/Ubuntu:
There is only one step to the installation:

apt-get update; apt-get upgrade -y; apt-get install bridge-utils

Debian/Ubuntu:

  1. Edit your interface configuration file:
    nano /etc/network/interfaces
  2. Append the following to the configuration:
    auto bridge0
    iface bridge0 inet static
            bridge_ports none
            bridge_fd 0
            bridge_maxwait 0
            address <Interface IP address, like 192.168.10.1>
            netmask <Subnet mask, like 255.255.255.0>

Debian/Ubuntu:
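Keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port: the NAT table's PREROUTING chain is processed before FILTER, and the rewritten packet is then accepted by the eth0 > bridge0 FORWARD rule added in step 3.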

  1. Edit your firewall configuration file:
    nano /etc/iptables.up.rules
  2. Modify the FILTER table:
    From
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    To

    *filter
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
  3. Append the following rules to the FILTER table:
    # Forward bridge0 > eth0
    -A FORWARD -i bridge0 -o eth0 -j ACCEPT
    # Forward eth0 > bridge0
    -A FORWARD -i eth0 -o bridge0 -j ACCEPT
    # Forward bridge0 > bridge0
    -A FORWARD -i bridge0 -o bridge0 -j ACCEPT
  4. Append the following rule to the NAT table:
    1. For static public IP:
      # Default SNAT eth0
      -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address>
    2. For dynamic public IP:
      # Default SNAT eth0
      -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE

To add a port-forward rule, use the following template:

# DNAT for HTTP
-A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80
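
The FILTER and NAT pieces above depend on each other: a port-forward only works when its target sits inside the NATed bridge network and the FORWARD chain lets the packet through. The following Python check over a rules file is an added example, not part of the original guide; the names parse and audit, the sample rules and the addresses 203.0.113.10 and 192.168.10.x are constructed for illustration, and the parser only understands the plain flag/value rule shapes used on this page.

```python
import ipaddress
# Constructed sample (iptables-restore format); 203.0.113.10 stands in for the host main IP.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i bridge0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o bridge0 -j ACCEPT
-A FORWARD -i bridge0 -o bridge0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 203.0.113.10
-A PREROUTING -p tcp -m tcp -d 203.0.113.10 --dport 80 -j DNAT --to-destination 192.168.10.2:80
COMMIT
"""

def parse(text):
    """Return (policies, rules); comment lines and COMMIT are skipped."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):          # chain policy, e.g. :FORWARD DROP [0:0]
            policies[(table, line.split()[0][1:])] = line.split()[1]
        elif line.startswith("-A "):        # rule: pair each flag with its value
            tok = line.split()
            rules.append((table, tok[1], dict(zip(tok[2::2], tok[3::2]))))
    return policies, rules

def audit(text, bridge="bridge0", wan="eth0"):
    policies, rules = parse(text)
    findings = []                           # empty list = layout is consistent
    if policies.get(("filter", "FORWARD")) != "DROP":
        findings.append("filter FORWARD policy is not DROP")
    accepted = {(o.get("-i"), o.get("-o")) for t, c, o in rules
                if (t, c) == ("filter", "FORWARD") and o.get("-j") == "ACCEPT"}
    for pair in ((bridge, wan), (wan, bridge)):
        if pair not in accepted:
            findings.append("no FORWARD ACCEPT for %s > %s" % pair)
    nets = [ipaddress.ip_network(o["-s"], strict=False) for t, c, o in rules
            if (t, c) == ("nat", "POSTROUTING") and "-s" in o
            and o.get("-j") in ("SNAT", "MASQUERADE")]
    for t, c, o in rules:                   # every DNAT target must be a NATed guest
        if (t, c) == ("nat", "PREROUTING") and o.get("-j") == "DNAT":
            ip = ipaddress.ip_address(o["--to-destination"].rsplit(":", 1)[0])
            if not any(ip in n for n in nets):
                findings.append("DNAT target %s is not in a NATed network" % ip)
    return findings
```

Calling audit() on the contents of /etc/iptables.up.rules before loading it returns an empty list when the pieces line up, and one message per mismatch otherwise.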