Bridging Basics

Keep in mind that we will NOT be responsible for any damages caused by following the guides and information given in ANY of our articles.
The information provided should always be assumed to be possibly flawed, and thus one should always think and adapt the information to their own requirements before implementing anything in their production environment.

In certain cases one might wish to create bridged network interfaces.
A great example would be when hosting containerized environments and VMs.
The following examples cover a rather rarely explained case of bridging, one that is very specific to container hosts/hypervisors like LXC and KVM.

For information about more common bridging and NATing, please check resources like:

To follow this example you are required to log in as the root user.
If you don't have the password of the root user, you can use sudo instead.

There is only one step to the installation:

apt-get update; apt-get upgrade -y; apt-get install bridge-utils


  1. Edit your interface configuration file:
    nano /etc/network/interfaces
  2. Append the configuration with the following:
    auto bridge0
    iface bridge0 inet static
            bridge_ports none
            bridge_fd 0
            bridge_maxwait 0
            address <Interface IP address, like>
            netmask <Subnet mask, like>

Keep in mind that after setting a NAT rule for a specific port, you don't have to set any FILTER rule for that port, as NAT is processed before FILTER.

  1. Edit your firewall configuration file:
    nano /etc/iptables.up.rules
  2. Modify the FILTER table from:
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    to:
    :FORWARD DROP [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
  3. Append the FILTER table with the following rules:
    # Forward bridge0 > eth0
    -A FORWARD -i bridge0 -o eth0 -j ACCEPT
    # Forward eth0 > bridge0
    -A FORWARD -i eth0 -o bridge0 -j ACCEPT
    # Forward bridge0 > bridge0
    -A FORWARD -i bridge0 -o bridge0 -j ACCEPT
  4. Append the NAT table with the following rule:
    1. For static public IP:
      # Default SNAT eth0
      -A POSTROUTING -s <Interface IP network, like>/<Subnet, like 24> -j SNAT --to-source <Host main IP address>
    2. For dynamic public IP:
      # Default SNAT eth0
      -A POSTROUTING -s <Interface IP network, like>/<Subnet, like 24> -j MASQUERADE

To add a port-forward rule, use the following template:

-A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like>:80
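
Added example (not part of the original guide): a DNAT rule in PREROUTING rewrites the destination before the FILTER table runs, and the rewritten packet is then evaluated by the FORWARD chain, where in this configuration the eth0 > bridge0 rule accepts it. The Python sketch below parses a rules file assembled from the fragments above and reports which FORWARD rule decides each port-forward; the addresses 10.0.0.0/24, 10.0.0.10 and 203.0.113.5 and all function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample built from the page's fragments; all three addresses are assumed stand-ins.
RULES = """\
*nat
-A PREROUTING -p tcp -m tcp -d 203.0.113.5 --dport 80 -j DNAT --to-destination 10.0.0.10:80
-A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 203.0.113.5
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i bridge0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o bridge0 -j ACCEPT
-A FORWARD -i bridge0 -o bridge0 -j ACCEPT
COMMIT
"""

def parse(text):
    """Parse iptables-restore text; handles only flag/value pairs as used on this page."""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            cur["policy"].update([line[1:].split()[:2]])  # ":CHAIN POLICY [pkts:bytes]"
        elif line.startswith("-A "):
            tok = line.split()
            cur["rules"].append((tok[1], dict(zip(tok[2::2], tok[3::2])), line))
    return tables

def forward_verdict(tables, pkt, dst):
    """First matching FORWARD rule wins, else the policy; -s matches are not evaluated."""
    for chain, opts, raw in tables["filter"]["rules"]:
        dnet = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
        if chain == "FORWARD" and ipaddress.ip_address(dst) in dnet and all(
                opts.get(k, v) == v for k, v in pkt.items()):
            return opts["-j"], raw
    return tables["filter"]["policy"].get("FORWARD", "ACCEPT"), "FORWARD policy"

def audit_port_forwards(text, wan_if="eth0", lan_if="bridge0"):
    """For each DNAT rule, report which FILTER rule decides the forwarded packet."""
    tables, report = parse(text), []
    for chain, o, _raw in tables["nat"]["rules"]:
        if chain == "PREROUTING" and o.get("-j") == "DNAT":
            ip, _sep, port = o["--to-destination"].partition(":")
            pkt = {"-i": wan_if, "-o": lan_if, "-p": o.get("-p"), "--dport": port or o.get("--dport")}
            report.append((f"{o['-d']}:{o['--dport']} -> {ip}:{pkt['--dport']}", *forward_verdict(tables, pkt, ip)))
    return report
```

Removing the eth0 > bridge0 rule from the sample makes the same port-forward fall through to the FORWARD DROP policy.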