Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
info:hosting:basics:bridging [2018/01/09 10:40] Thibmo |
info:hosting:basics:bridging [2018/01/10 12:00] Thibmo |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Bridging Basics ====== | ====== Bridging Basics ====== | ||
| {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
| + | For certain cases one might wish to create bridged network interfaces.\\ | ||
| + | A great example would be when hosting containerized environments and VMs.\\ | ||
| + | The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM. | ||
| + | |||
| + | <WRAP center round important> | ||
| + | To follow this example you are required to login as user root.\\ | ||
| + | If you don't have the password of the root user you can use __//sudo//__ instead. | ||
| + | </WRAP> | ||
| + | |||
| + | ===== Setup ===== | ||
| + | **Debian/Ubuntu:**\\ | ||
| + | There is only one step to the installation: <code bash>apt-get update; apt-get upgrade -y; apt-get install bridge-utils</code> | ||
| + | |||
| + | ===== Interface (Bridge) creation ===== | ||
| + | **Debian/Ubuntu:** | ||
| + | - Edit your interface configuration file: <code bash>nano /etc/network/interfaces</code> | ||
| + | - Append the configuration with the following: <code bash>auto bridge0 | ||
| + | iface bridge0 inet static | ||
| + | bridge_ports none | ||
| + | bridge_fd 0 | ||
| + | bridge_maxwait 0 | ||
| + | address <Interface IP address, like 192.168.10.1> | ||
| + | netmask <Subnet mask, like 255.255.255.0></code> | ||
| + | |||
| + | ===== NAT setup ===== | ||
| + | **Debian/Ubuntu:**\\ | ||
| + | You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER. | ||
| + | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
| + | - Modify the FILTER table:\\ From<code bash>*filter | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :INPUT DROP [0:0] | ||
| + | :OUTPUT ACCEPT [0:0]</code>To<code bash>*filter | ||
| + | :FORWARD DROP [0:0] | ||
| + | :INPUT DROP [0:0] | ||
| + | :OUTPUT ACCEPT [0:0]</code> | ||
| + | - Append the FILTER table with the following rules: <code bash># Forward bridge0 > eth0 | ||
| + | -A FORWARD -i bridge0 -o eth0 -j ACCEPT | ||
| + | # Forward eth0 > bridge0 | ||
| + | -A FORWARD -i eth0 -o bridge0 -j ACCEPT | ||
| + | # Forward bridge0 > bridge0 | ||
| + | -A FORWARD -i bridge0 -o bridge0 -j ACCEPT</code> | ||
| + | - Append the NAT table with the following rule: | ||
| + | - For static public IP: <code bash># Default SNAT eth0 | ||
| + | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address> | ||
| + | </code> | ||
| + | - For dynamic public IP: <code bash># Default SNAT eth0 | ||
| + | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE | ||
| + | </code> | ||
| + | |||
| + | To add a port-forward rule, use the following template: <code bash># DNAT for HTTP | ||
| + | -A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80 | ||
| + | </code> | ||
