Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
info:hosting:basics:bridging [2018/01/09 17:11] Thibmo |
info:hosting:basics:bridging [2018/01/10 12:04] Thibmo |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
| For certain cases one might wish to create bridged network interfaces.\\ | For certain cases one might wish to create bridged network interfaces.\\ | ||
| - | A great example would be when hosting containerized environments and VMs. | + | A great example would be when hosting containerized environments and VMs.\\ |
| + | The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM. | ||
| + | |||
| + | For information about more common bridging and NATing, please check resources like:\\ | ||
| + | * [[http://linux-training.be/networking/ch14.html|linux-training.be]] | ||
| + | * [[https://wiki.debian.org/BridgeNetworkConnections|wiki.debian.org]] | ||
| + | * [[http://www.microhowto.info/howto/bridge_traffic_between_two_or_more_ethernet_interfaces_on_linux.html|microhowto.info]] | ||
| <WRAP center round important> | <WRAP center round important> | ||
| Line 23: | Line 29: | ||
| address <Interface IP address, like 192.168.10.1> | address <Interface IP address, like 192.168.10.1> | ||
| netmask <Subnet mask, like 255.255.255.0></code> | netmask <Subnet mask, like 255.255.255.0></code> | ||
| + | |||
| + | ===== NAT setup ===== | ||
| + | **Debian/Ubuntu:**\\ | ||
| + | You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER. | ||
| + | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
| + | - Modify the FILTER table:\\ From<code bash>*filter | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :INPUT DROP [0:0] | ||
| + | :OUTPUT ACCEPT [0:0]</code>To<code bash>*filter | ||
| + | :FORWARD DROP [0:0] | ||
| + | :INPUT DROP [0:0] | ||
| + | :OUTPUT ACCEPT [0:0]</code> | ||
| + | - Append the FILTER table with the following rules: <code bash># Forward bridge0 > eth0 | ||
| + | -A FORWARD -i bridge0 -o eth0 -j ACCEPT | ||
| + | # Forward eth0 > bridge0 | ||
| + | -A FORWARD -i eth0 -o bridge0 -j ACCEPT | ||
| + | # Forward bridge0 > bridge0 | ||
| + | -A FORWARD -i bridge0 -o bridge0 -j ACCEPT</code> | ||
| + | - Append the NAT table with the following rule: | ||
| + | - For static public IP: <code bash># Default SNAT eth0 | ||
| + | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address> | ||
| + | </code> | ||
| + | - For dynamic public IP: <code bash># Default SNAT eth0 | ||
| + | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE | ||
| + | </code> | ||
| + | |||
| + | To add a port-forward rule, use the following template: <code bash># DNAT for HTTP | ||
| + | -A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80 | ||
| + | </code> | ||
