Differences
info:hosting:basics:bridging [2018/01/09 17:11] Thibmo |
info:hosting:basics:bridging [2018/01/10 12:04] Thibmo |
Line 2: | Line 2: | ||
{{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
For certain cases one might wish to create bridged network interfaces.\\ | For certain cases one might wish to create bridged network interfaces.\\ | ||
- | A great example would be when hosting containerized environments and VMs. | + | A great example would be when hosting containerized environments and VMs.\\ |
+ | The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM. | ||
+ | |||
+ | For information about more common bridging and NATing, please check resources like:\\ | ||
+ | * [[http://linux-training.be/networking/ch14.html|linux-training.be]] | ||
+ | * [[https://wiki.debian.org/BridgeNetworkConnections|wiki.debian.org]] | ||
+ | * [[http://www.microhowto.info/howto/bridge_traffic_between_two_or_more_ethernet_interfaces_on_linux.html|microhowto.info]] | ||
<WRAP center round important> | <WRAP center round important> | ||
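Review bot: the second added sentence of this hunk is a fragment: "The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM." Join the two into one sentence, for example "The following examples cover a rarely explained case of bridging that is specific to container hosts and hypervisors such as LXC and KVM." The trailing `\\` added to "A great example would be when hosting containerized environments and VMs." is consistent with the forced line breaks the page already uses, so that part is fine. Two of the three new links (linux-training.be and microhowto.info) are plain http; switch them to https if those sites serve it.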
Line 23: | Line 29: | ||
address <Interface IP address, like 192.168.10.1> | address <Interface IP address, like 192.168.10.1> | ||
netmask <Subnet mask, like 255.255.255.0></code> | netmask <Subnet mask, like 255.255.255.0></code> | ||
+ | |||
+ | ===== NAT setup ===== | ||
+ | **Debian/Ubuntu:**\\ | ||
+ | You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER. | ||
+ | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
+ | - Modify the FILTER table:\\ From<code bash>*filter | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0]</code>To<code bash>*filter | ||
+ | :FORWARD DROP [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0]</code> | ||
+ | - Append the FILTER table with the following rules: <code bash># Forward bridge0 > eth0 | ||
+ | -A FORWARD -i bridge0 -o eth0 -j ACCEPT | ||
+ | # Forward eth0 > bridge0 | ||
+ | -A FORWARD -i eth0 -o bridge0 -j ACCEPT | ||
+ | # Forward bridge0 > bridge0 | ||
+ | -A FORWARD -i bridge0 -o bridge0 -j ACCEPT</code> | ||
+ | - Append the NAT table with the following rule: | ||
+ | - For static public IP: <code bash># Default SNAT eth0 | ||
+ | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address> | ||
+ | </code> | ||
+ | - For dynamic public IP: <code bash># Default SNAT eth0 | ||
+ | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE | ||
+ | </code> | ||
+ | |||
+ | To add a port-forward rule, use the following template: <code bash># DNAT for HTTP | ||
+ | -A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80 | ||
+ | </code> | ||
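Review bot: the claim in the new NAT setup intro is wrong, and the port-forward only works because of a much broader rule in the same hunk: "You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER." DNAT in nat/PREROUTING does run before filtering, but the rewritten packet is then routed and still has to pass filter/FORWARD, which this hunk changes to `:FORWARD DROP [0:0]`. The "DNAT for HTTP" rule is only reachable here because `-A FORWARD -i eth0 -o bridge0 -j ACCEPT` forwards every packet from eth0 into the container network, not because NAT bypasses the filter table. Suggest replacing that blanket rule with a stateful accept plus one explicit accept per published service, e.g. `-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` followed by `-A FORWARD -i eth0 -o bridge0 -p tcp -d <Container/VM IP address> --dport 80 -j ACCEPT`, and rewording the intro to say that each DNAT needs a matching FORWARD accept. Second, both POSTROUTING rules are commented "Default SNAT eth0" but carry no `-o eth0`, so they also rewrite the source of 192.168.10.0/24 traffic leaving on any other interface, including bridge0 itself, which the "Forward bridge0 > bridge0" rule expects to pass through the host; add `-o eth0` to both the SNAT and the MASQUERADE variant. Finally, the hunk only shows the `*filter` header; since the steps tell the reader to "append the NAT table", say where the `*nat` section and its COMMIT line go in /etc/iptables.up.rules, or show that part of the file.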