info:hosting:basics:bridging [2018/01/09 10:40] Thibmo
info:hosting:basics:bridging [2018/01/10 12:04] (current) Thibmo
Line 1: | Line 1: | ||
====== Bridging Basics ====== | ====== Bridging Basics ====== | ||
{{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | {{page>:disclaimer_widget&noheader&nofooter&noeditbtn}} | ||
+ | For certain cases one might wish to create bridged network interfaces.\\ | ||
+ | A great example would be when hosting containerized environments and VMs.\\ | ||
+ | The following examples will cover a rather rarely explained case of bridging. Which is very specific to container hosts/hypervisors like LXC and KVM. | ||
+ | |||
+ | For information about more common bridging and NATing, please check resources like:\\ | ||
+ | * [[http://linux-training.be/networking/ch14.html|linux-training.be]] | ||
+ | * [[https://wiki.debian.org/BridgeNetworkConnections|wiki.debian.org]] | ||
+ | * [[http://www.microhowto.info/howto/bridge_traffic_between_two_or_more_ethernet_interfaces_on_linux.html|microhowto.info]] | ||
+ | |||
+ | <WRAP center round important> | ||
+ | To follow this example you are required to login as user root.\\ | ||
+ | If you don't have the password of the root user you can use __//sudo//__ instead. | ||
+ | </WRAP> | ||
+ | |||
+ | ===== Setup ===== | ||
+ | **Debian/Ubuntu:**\\ | ||
+ | There is only one step to the installation: <code bash>apt-get update; apt-get upgrade -y; apt-get install bridge-utils</code> | ||
+ | |||
+ | ===== Interface (Bridge) creation ===== | ||
+ | **Debian/Ubuntu:** | ||
+ | - Edit your interface configuration file: <code bash>nano /etc/network/interfaces</code> | ||
+ | - Append the configuration with the following: <code bash>auto bridge0 | ||
+ | iface bridge0 inet static | ||
+ | bridge_ports none | ||
+ | bridge_fd 0 | ||
+ | bridge_maxwait 0 | ||
+ | address <Interface IP address, like 192.168.10.1> | ||
+ | netmask <Subnet mask, like 255.255.255.0></code> | ||
+ | |||
+ | ===== NAT setup ===== | ||
+ | **Debian/Ubuntu:**\\ | ||
+ | You need to keep in mind that after setting a NAT rule for a specific port you don't have to set any FILTER rule for this port, as NAT is processed before FILTER. | ||
+ | - Edit your firewall configuration file: <code bash>nano /etc/iptables.up.rules</code> | ||
+ | - Modify the FILTER table:\\ From<code bash>*filter | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0]</code>To<code bash>*filter | ||
+ | :FORWARD DROP [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0]</code> | ||
+ | - Append the FILTER table with the following rules: <code bash># Forward bridge0 > eth0 | ||
+ | -A FORWARD -i bridge0 -o eth0 -j ACCEPT | ||
+ | # Forward eth0 > bridge0 | ||
+ | -A FORWARD -i eth0 -o bridge0 -j ACCEPT | ||
+ | # Forward bridge0 > bridge0 | ||
+ | -A FORWARD -i bridge0 -o bridge0 -j ACCEPT</code> | ||
+ | - Append the NAT table with the following rule: | ||
+ | - For static public IP: <code bash># Default SNAT eth0 | ||
+ | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address> | ||
+ | </code> | ||
+ | - For dynamic public IP: <code bash># Default SNAT eth0 | ||
+ | -A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE | ||
+ | </code> | ||
+ | |||
+ | To add a port-forward rule, use the following template: <code bash># DNAT for HTTP | ||
+ | -A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80 | ||
+ | </code> | ||
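Review bot: the `-A FORWARD -i eth0 -o bridge0 -j ACCEPT` rule in the FILTER section accepts every new inbound connection from eth0 to any address on bridge0, so the containers and VMs behind the bridge get none of the protection that the `:INPUT DROP [0:0]` policy gives the host itself, and the sentence in the NAT section that no FILTER rule is needed for a DNATed port holds only because of this catch-all. A tighter version keeps the `:FORWARD DROP [0:0]` default meaningful: `-A FORWARD -i eth0 -o bridge0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` for return traffic, plus one explicit FORWARD ACCEPT per forwarded port, e.g. `-A FORWARD -i eth0 -o bridge0 -p tcp -d <Container/VM IP address> --dport 80 -j ACCEPT` next to the HTTP DNAT template. Two smaller points: the SNAT and MASQUERADE rules are commented "Default SNAT eth0" but carry no `-o eth0`, which should be added so that only traffic leaving through the public interface has its source rewritten; and the Setup step should mention enabling IP forwarding (`net.ipv4.ip_forward=1` in /etc/sysctl.conf, or `sysctl -w net.ipv4.ip_forward=1`), since without it the kernel never routes packets between eth0 and bridge0 and the FORWARD rules see no traffic.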