Bridging Basics
In some situations you may want to create bridged network interfaces; a common example is a host running containers and VMs.
The following example covers a rarely explained bridging case that is specific to container hosts and hypervisors such as LXC and KVM: a bridge with no physical member port, used as an internal network whose guests reach the outside through NAT on the host.
To follow this example you must be logged in as the root user.
If you don't have the root user's password, use sudo instead.
Setup
Debian/Ubuntu:
There is only one step to the installation:
apt-get update; apt-get upgrade -y; apt-get install bridge-utils
Interface (Bridge) creation
Debian/Ubuntu:
- Edit your interface configuration file:
nano /etc/network/interfaces
- Append the configuration with the following:
auto bridge0
iface bridge0 inet static
    bridge_ports none
    bridge_fd 0
    bridge_maxwait 0
    address <Interface IP address, like 192.168.10.1>
    netmask <Subnet mask, like 255.255.255.0>
NAT setup
Debian/Ubuntu:
Keep in mind that after adding a NAT rule for a specific port you don't need a separate FILTER rule for that port: DNAT in the PREROUTING chain is applied before the packet reaches the FORWARD chain, so the translated packet is then matched by the general eth0 > bridge0 forwarding rule below.
- Edit your firewall configuration file:
nano /etc/iptables.up.rules
- Modify the FILTER table:
From:
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
To:
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
- Append the FILTER table with the following rules:
# Forward bridge0 > eth0
-A FORWARD -i bridge0 -o eth0 -j ACCEPT
# Forward eth0 > bridge0
-A FORWARD -i eth0 -o bridge0 -j ACCEPT
# Forward bridge0 > bridge0
-A FORWARD -i bridge0 -o bridge0 -j ACCEPT
- Append the NAT table with the following rule:
- For static public IP:
# Default SNAT eth0
-A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j SNAT --to-source <Host main IP address>
- For dynamic public IP:
# Default SNAT eth0
-A POSTROUTING -s <Interface IP network, like 192.168.10.0>/<Subnet, like 24> -j MASQUERADE
To add a port-forward rule, use the following template:
# DNAT for HTTP
-A PREROUTING -p tcp -m tcp -d <Host main IP address> --dport 80 -j DNAT --to-destination <Container/VM IP address, like 192.168.10.2>:80
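The FILTER and NAT fragments above have to be assembled by hand for every host, and a typo in the network or host address silently breaks either the SNAT or the port-forward. The script below is an added example, not part of the original wiki page: it renders the complete /etc/iptables.up.rules content (FILTER table, SNAT or MASQUERADE variant, and any number of DNAT port-forwards) from a few variables, validates the bridge network before doing so, and checks that IP forwarding is switched on in the kernel, which the page assumes but does not state. The interface names, the 203.0.113.10 host address (an RFC 5737 documentation address) and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: render the page's FILTER and NAT rules as an iptables-restore
# file. Not from the original page; BRIDGE, WAN, BRIDGE_NET and HOST_IP are
# constructed sample values and must be adjusted for a real host.

BRIDGE=bridge0                 # internal bridge from the page (bridge_ports none)
WAN=eth0                       # host uplink interface
BRIDGE_NET=192.168.10.0/24     # network configured on the bridge
HOST_IP=203.0.113.10           # host main IP (constructed documentation address)

# valid_cidr NET/BITS: return 0 only for a well-formed IPv4 network in CIDR form.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; bits=${1#*/}
  [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
  n=0; old_ifs=$IFS; IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# forwarding_enabled: return 0 when net.ipv4.ip_forward is 1. Without it the
# FORWARD rules never see a packet, so NAT appears to "not work".
forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] || return 1
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# render_rules MODE [PROTO:PORT:TARGET ...]
#   MODE   static  -> SNAT --to-source HOST_IP   (static public IP, as on the page)
#          dynamic -> MASQUERADE                 (dynamic public IP)
#   each further argument is one port-forward, e.g. tcp:80:192.168.10.2:80
render_rules() {
  mode=$1; shift
  valid_cidr "$BRIDGE_NET" || { echo "invalid BRIDGE_NET: $BRIDGE_NET" >&2; return 1; }
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo "-A FORWARD -i $BRIDGE -o $WAN -j ACCEPT"     # bridge0 > eth0
  echo "-A FORWARD -i $WAN -o $BRIDGE -j ACCEPT"     # eth0 > bridge0 (lets DNATed packets through)
  echo "-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT"  # bridge0 > bridge0
  echo 'COMMIT'
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  for fwd in "$@"; do
    proto=${fwd%%:*}; rest=${fwd#*:}; port=${rest%%:*}; target=${rest#*:}
    echo "-A PREROUTING -p $proto -m $proto -d $HOST_IP --dport $port -j DNAT --to-destination $target"
  done
  if [ "$mode" = static ]; then
    echo "-A POSTROUTING -s $BRIDGE_NET -j SNAT --to-source $HOST_IP"
  else
    echo "-A POSTROUTING -s $BRIDGE_NET -j MASQUERADE"
  fi
  echo 'COMMIT'
}

# Stand-alone usage: dynamic-IP variant with the page's HTTP forward.
render_rules dynamic tcp:80:192.168.10.2:80
```

Redirect the output to /etc/iptables.up.rules and load it with iptables-restore; iptables-restore --test < /etc/iptables.up.rules parses the file without committing it, which catches syntax errors before the old ruleset is replaced. If forwarding_enabled fails, set net.ipv4.ip_forward=1 with sysctl, otherwise no FORWARD rule will ever match.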