Set Up the Bridge
Security - Training

When all of the software is loaded and you are logged in as root, you can set up the bridge. The command brctl is the basic bridge command that configures the software bridge. First create the bridge (brctl addbr br0), then add the two network cards to the bridge (brctl addif br0 eth0; brctl addif br0 eth1), then add the network configuration to the bridge (ifconfig br0 192.168.7.119 netmask 255.255.255.0 up), add the default gateway (route add default gw 192.168.7.2 dev br0), set both NICs to promiscuous mode (ifconfig eth0 0.0.0.0 promisc up; ifconfig eth1 0.0.0.0 promisc up), and turn off the Spanning Tree Protocol (brctl stp br0 off).


Be sure to forward traffic:
echo "1" > /proc/sys/net/ipv4/ip_forward


brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.7.119 netmask 255.255.255.0 up
route add default gw 192.168.7.2 dev br0
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
brctl stp br0 off


If you have only one router, so there is a single path through the bridge, you do not need the Spanning Tree Protocol to avoid a loop. When there are multiple connections between switches, loops can occur on the network. A loop is when a frame circulates around the network again and again, consuming your bandwidth. The Spanning Tree Protocol (STP) is used to stop network loops.

The Spanning Tree Protocol (STP) was created so that only one active path exists between any pair of LAN segments. It was developed to prevent loops in the network; loops can happen when there is more than one route to a destination, and bridges by default are not capable of handling more than one route to a destination address. When STP runs on a bridge, each port is placed into either a forwarding state or a blocking state. Ports in the forwarding state are considered part of the spanning tree, while those in the blocking state are not.

This example shows the bridge br0 set up with two network cards. The bridge has an IP address, but the cards show only MAC addresses.

br0     Link encap:Ethernet  HWaddr 00:30:48:43:3F:1E
inet addr:192.168.7.119  Bcast:192.168.7.255  Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe43:3f1e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:260 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:22388 (21.8 KiB)  TX bytes:378 (378.0 b)

eth0    Link encap:Ethernet  HWaddr 00:30:48:43:3F:1E
inet6 addr: fe80::230:48ff:fe43:3f1e/64 Scope:Link
UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Base address:0xa000 Memory:ec000000-ec020000

eth1    Link encap:Ethernet  HWaddr 00:30:48:43:3F:1F
inet6 addr: fe80::230:48ff:fe43:3f1f/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
RX packets:15595 errors:0 dropped:0 overruns:0 frame:0
TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1849948 (1.7 MiB)  TX bytes:1038 (1.0 KiB)
Base address:0xa400 Memory:ec020000-ec040000

lo      Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:1527 errors:0 dropped:0 overruns:0 frame:0
TX packets:1527 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1739024 (1.6 MiB)  TX bytes:1739024 (1.6 MiB)

Ebtables Script
You will want to run a script when the server starts so that it sets up your bridge. This script does not do any filtering of MAC addresses but depends on the iptables firewall for control.

################################################

#!/bin/bash
# Ebtables transparent firewall script
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1

/sbin/ifconfig br0 192.168.7.119 netmask 255.255.255.0 up
/usr/sbin/brctl stp br0 off

/sbin/route add default gw 192.168.7.2 dev br0
# Both bridge ports (the NICs added with addif above) go into promiscuous mode
/sbin/ifconfig eth0 0.0.0.0 promisc up
/sbin/ifconfig eth1 0.0.0.0 promisc up

echo "1" > /proc/sys/net/ipv4/ip_forward

# DEFAULT POLICY
# Note: DROP on INPUT and OUTPUT also drops frames to and from the bridge's
# own IP (192.168.7.119), so the host can then only be managed from the console.
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -P FORWARD DROP
# FLUSH TABLES
ebtables -F FORWARD

# Forward ARP and IPv4 traffic; filtering within IPv4 is left to iptables
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
# Log everything else. There is no -j, so the rule continues to the chain
# policy and the frame is dropped after being logged.
ebtables -A FORWARD --log-level info --log-ip --log-prefix EBFW

###############################################
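The bring-up commands listed at the start of this lesson and the rc.ebtables script above are the same procedure. What follows is an added example, not the page's own script and not from any project: it wraps that procedure in functions with a dry-run mode so the generated command list can be reviewed before it is applied to real interfaces, and it refuses to continue when the two port names are identical (the kind of typo a hand-typed script is prone to). The interface names and addresses are the page's; run(), bridge_up(), ebtables_rules(), DRY_RUN and the --dry-run/--apply switches are this example's own assumptions.

```shell
#!/bin/sh
# Added example: transparent-bridge bring-up plus ebtables policy, with a
# dry-run mode. Interface names and addresses follow the lesson; the
# function names and the DRY_RUN switch are this example's own.

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bridge_up BRIDGE NIC_A NIC_B IP NETMASK GATEWAY
# Refuses to proceed if both port names are the same, which would leave one
# side of the bridge out of promiscuous mode and the bridge silently one-armed.
bridge_up() {
    br=$1; nic_a=$2; nic_b=$3; ip=$4; mask=$5; gw=$6
    if [ "$nic_a" = "$nic_b" ]; then
        echo "bridge_up: both ports are $nic_a; two distinct NICs are required" >&2
        return 1
    fi
    run brctl addbr "$br"
    run brctl addif "$br" "$nic_a"
    run brctl addif "$br" "$nic_b"
    run ifconfig "$br" "$ip" netmask "$mask" up
    run route add default gw "$gw" dev "$br"
    # The bridge ports carry no IP of their own; they only need to be up and promiscuous.
    run ifconfig "$nic_a" 0.0.0.0 promisc up
    run ifconfig "$nic_b" 0.0.0.0 promisc up
    # A single path through the bridge, so STP is not needed.
    run brctl stp "$br" off
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# ebtables_rules: layer-2 policy for the bridge. IPv4 and ARP are forwarded
# (iptables does the IP-level filtering); anything else is logged and then
# falls through to the FORWARD policy, i.e. it is dropped.
ebtables_rules() {
    run ebtables -P FORWARD DROP
    run ebtables -F FORWARD
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
    # No -j: the log watcher fires and the rule continues to the chain policy.
    run ebtables -A FORWARD --log-level info --log-ip --log-prefix EBFW
}

case "${1:-}" in
    --dry-run)
        DRY_RUN=1
        bridge_up br0 eth0 eth1 192.168.7.119 255.255.255.0 192.168.7.2
        ebtables_rules
        ;;
    --apply)
        bridge_up br0 eth0 eth1 192.168.7.119 255.255.255.0 192.168.7.2
        ebtables_rules
        ;;
esac
```

Run it with --dry-run to print the sequence, then with --apply as root. Only the FORWARD policy is set here; the page's script also sets INPUT and OUTPUT to DROP, which additionally blocks frames addressed to the bridge's own IP, so with that script management has to happen from the console.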


One issue that you need to solve is running the startup scripts automatically so that you do not have to run rc.ebtables and rc.firewall by hand. Make sure you have these scripts written correctly and then edit the /etc/rc.local file. This file runs after all of the initialization scripts have run, so you can safely call your two scripts from it. Look at the example below and you will see that the scripts are entered with their full path, one per line.

################################################
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
sh /etc/rc.ebtables
sh /etc/rc.firewall
################################################

Save the file, then restart your server. Once it is restarted, go to the command line and type:

brctl show

You should see that you have an active bridge.


Test The Setup

In order to test the setup, use the showmacs command to see if the bridge is beginning to collect MAC addresses. In the example, the two local addresses are the MAC addresses of the bridge, and you can see that it is collecting several other addresses that are not local. This tells you that the bridge is connected and passing packets.

brctl showmacs br0
port no mac addr                is local?       ageing timer
2     00:03:76:3f:49:81       no               110.14
2     00:11:65:1c:db:8e       no                40.55
1     00:40:33:e2:09:73       yes                0.00
2     00:40:23:e2:09:eb       yes                0.00
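The check described above can be scripted instead of read by eye. The following is an added example, not from the original page: it parses the brctl showmacs table, counts learned (non-local) MAC addresses per port, and fails when no foreign address has been learned at all, which is the sign that frames are not crossing the bridge. The table embedded below is the page's own listing, stored in a constant so the script runs without a bridge present; the function names are this example's own.

```shell
#!/bin/sh
# Added example: turn `brctl showmacs br0` output into a pass/fail check.
# SAMPLE_SHOWMACS is the listing from the lesson, embedded so that this
# runs stand-alone; on a live bridge pipe the real command into bridge_health.

SAMPLE_SHOWMACS='port no mac addr                is local?       ageing timer
2     00:03:76:3f:49:81       no               110.14
2     00:11:65:1c:db:8e       no                40.55
1     00:40:33:e2:09:73       yes                0.00
2     00:40:23:e2:09:eb       yes                0.00'

# learned_macs PORT: number of non-local (learned) MACs on PORT, table on stdin.
# Column 3 is the "is local?" flag; the header line (NR == 1) is skipped.
learned_macs() {
    awk -v port="$1" 'NR > 1 && $1 == port && $3 == "no" { n++ } END { print n + 0 }'
}

# learned_ports: sorted, space-separated ports that have learned at least one MAC.
learned_ports() {
    awk 'NR > 1 && $3 == "no" { print $1 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# bridge_health: summarise the table on stdin. Returns 0 when at least one
# foreign MAC has been learned (frames are crossing the bridge), 1 otherwise.
# A port with no learned MACs only gets a warning: that side is idle or not cabled.
bridge_health() {
    table=$(cat)
    ports=$(printf '%s\n' "$table" | awk 'NR > 1 { print $1 }' | sort -un)
    total=0
    for p in $ports; do
        n=$(printf '%s\n' "$table" | learned_macs "$p")
        total=$((total + n))
        if [ "$n" -eq 0 ]; then
            echo "warn: port $p has learned no MAC addresses yet"
        else
            echo "ok: port $p has learned $n MAC address(es)"
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo "FAIL: no learned MACs; the bridge is not passing traffic" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the embedded sample
# (on a live system: brctl showmacs br0 | bridge_health)
printf '%s\n' "$SAMPLE_SHOWMACS" | bridge_health
```

On the page's sample the check passes but warns that port 1 has learned nothing yet, which matches the ifconfig output earlier in the lesson where eth0 shows zero received packets.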