Tobias DiPasquale on 20 Dec 2004 12:19:34 -0000



Re: [PLUG] "bridging" firewall?



On Dec 20, 2004, at 12:08 AM, Ron Mansolino wrote:
> So how do I do this with Linux? and what does FAQ mean? :)
> What should I search for (or avoid)?
> thanks

There are two ways to do this: by bridging, or by pseudo-bridging.

Bridging will require using the ebtables software and possibly patching/recompiling your kernel. See http://bridge.sourceforge.net/ for more details (caveat: I don't have much experience with this type of bridging on Linux, so I will therefore favor the latter option; read on...).

Pseudo-bridging is the simpler of the two. All you will need is a Linux box with two network interfaces and to be running a 2.4 kernel or greater. Let's assume for this that eth0 is the external interface and eth1 is the internal:

1. Configure both interfaces with the same IP and network information.

2. Set the default route for the machine to the default router for the network, going out eth0 (if it's not already).

3. For each box that will exist behind the pseudo-bridge, install a host route for it destined for eth1 (e.g. if there is a 10.0.0.2 behind it, ip route add 10.0.0.2 dev eth1). These routes exist solely to tell ProxyARP what to do.

4. Then, turn on ProxyARP on both interfaces:

	# one write per interface; the sysctl lives under net/ipv4/conf/<if>/
	for i in eth0 eth1; do echo 1 > /proc/sys/net/ipv4/conf/$i/proxy_arp; done

5. Finally, turn on IP forwarding:

	echo 1 > /proc/sys/net/ipv4/ip_forward

With the pseudo-bridge, regular iptables rules can be applied for traffic passing through (which is not the case when using the real bridging software), and the box itself will show up on a traceroute (which can be really handy). As well, all the steps above are easily consolidated into a single rc script (if using Debian, you can put them in the existing /etc/network/interfaces using "up" rules).

A couple things: all hosts that exist behind the pseudo-bridge must have host routes pointed at the internal interface. If one is not, it will appear to be dead to the external world. Also, when setting this up, it's best to only plug one interface in when configuring it, and only plug the second in once you're sure you have everything correct (because of the potential to blackhole machines behind the pseudo-bridge).

For more information on ProxyARP and related topics on Linux, hit LARTC: http://lartc.org/howto/lartc.bridging.html

--
Tobias DiPasquale
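The five steps above consolidated into one script, plus the check the post's caveat calls for (every protected host needs a host route on the internal interface or it looks dead from outside). This is an added example, not code from the post; interface names, addresses, the gateway and the sample `ip route show` output are constructed, and `sysctl -w` stands in for the `echo > /proc` writes so they can be dry-run.

```shell
#!/bin/sh
# ProxyARP pseudo-bridge helper. Added example, not from the original post.
# All interface names, addresses and the sample route table are constructed.
EXT_IF=${EXT_IF:-eth0}          # external interface
INT_IF=${INT_IF:-eth1}          # internal interface
ADDR=${ADDR:-10.0.0.1/24}       # same address/netmask on both interfaces
GATEWAY=${GATEWAY:-10.0.0.254}  # default router on the external side
DRY_RUN=${DRY_RUN:-1}           # 1 = print commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-5 from the post, for the protected hosts given as arguments.
# Host routes are added before ProxyARP is enabled so the bridge never
# answers ARP for a host it cannot yet forward to.
pseudo_bridge_up() {
    run ip addr add "$ADDR" dev "$EXT_IF"
    run ip addr add "$ADDR" dev "$INT_IF"
    run ip route replace default via "$GATEWAY" dev "$EXT_IF"
    for host in "$@"; do
        run ip route add "$host" dev "$INT_IF"   # tells ProxyARP where the host is
    done
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INT_IF.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1
}

# Print each expected host that has no host route via the internal interface.
# $1 = output of `ip route show`, remaining args = hosts behind the bridge.
missing_host_routes() {
    routes=$1; shift
    for host in "$@"; do
        printf '%s\n' "$routes" | awk -v h="$host" -v i="$INT_IF" \
            '$1 == h && $2 == "dev" && $3 == i { f = 1 } END { exit !f }' \
            || printf '%s\n' "$host"
    done
}

# Constructed sample of `ip route show` on a half-configured bridge:
# 10.0.0.2 has its host route, 10.0.0.3 does not.
SAMPLE_ROUTES='default via 10.0.0.254 dev eth0
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.1
10.0.0.2 dev eth1  scope link'
```

Run `missing_host_routes "$(ip route show)" <hosts...>` on the box before plugging in the second interface; any host it prints is one that would be blackholed.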

Philadelphia Linux Users Group         --        http://www.phillylinux.org