Iptables – bridge, vlan and internet access. How

bridgeiptablesubuntu-12.04vlan

I'm trying to setup a working connection between my local network and the internet.
First I setup a bridge (br0, has an IP address where the other interfaces don't) between eth0 (LAN) and eth1 (internet), and created a nat rule in iptables to masquerade the source ip of the local ip's in the LAN.
Everything works great and I can access the internet from subnet 192.168.1.0.

Now I want to create two vlan's: 100 and 200.
I tried using vconfig to create eth0.100 and eth0.200 but I can't figure out how to connect them the internet. Packets from my local LAN arrived tagged with vlan Id 100/200 and the traffic goes through to eth1. But how can I make the packets return to the right eth0.x?

I thought about creating two bridges, one for vlan 100 and one for 200 and connect them to eth1. But again, how do I route the packets received from the internet to arrive to the right bridge?

The current setting:

eth0 <–> br0 <–> eth1

proposed:

eth0.100 <–> br100 <–> eth1

eth0.200 <–> br200 <–> eth1

eth0.100 & eth0.200 <–> br0 <–> eth1

Best Answer

You need to route the traffic from the LAN to WAN.

This is done by a router, not a bridge, so it should look like this :

eth0 (192.168.1.0/24) <==> eth1 (Public Internet)

For the vlans 100 and 200, how to route the traffic to the correct VLAN ? By creating different subnet for each VLAN, so your host knows which vlan is the correct output interface, so it should look like this now :

eth0.100 (192.168.100.0/24) <==> eth1 (Public Internet)

eth0.200 (192.168.200.0/24) <==> eth1 (Public Internet)

Remeber the NAT for both cases:

iptables -I POSTROUTING -t nat -o eth1 -j MASQUERADE

Related Solutions

Linux – NAT and two bridges

The MASQUERADE target is a bit "magic" as it uses the IP set up on the output interface to source-nat the traffic.

You could use the SNAT target with the public IP address in parameter :

iptables -t nat -A POSTROUTING -o br0 --to-source W.X.Y.Z -j SNAT

I you want to use the MASQUERADE target (if your public IP changes for example), you should put the rule on the interface where the public address is setup, eth0 :

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Brctl bridge forwarding packets to promiscuous interfaces

According to it's design, the Linux bridge acts exactly like a plain NWay Ethernet Switch. It keeps it's own ARP/MAC Address Table, and forwards packets according to this table. So Multicast and ARP, as in a plain network switch, go out to every port regardless what their origin is.

In order to prevent this behavior, you should set up a firewall, not using iptables, which takes care of Layer 3+ in OSI Model, but ebtables which takes care of Layer 2 traffic.

Assuming you are on a Debian/Debian based distro you could execute:

apt-get install ebtables

apt-get install arptables

For aditional documentation execute:

man 8 ebtables

Here is a short example of using ebtables for multicast:

ebtables -A FORWARD -o eth0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o eth0 --pkttype-type multicast -j DROP
ebtables -A FORWARD -o eth1 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o eth1 --pkttype-type multicast -j DROP

As a good starting point for learnig ebtables, which actually copies iptables syntax, here is the official documentation: http://ebtables.sourceforge.net/documentation/docs.html

Best Answer

Related Solutions

Linux – NAT and two bridges

Brctl bridge forwarding packets to promiscuous interfaces

Related Topic