* Linux as a router and/or bridge
@ 2003-05-30 3:08 J S
2003-05-30 3:28 ` Ray Olszewski
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: J S @ 2003-05-30 3:08 UTC (permalink / raw)
To: linux-newbie
Linux people,
I'm trying to understand how to set up a Linux system as a router. For
example, assume I have an interface with IP address 192.168.0.1(eth0)
and another with IP address 192.168.1.1(eth1). What do I need to do to
allow traffic received on one interface to be automatically forwarded
out of the other interface? To extend the example, assume eth0 receives
a packet from 192.168.0.25 that is destined for 192.168.2.40. What is
the minimal set of steps I need to perform in order to get my kernel to
send that packet on its way?
Second question, what exactly is network bridging and how might I use it
instead of setting up a Linux system as a router?
Josh
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.linux-learn.org/faqs
* Re: Linux as a router and/or bridge
From: Ray Olszewski @ 2003-05-30 3:28 UTC (permalink / raw)
To: linux-newbie
At 11:08 PM 5/29/2003 -0400, J S wrote:
>Linux people,
>
>I'm trying to understand how to set up a Linux system as a router. For
>example, assume I have an interface with IP address 192.168.0.1(eth0)
>and another with IP address 192.168.1.1(eth1). What do I need to do to
>allow traffic received on one interface to be automatically forwarded
>out of the other interface? To extend the example, assume eth0 receives
>a packet from 192.168.0.25 that is destined for 192.168.2.40. What is
>the minimal set of steps I need to perform in order to get my kernel to
>send that packet on its way?
Assuming your routing table is set up correctly (that is, that the Linux
host itself can communicate with both networks), all you need to do on the
Linux host is

    echo '1' > /proc/sys/net/ipv4/ip_forward

You do need IP forwarding compiled into the kernel, but I believe
off-the-shelf kernel images normally include it.
Hosts on the two LANs need to know that the Linux host is their route to
the other network, information needed in *their* routing tables ... the
router's interface on each network needs to be identified either as the
route to the other network or as the default route for all non-local IP
addresses.
But that's not part of the Linux router's configuration ... it's required
for your assumption to hold ("assume eth0 receives a packet from
192.168.0.25 that is destined for 192.168.2.40", since if 192.168.0.25
doesn't know that 192.168.0.1 is its route to, probably, 192.168.2.0/24,
then the router's eth0 interface will never receive the packet).
There is a lot more to routing than this, but you asked for a minimal set of
steps, and this is the simplest routing setup I can think of.
>Second question, what exactly is network bridging and how might I use it
>instead of setting up a Linux system as a router?
Routing takes place at the network layer (IP addresses). Bridging takes
place at the link layer (in this example, since the interfaces are eth*,
that would be Ethernet MAC addresses). Linux can bridge as well as route,
but it's been so long since I used it that way that I cannot rattle off
even the basics in an e-mail message.
To learn more, I suggest you look at one of the router/firewall specialized
Linux distros, like LEAF (leaf.sourceforge.net) or get a good book (I like
Mancill's _Linux Routers_, 2e, published by Prentice-Hall).
* Re: Linux as a router and/or bridge
From: John T. Williams @ 2003-05-30 10:21 UTC (permalink / raw)
To: J S, linux-newbie
if you look up
NAT
masq
and iptables
you'll find all the information you need
A good place to start is
http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/
Sincerely,
John T. Williams
jtwilliams@vt.edu
----- Original Message -----
From: "J S" <webnews@comcast.net>
To: "linux-newbie" <linux-newbie@vger.kernel.org>
Sent: Thursday, May 29, 2003 11:08 PM
Subject: Linux as a router and/or bridge
> Linux people,
>
> I'm trying to understand how to set up a Linux system as a router. For
> example, assume I have an interface with IP address 192.168.0.1(eth0)
> and another with IP address 192.168.1.1(eth1). What do I need to do to
> allow traffic received on one interface to be automatically forwarded
> out of the other interface? To extend the example, assume eth0 receives
> a packet from 192.168.0.25 that is destined for 192.168.2.40. What is
> the minimal set of steps I need to perform in order to get my kernel to
> send that packet on its way?
>
> Second question, what exactly is network bridging and how might I use it
> instead of setting up a Linux system as a router?
>
> Josh
>
* Re: Linux as a router and/or bridge
From: Stephen Samuel @ 2003-05-30 17:48 UTC (permalink / raw)
To: J S, linux-newbie
J S wrote:
> out of the other interface? To extend the example, assume eth0 receives
> a packet from 192.168.0.25 that is destined for 192.168.2.40. What is
> the minimal set of steps I need to perform in order to get my kernel to
> send that packet on its way?
on an ad hoc basis, the answer of

    echo 1 > /proc/sys/net/ipv4/ip_forward

sysctl.conf:

    echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

(note the double greater than on this one.. You want to append it)
sysctl.conf works on RedHat. It may work on other distributions too.
man sysctl.conf to see if you have it on your distro.
>
> Second question, what exactly is network bridging and how might I use it
> instead of setting up a Linux system as a router?
Bridging is used to connect two networks in a transparent manner.
With bridging, the two 'networks' would normally have the same
subnet, and the bridge would essentially act like a switching hub.
Traffic between two machines on the same side of the
bridge will not normally go to the other side; other traffic will
go through as if the bridge is a slow piece of wire. For each
packet that gets retransmitted, the card is actually programmed
to the ethernet MAC address of the original originator of the
packet.
Unlike routers, bridges do NOT show up in a traceroute
The main reason to use a UNIX (linux) instead of a hub is
that it allows you to do filtering. Usually this is security
related, but you can also use it more actively to simulate
various network conditions (but OpenBSD has a better set of
tools for doing that, right now).
If you have a bridging hub where none of the ethernet cards
has its own IP address, then the machine will be unreachable
on those networks -- essentially invisible. If you're using it
for security reasons, this makes it that much harder for an
intruder to break into.
Note that bridging and routing can coexist. I've set up a
system (OpenBSD, in this case) with three interfaces as follows
(names and addresses changed for simplicity)
    eth1  external link                 64.35.83.88
    eth2  internal, bridged to outside
    eth3  internal routed link          10.35.44.1

To do that, I had to give eth1 and eth3 IP addresses and turn
on forwarding. Eth3 did NOT need an IP address (since it's used
for bridging only). In this case, the machines on the eth3 network
could talk to the router using its address on eth1.
machines attached to eth3 would talk directly to our ISP's router.
(and have 64.35.83.XXX addresses) machines on the eth2 network
would use 10.35.44.1 as their default router and have 10.35.44.xxx
addresses.
(Some people might notice that 10.xx.xx.xx addresses are
non-routing and would thus need a NAT setup, but we can ignore
that for now (just presume that our ISP does the NAT work).)
--
Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
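
Added example, not part of any poster's message: the replies above turn forwarding on at runtime (the echo into /proc) and at boot (the line in sysctl.conf), and the two can disagree. This sketch reports both states and appends the sysctl.conf line only when needed; the function names are hypothetical and the file paths are arguments so it can be run on copies.

```shell
# Added example: compare runtime IPv4 forwarding with what sysctl.conf applies at boot.
# Paths are arguments so the functions can be run on copies; names are hypothetical.
runtime_forward() {   # prints 0, 1, or "unknown"
    [ -r "${1:-/proc/sys/net/ipv4/ip_forward}" ] || { printf 'unknown'; return; }
    tr -d ' \t\n' < "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Last uncommented assignment wins; keys may be written with "." or "/".
persistent_forward() {   # prints 0, 1, or "unset"
    conf=${1:-/etc/sysctl.conf}
    [ -r "$conf" ] || { printf 'unset'; return; }
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key); gsub("/", ".", key)
            if (key == "net.ipv4.ip_forward") { val = $2; gsub(/[ \t]/, "", val); found = 1 }
        }
        END { printf "%s", (found ? val : "unset") }
    ' "$conf"
}

# Append only when the effective boot value is not already 1, so repeated
# runs do not stack duplicate lines the way a bare ">>" would.
persist_forward() {
    conf=${1:-/etc/sysctl.conf}
    [ "$(persistent_forward "$conf")" = "1" ] && return 0
    printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
}

# Report the runtime/boot combinations, including the mismatches.
forward_status() {
    rt=$(runtime_forward "$1"); ps=$(persistent_forward "$2")
    case "$rt/$ps" in
        1/1) echo "forwarding on, persistent" ;;
        1/*) echo "forwarding on until reboot only" ;;
        0/1) echo "forwarding off now, on after reboot" ;;
        0/*) echo "forwarding off" ;;
        *)   echo "runtime state unknown" ;;
    esac
}

# Demo on constructed files, not the live system.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/ip_forward"
printf '# constructed sample\nnet.ipv4.ip_forward = 0\n' > "$demo_dir/sysctl.conf"
forward_status "$demo_dir/ip_forward" "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```

The "forwarding off now, on after reboot" case is the one worth checking on a host that is not meant to route: it will start forwarding between its interfaces at the next boot.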