Forward packets from one interface to another?

Forward packets from one interface to another?

[Kārlis Repsons]

Hello,
maybe someone here can help with this problem: I have two NIC ports (for RJ45 
I mean) on my PC (pH) and it is necessary to attach another PC (pB) to the 
spare port similarly to like it was attached to switch. pB has static IPv4 
just like pH.
But. I want to do it with routing and iptables! Please, please, I have always 
failed using two interfaces, I would appreciate an example of how can I 
change it!

RE: Forward packets from one interface to another?

[Gilad Benjamini]

Your description is not very clear, but my guess is that you want to run a
bridge on this PC. "man brctl" is a good place to start.
Most distributions have an easy way to setup the bridge via the network
configuration files.

If you actually need to set your machine as a router that's a different
issue.

Regarding iptables, you will need rules on the FORWARD table to catch packet
travelling through the bridge.

> -----Original Message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> owner@vger.kernel.org] On Behalf Of K?rlis Repsons
> Sent: Tuesday, February 03, 2009 9:54 AM
> To: netfilter
> Subject: Forward packets from one interface to another?
> 
> Hello,
> maybe someone here can help with this problem: I have two NIC ports
> (for RJ45
> I mean) on my PC (pH) and it is necessary to attach another PC (pB) to
> the
> spare port similarly to like it was attached to switch. pB has static
> IPv4
> just like pH.
> But. I want to do it with routing and iptables! Please, please, I have
> always
> failed using two interfaces, I would appreciate an example of how can I
> change it!
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Forward packets from one interface to another?

[Kārlis Repsons]

On Tuesday 03 February 2009 19:21:05 Gilad Benjamini wrote:
> Your description is not very clear, but my guess is that you want to run a
> bridge on this PC. "man brctl" is a good place to start.
It is all very simple: think of one computer with two RJ45 inputs, one 
connected to LAN, other to laptop, which needs access to LAN too. The problem 
is: I have only one cable to LAN and no extra switch.

Is that only bridging to use? I would like to set up routing for that, because 
it seams simple enough for me (and I want to see how it can be done), but it 
turns out not so in practice today :(
So do I have to use bridge in any case here?

> Most distributions have an easy way to setup the bridge via the network
> configuration files.
>
> If you actually need to set your machine as a router that's a different
> issue.
I am interested to set it up as a small router, yes. 

>
> Regarding iptables, you will need rules on the FORWARD table to catch
> packet travelling through the bridge.
>
> > -----Original Message-----
> > From: netfilter-owner@vger.kernel.org [mailto:netfilter-
> > owner@vger.kernel.org] On Behalf Of K?rlis Repsons
> > Sent: Tuesday, February 03, 2009 9:54 AM
> > To: netfilter
> > Subject: Forward packets from one interface to another?
> >
> > Hello,
> > maybe someone here can help with this problem: I have two NIC ports
> > (for RJ45
> > I mean) on my PC (pH) and it is necessary to attach another PC (pB) to
> > the
> > spare port similarly to like it was attached to switch. pB has static
> > IPv4
> > just like pH.
> > But. I want to do it with routing and iptables! Please, please, I have
> > always
> > failed using two interfaces, I would appreciate an example of how can I
> > change it!
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: Forward packets from one interface to another?

[Gilad Benjamini]

> -----Original Message-----
> 
> On Tuesday 03 February 2009 19:21:05 Gilad Benjamini wrote:
> > Your description is not very clear, but my guess is that you want to
> run a
> > bridge on this PC. "man brctl" is a good place to start.
> It is all very simple: think of one computer with two RJ45 inputs, one
> connected to LAN, other to laptop, which needs access to LAN too. The
> problem
> is: I have only one cable to LAN and no extra switch.
> 

You say yourself that your problem is the lack of a switch; i.e. you want
your Linux machine to serve as the switch; i.e. you need a Linux bridge

Re: Forward packets from one interface to another?

[Kārlis Repsons]

On Tuesday 03 February 2009 19:49:22 you wrote:
> > -----Original Message-----
> >
> > On Tuesday 03 February 2009 19:21:05 Gilad Benjamini wrote:
> > > Your description is not very clear, but my guess is that you want to
> >
> > run a
> >
> > > bridge on this PC. "man brctl" is a good place to start.
> >
> > It is all very simple: think of one computer with two RJ45 inputs, one
> > connected to LAN, other to laptop, which needs access to LAN too. The
> > problem
> > is: I have only one cable to LAN and no extra switch.
>
> You say yourself that your problem is the lack of a switch; i.e. you want
> your Linux machine to serve as the switch; i.e. you need a Linux bridge

Well, most likely you are right and I will spend some more (but maybe not as 
much) time tomorrow to set up that bridge. I just want to know, if its 
absolutely necessary and there is no way to do routing / forwarding?

Re: Forward packets from one interface to another?

[bsilva]

You can use either routing/forwarding or bridging for this problem,
however, bridging is simpler in many ways.  If you use bridging, there is
are fewer impacts on the design of the rest of your network.  If you use
routing, then the router that connects the PC with two interfaces to the
Internet needs to know about the network on the other side of the PC
(in a small network this can be done by adding a static route).

So, in this example:

-----------                -----------                  -----------
| Router/ |                |   PC    |                  |   PC    |
| Firewall|.1    Net A  .10| with 2  |.10    Net B   .11| with 1  |
|   to    |----------------|  NICs   |------------------|  NIC    |
| Internet|  192.168.1.0   -----------   192.168.2.0    -----------
-----------
Each network is /24 (netmask of 255.255.255.0)

So, for this to work you need to do several things, the simplest is that
you need to assign each PC the appropriate addresses.

Firewall router:
Local network IP: 192.168.1.1 /24
Internet address is not given in this example, but is assumed to exist ;-)
Deafult gateway points to Internet.
Static route defining gateway to 192.168.2.0/24 via 192.168.1.10.

Router PC:
Net A NIC: 192.168.1.10 /24
Net B NIC: 192.168.2.10 /24
Default gateway: 192.168.1.1

Other PC:
NIC: 192.168.2.11 /24
Default Gateway: 192.168.2.10

Once configured, you will also need to turn on IPv4 forwarding in the
Linux box. The most universal way is to run this command:
"echo 1 > /proc/sys/net/ipv4/ip_forward"
Although most distributions have thier own method to configure IP
forwarding that persists across reboots.


I hope that helps.

Brad

On Tue, 3 Feb 2009, [windows-1257] Kârlis Repsons wrote:

> On Tuesday 03 February 2009 19:49:22 you wrote:
> > > -----Original Message-----
> > >
> > > On Tuesday 03 February 2009 19:21:05 Gilad Benjamini wrote:
> > > > Your description is not very clear, but my guess is that you want to
> > >
> > > run a
> > >
> > > > bridge on this PC. "man brctl" is a good place to start.
> > >
> > > It is all very simple: think of one computer with two RJ45 inputs, one
> > > connected to LAN, other to laptop, which needs access to LAN too. The
> > > problem
> > > is: I have only one cable to LAN and no extra switch.
> >
> > You say yourself that your problem is the lack of a switch; i.e. you want
> > your Linux machine to serve as the switch; i.e. you need a Linux bridge
>
> Well, most likely you are right and I will spend some more (but maybe not as
> much) time tomorrow to set up that bridge. I just want to know, if its
> absolutely necessary and there is no way to do routing / forwarding?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>

Re: Forward packets from one interface to another?

[Rick Jones]

> You say yourself that your problem is the lack of a switch; i.e. you want
> your Linux machine to serve as the switch; i.e. you need a Linux bridge

In other words, a "switch" is merely a multi-port bridge.

rick jones

RE: Forward packets from one interface to another?

[Gilad Benjamini]

> -----Original Message-----
> Well, most likely you are right and I will spend some more (but maybe
> not as
> much) time tomorrow to set up that bridge. I just want to know, if its
> absolutely necessary and there is no way to do routing / forwarding?
> --

There is definitely a way to do routing, but it's more complicated, and it
seems like a bridge (which is also a forwarding device) better suits your
needs.

Re: Forward packets from one interface to another?

[Rick Jones]

bsilva wrote:
> You can use either routing/forwarding or bridging for this problem,
> however, bridging is simpler in many ways.  If you use bridging, there is
> are fewer impacts on the design of the rest of your network.  If you use
> routing, then the router that connects the PC with two interfaces to the
> Internet needs to know about the network on the other side of the PC
> (in a small network this can be done by adding a static route).
> 
> So, in this example:
> 
> -----------                -----------                  -----------
> | Router/ |                |   PC    |                  |   PC    |
> | Firewall|.1    Net A  .10| with 2  |.10    Net B   .11| with 1  |
> |   to    |----------------|  NICs   |------------------|  NIC    |
> | Internet|  192.168.1.0   -----------   192.168.2.0    -----------
> -----------
> Each network is /24 (netmask of 255.255.255.0)
> 

If instead, you further subnettted 192.168.1 with a /25 on the PCs (but still a 
/24 on the router), the Router/Firewall wouldn't have to know about the other 
subnet.  It could just blythly ass-u-me that the end-PC was on the same network 
segment as the middle PC.  So long as the middle PC was configured with a static, 
public ARP entry for the IP of the end PC, and had ip_forwarding enabled, it 
would "front" for the end PC.

rickjones

Re: Forward packets from one interface to another?

[bsilva]

Yeah, but I find that's more complicated than adding a static route to the
upstream router.  The only time I would use that solution is if I didn't
have the ability to add a static route.


Brad


On Tue, 3 Feb 2009, Rick Jones wrote:

> bsilva wrote:
> > You can use either routing/forwarding or bridging for this problem,
> > however, bridging is simpler in many ways.  If you use bridging, there is
> > are fewer impacts on the design of the rest of your network.  If you use
> > routing, then the router that connects the PC with two interfaces to the
> > Internet needs to know about the network on the other side of the PC
> > (in a small network this can be done by adding a static route).
> >
> > So, in this example:
> >
> > -----------                -----------                  -----------
> > | Router/ |                |   PC    |                  |   PC    |
> > | Firewall|.1    Net A  .10| with 2  |.10    Net B   .11| with 1  |
> > |   to    |----------------|  NICs   |------------------|  NIC    |
> > | Internet|  192.168.1.0   -----------   192.168.2.0    -----------
> > -----------
> > Each network is /24 (netmask of 255.255.255.0)
> >
>
> If instead, you further subnettted 192.168.1 with a /25 on the PCs (but still a
> /24 on the router), the Router/Firewall wouldn't have to know about the other
> subnet.  It could just blythly ass-u-me that the end-PC was on the same network
> segment as the middle PC.  So long as the middle PC was configured with a static,
> public ARP entry for the IP of the end PC, and had ip_forwarding enabled, it
> would "front" for the end PC.
>
> rickjones
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>

Re: Forward packets from one interface to another?

[Mike Wright]

Rick Jones wrote:
> bsilva wrote:
> 
>> You can use either routing/forwarding or bridging for this problem,
> 
> If instead, you further subnettted 192.168.1 with a /25 on the PCs (but 
> still a /24 on the router), the Router/Firewall wouldn't have to know 
> about the other subnet.  It could just blythly ass-u-me that the end-PC 
> was on the same network segment as the middle PC.  So long as the middle 
> PC was configured with a static, public ARP entry for the IP of the end 
> PC, and had ip_forwarding enabled, it would "front" for the end PC.

Hi Rick,

That's a nice tip.

How does the middle PC setup the static, public ARP entry?  Arptables? 
Example?

Very curious about how this is done.

tia,
Mike Wright :m)

Re: Forward packets from one interface to another?

[Rick Jones]

Mike Wright wrote:
> How does the middle PC setup the static, public ARP entry?  Arptables? 
> Example?

Being an old Unix Luddite :) I would presume some variation on an arp -s command.

rick jones

Re: Forward packets from one interface to another?

[Pascal Hambourg]

Hello,

Mike Wright a écrit :
> Rick Jones wrote:
>>
>> If instead, you further subnettted 192.168.1 with a /25 on the PCs 
>> (but still a /24 on the router), the Router/Firewall wouldn't have to 
>> know about the other subnet.  It could just blythly ass-u-me that the 
>> end-PC was on the same network segment as the middle PC.  So long as 
>> the middle PC was configured with a static, public ARP entry for the 
>> IP of the end PC, and had ip_forwarding enabled, it would "front" for 
>> the end PC.
> 
> How does the middle PC setup the static, public ARP entry?

By enabling proxy ARP on the interface connected to net A in your 
diagram (/proc/sys/net/ipv4/<interface>/proxy_arp).

However you might have trouble if your applications rely on broadcast 
packets which cannot be forwarded by routers.