Re: Bridging interfaces and the internet

Paul Howarth wrote:
Nigel Wade wrote:

Justin Willmert wrote:

I just set up a desktop with two network cards and have got a bridge working between the two. That is not what my problem lies in though. I would like for the box to be able to connect to the internet also, but if I understand what I've set up correctly, I can't do that with my current setup. When I've tried to give one of the network cards an IP address, nothing but lo works, so I know there's something missing. I'll add my configuration at the bottom, but shortly, br0 is configured with an IP address, and eth0 and eth1 have none. Now, I know br0 is capable of at least a network connection because as I type this, I'm currently SSHed into into the box, but if I try to ping anything, all the packets are lost.


What IP address are you ssh'ed into the box from? Can you ssh back to that IP from the bridge machine? Might the ping issue be due to firewall rules (e.g. blocking ICMP packets)?


OK, I thought I had my firewall set up correctly, because I had a default policy to accept on the OUTPUT and FORWARD chains so I never thought that'd be a problem, but when I shut it off, it does work. So now I guess my question would be, what special rules do I need to create to allow this bridge setup to work with a firewall? Here is my firewall script.


===================== setup-firewall-rules =====================
#!/bin/sh

# Delete all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Setup policies
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

# Always trust the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow already opened connections
# (Only need INPUT right now 'cause it's the only one with DROP policy)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Accept VNC connections
iptables -A INPUT -p tcp --dport 5801 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 5901 -m state --state NEW -j ACCEPT

OK, so here are some of my thoughts and possible hints to a solution:
1) My routing tables need another route, so I just figure out how to configure that and add a route.
2) br0, eth0, and eth1 are incapable of an internet connection, in which case I need to create a virtual interface that can connect as if it were a separate interface that does the internet connecting.



br0 is the network interface of the system. eth0 and eth1 are part of a bridge and therefore completely transparent in the network.


Correct.

===================== output of `route` =====================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
            ===== 10 second or so delay here =====
default         192.168.2.2     0.0.0.0         UG    0      0        0 br0




You haven't set a netmask on the default route. It should be 255.255.255.0 to match the network segment.


A netmask of 0.0.0.0 is normal for the default route.

Paul.

The 10 second pause in the output also has to do with the firewall. When I shut down the firewall, it shows up immediately.

Thanks for the help guys,
Justin
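The thread asks what rules a bridge host with an INPUT DROP policy needs. The script below is an added example, not Justin's script or anything from the list: it keeps the shape of his ruleset (flush, policies, loopback, conntrack, ssh and vnc) and adds the parts that matter on a bridge. It assumes the bridge interface is br0 and that the host only bridges and never routes, so ip_forward is left off and the FORWARD policy is tightened to DROP with bridged frames accepted explicitly; that tightening is a design choice here, not something the thread states. Calling emit_rules with "echo" prints the rules instead of applying them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: a bridge-aware
# iptables ruleset. Assumptions (not from the thread): the bridge is br0,
# the admin ports are the ssh/vnc ports of the original script, and the
# host only bridges (it does not route), so ip_forward stays off.
# emit_rules echo     -> print the rules (dry run)
# emit_rules iptables -> apply them (root, br_netfilter loaded)

BR_IF=${BR_IF:-br0}              # bridge carrying the host's own IP
ADMIN_PORTS="22 5801 5901"       # ssh and vnc, as in the original script

emit_rules() {
    ipt=$1

    # start from a clean slate, as the original script does
    $ipt -F; $ipt -X
    $ipt -t nat -F; $ipt -t nat -X
    $ipt -t mangle -F; $ipt -t mangle -X

    $ipt -P INPUT DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -P FORWARD DROP         # only bridged frames pass (see below)

    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # replies to what the host itself sent (DNS lookups, ping, ...)
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # packets conntrack cannot classify never reach the accepts below
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # let others ping the host, but rate-limited
    $ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # admin services, only via the bridge interface that owns the address
    for port in $ADMIN_PORTS; do
        $ipt -A INPUT -i "$BR_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # With net.bridge.bridge-nf-call-iptables=1, frames crossing the bridge
    # traverse FORWARD. The physdev match identifies them so they are
    # accepted, while anything the host would have to route between
    # interfaces falls through to the DROP policy.
    $ipt -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
}

# Dry run by default; set APPLY=1 to load the rules for real.
if [ "${APPLY:-0}" = 1 ]; then
    emit_rules iptables
else
    emit_rules echo
fi
```

Two caveats when adapting this: the FORWARD rule is only consulted for bridged frames while /proc/sys/net/bridge/bridge-nf-call-iptables is 1 (if it is 0, the bridge passes frames purely at layer 2 and iptables never sees them), and `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread's script, with the same meaning.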

