# Bridging network interfaces?

## reaz82

here is an interesting project.. i have already implemented this in windows.. however linux is going to be a slight prob..

i have 2 ethernet cards on my computer.. i also have a laptop.. using a crossover cable i can connect my computer to my laptop.. this connection occupies one of my ethernet cards.. the other ethernet card will receive a connection from my router.. so basically i want to bridge these 2 cards...

i once did it in slackware.. however i ended up supplying internet to my laptop and not my computer.. which was weird.. however i am addicted to gentoo at this point so i want to know how i can get around to doing this ..

thank you in advance

----------

## KraziKid

I wouldn't necessarily "bridge" the connections (this makes two physical network cards behave as one card). Instead, I would use iptables, and MASQUERADE the card going to the laptop, to the card that connects to your router.

----------

## acidreign

I wonder if anyone else has had success in actually "bridging" and allowing the machine to have an IP. I would love to run a transparent proxy and snort on a bridge that I administer. But I can't give any of the NICs an IP or the bridge fails.

Maybe I'm missing something.

----------

## ronmon

reaz82,

I use bridging on my router box (Gentoo/Shorewall), but only to put my ethernet and 802.11b on the same subnet to simplify things. It's really not what you are looking for.

Windows 'Internet Connection Sharing' is IP Masquerading, as KraziKid points out. Basically, you can make everything under Networking Options > Network packet filtering as modules (skipping the experimental and ipchains stuff), then grab a helper app from /usr/portage/net-firewall. There are several to choose from, and they can make setting things up much easier.

acidreign,

You can't give each device an IP because they become one virtual device (i.e. br0) and that gets the IP. Can't you run your proxy on the bridge?

----------

## reaz82

That's a lot of info.. thank you all..

in windows i do not use internet connection sharing .. instead i use network bridging.. that way my laptop gets a separate internal ip.. and so does my computer..

i was wondering if i could do the same for linux.. according to you guys bridging might not be a good idea.. in that case can anyone give me step by step details of how to masquerade and what applications will suit my purpose best..

thank you very much

----------

## Kap

It's not hard at all

```
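# bring both NICs up in promiscuous mode, without IP addresses
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

# create the bridge; the IP address and netmask go on the bridge itself
brctl addbr mybridge
ifconfig mybridge x.x.x.x netmask y.y.y.y up

# add both NICs to the bridge
brctl addif mybridge eth0
brctl addif mybridge eth1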
```

done!

the point to remember is that you have to put both ethernet ports up but without IP numbers, the ip number goes to the bridge; and then add the interfaces to the bridge

--

Kz

----------

## BlackBart

tldp.org

----------

## reaz82

as i mentioned already.. i have bridged in linux.. it did not work out well.. so i am looking for instructions to masquerade my ip.. i am not looking for the howto because it is filled with unnecessary details.. however providing a bit more than tldp.org would be helpful as a link.. i have already read those howtos.. they aren't too helpful.. outdated according to me..

someone had mentioned using a firewall from net-firewall collection to implement ip masquerading.. i'd like to know more about that.. 

thank you

i'll try bridging once again.. in the mean time i want to know more about ip masquerading.. btw which one would be a more efficient and better solution for my case? i am looking for an analysis.. 

thanx

----------

## reaz82

*Kap wrote:*

> It's not hard at all
>
> ```
> ifconfig eth0 0.0.0.0 promisc up
>
> ...
> ```


and to add to this post.. which is correct but if you are on a dhcp router then you have to use dhcp to get the bridge up..

for example

```
ifconfig br0 promisc up
dhcpcd br0
```

and that should get both computers accessing the net..

thanx

----------

## acidreign

The bridge is currently working, and working fine with iptables, filtering out connections, keeping state, it's all good.

The problem is that I can't assign the bridge an IP. The second I do, things seem to break. I tried in both 2.2 and 2.4.18 - 2.4.20. This bridge has been in operation for about a year and a half now, and seems to be going well.

What I would like to do is put some services on the bridge, and set it up as a transparent proxy, and perhaps allow me to admin the machine remotely; at the moment it's local console only.

I shall try this again, but because this machine is used in a production environment it can't be tested during business hours.

----------

## wolf31o2

A bridge cannot have an IP address on the same interface that is being used to bridge. Try adding a third NIC, which you can assign an IP address.

----------

## OdinsDream

Isn't the request actually IP Masquerading?

In any case, here's the iptables ruleset I'm using to provide internet connectivity to both my desktop and laptop, the desktop having two nics, and a single public IP address:

http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Masquerading-Simple-HOWTO.html
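
An added example, not part of the posts in this thread: the masquerading setup discussed above for a desktop with two NICs, written as a shell function that prints the iptables commands so they can be reviewed before being applied. The interface roles (eth0 to the router, eth1 to the laptop), the 192.168.2.0/24 laptop subnet and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): NAT a laptop behind a two-NIC desktop.
# Assumed layout: WAN_IF faces the router, LAN_IF faces the laptop.

# Accept only plain interface names, so nothing else reaches a command line.
valid_if() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# masq_rules WAN_IF LAN_IF LAN_CIDR
# Prints the commands one per line; returns 1 on bad arguments.
masq_rules() {
    wan=$1 lan=$2 cidr=$3
    valid_if "$wan" && valid_if "$lan" || return 1
    [ "$wan" != "$lan" ] || return 1
    case "$cidr" in
        ''|*[!0-9./]*) return 1 ;;   # digits, dots and slash only
        */*) ;;                      # must carry a prefix length
        *) return 1 ;;
    esac
    # Forwarding is denied by default; only LAN-originated traffic and its
    # replies may cross, and only traffic leaving via the WAN is rewritten.
    # Rules are appended, so existing FORWARD rules are still evaluated first.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $cidr -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $cidr -j MASQUERADE
EOF
}

# Dry run by default; set APPLY=1 (as root) to execute the emitted commands.
if [ "${APPLY:-0}" = 1 ]; then
    masq_rules "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_CIDR:-192.168.2.0/24}" | sh -e
fi
```

Unlike a bridge, this keeps the laptop on its own subnet behind the desktop, and the FORWARD rules decide what may cross between the two cards.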

----------

## reaz82

thank you very much.. 

i'll give this a try too.. btw i have the network bridge thing working..

however i'll try ipmasquerading..

can anyone tell me the pros and cons of both?

thank you

EDIT: i also want to clarify what you can do and what you can not do in bridging.. i have been tinkering with this for a month now and i can safely say that when you are bridging interfaces you can assign ips to the interfaces.. choosing not to assign ips is a security issue.. i bridged with ips and without and in both cases i achieved success.. keep in mind that the bridge will use an ip for itself..

now even if you do not assign an ip to an interface the machine using that interface will seek and achieve an ip.. however the other machines will not know of this.. for eg..

i have 2 network ifaces on my desktop.. when i bridge i provided the bridge with an ip using dhcpcd br0 (br0 is my bridge)

however both my ifaces are 0.0.0.0 and in promisc mode.. now when i sit on my laptop and get it working i noticed it has an ip address.. i also tried providing my desktop an ip and it continues to work even though the bridge has a different ip!

i hope i have confused you all enough.. ;)

take care

----------

## Jesu

Windows XP Network Bridging is equivalent to Proxy ARP routing on linux, not to bridging. It's a question of levels. Linux bridging copies the raw ethernet frames which appear on either side to the other side, without looking at them at all. Thus, the linux box only needs one IP address, because the two adapters are merged into one big one.

However, this doesn't work if the two sides have different raw ethernet standards - eg. 802.3 Ethernet and 802.11b Wireless Ethernet. So, Proxy ARP uses two separate IP addresses for two interfaces, and you instruct it which IPs are on which interface. Then, for any packet which appears on one side (eg. eth0), if the machine recognises the IP as one of those on the other side (eg. eth1) it claims to be that machine, and passes it on through the other network layer. Because it's bridging at the IP layer, it cuts across different ethernet protocols. This is what Win XP does when it says 'Network Bridge'.

If you want any more info, just ask.

Jesu

----------

## reaz82

 *Jesu wrote:*   

> Windows XP Network Bridging is equivalent to Proxy ARP routing on linux, not to bridging. It's a question of levels. Linux bridging copies the raw ethernet frames which appear on either side to the other side, without looking at them at all. Thus, the linux box only needs one IP address, because the two adapters are merged into one big one.
>
> However, this doesn't work if the two sides have different raw ethernet standards - eg. 802.3 Ethernet and 802.11b Wireless Ethernet. So, Proxy ARP uses two separate IP addresses for two interfaces, and you instruct it which IPs are on which interface. Then, for any packet which appears on one side (eg. eth0), if the machine recognises the IP as one of those on the other side (eg. eth1) it claims to be that machine, and passes it on through the other network layer. Because it's bridging at the IP layer, it cuts across different ethernet protocols. This is what Win XP does when it says 'Network Bridge'.
> 
> If you want any more info, just ask.
> ...

 

very informative.. thank you for sharing.. :)

----------

