Hello everybody,

Although there is a man page which documents most of the actual
commands, there is still a 'gap' concerning what bridges are, and how
to set them up. This document attempts to fill this gap.

In fact, this document is a 15-min hack, so feel free to {complain
about,improve on} it. Especially if this document (or the FAQ) does
not tell you what you want to know; I would consider that to be a bug.


Have fun!
Lennert Buytenhek


<================= CUT HERE AND DAMAGE YOUR SCREEN =================>



1. The basics
-------------

What does a bridge actually do? In plain English, a bridge connects
two or more different physical Ethernets together to form one large
(logical) Ethernet. The physical Ethernets being connected together
correspond to network interfaces in your Linux box. The bigger
(logical) Ethernet corresponds to a virtual network interface in Linux
(often called br0, br1, br2, etc.)

Let's say we want to tie eth0 and eth1 together, turning those
networks into one larger network. What do we do? Well, we need to
create an instance of the bridge first.

  # brctl addbr br0

(You can check that this gives you a network interface called br0.)
Now we want to enslave eth0 and eth1 to this bridge.

  # brctl addif br0 eth0
  # brctl addif br0 eth1

And now... because we connected the two Ethernets together, they now
form one large subnet. We are actually on only one subnet, namely
br0. We can forget about the fact that br0 is actually eth[01] in
disguise; we will only deal with br0 from now on. Because we are only
on one subnet, we only need one IP address for the bridge. This
address we assign to br0. eth0 and eth1 should not have IP addresses
allocated to them.

  # ifconfig eth0 0.0.0.0
  # ifconfig eth1 0.0.0.0
  # ifconfig br0 my.ip.address.here

The last command also puts the interface br0 into the 'up' state. This
will activate the forwarding of packets, which in plain English means
that from that point on, eth0 and eth1 will be 'joined'
together. Hosts on eth0 should 'see' hosts on eth1 and vice versa.

The bridge will also (automatically) activate the Spanning Tree
Protocol: this is a network protocol spoken by switches for (roughly
speaking) calculating the shortest distances and eliminating loops in
the topology of the network. You can disable STP if you really
want/need to; see brctl(8) for details.



2. More complicated setups
--------------------------

We can create multiple bridge port groups and do filtering/NATting
between them, just like we can do that with ordinary network
interfaces.

For example: on a quadport network card, dedicate two ports to a LAN
on which we have IP 10.16.0.254, and the other two ports to a LAN on
which we have IP 192.168.10.1 (this is an actual setup):

  # brctl addbr br_10
  # brctl addif br_10 eth0
  # brctl addif br_10 eth1
  # ifconfig br_10 10.16.0.254

  # brctl addbr br_192
  # brctl addif br_192 eth2
  # brctl addif br_192 eth3
  # ifconfig br_192 192.168.10.1

You now have logical network interfaces br_10 and br_192, which will
act just like ordinary interfaces. The only difference is that they
each correspond to two physical network interfaces, but nobody cares
about that.

So, for example, if 192.168.10.2 is the only host on the 192.* network
that is allowed to access the 10.* network, we would do:

  # ipchains -P forward REJECT
  # ipchains -A forward -s 192.168.10.2/32 -d 10.0.0.0/8 -i br_10 -j ACCEPT

(just like you were used to).



Hope this helped. If not, send a cry for help to the mailing list.
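Section 1 requires every enslaved port to be set to 0.0.0.0, and that applies to eth0..eth3 in the section 2 layout as well; a port that keeps an address is reachable around the ipchains rules on the bridge. The following is an added audit script, not part of the original HOWTO: it assumes the input looks like 'brctl show' and 'ifconfig' output, and both samples below are constructed.

```shell
#!/bin/sh
# Added example (not from the HOWTO): list bridge ports that still carry an
# IP address. The HOWTO wants member ports at 0.0.0.0; a port that keeps one
# has its own L3 path that bypasses filtering done on the bridge interface.
# Inputs are constructed samples shaped like 'brctl show' and 'ifconfig'.

# Constructed 'brctl show'-style table for the section 2 layout.
BRCTL_SHOW='bridge name     bridge id               STP enabled     interfaces
br_10           8000.000000000001       yes             eth0
                                                        eth1
br_192          8000.000000000002       yes             eth2
                                                        eth3'

# Constructed 'ifconfig'-style output: eth1 was never zeroed (the mistake
# to catch); otherwise only br_10 and br_192 hold addresses, as required.
IFCONFIG='br_10     Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.16.0.254  Bcast:10.16.255.255  Mask:255.255.0.0
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          inet addr:10.16.0.7  Bcast:10.16.255.255  Mask:255.255.0.0
br_192    Link encap:Ethernet  HWaddr 00:00:00:00:00:03
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
eth2      Link encap:Ethernet  HWaddr 00:00:00:00:00:03
eth3      Link encap:Ethernet  HWaddr 00:00:00:00:00:04'

# bridge_ports TABLE -> enslaved port names, one per line. A bridge's first
# row has four fields (port last); extra ports come as one-field rows; a
# three-field row is a bridge with no ports and yields nothing.
bridge_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF == 4 { print $4 }
                               NR > 1 && NF == 1 { print $1 }'
}

# addressed_ifaces IFCONFIG -> names of interfaces whose block contains an
# "inet addr:" line (a block is an unindented line plus its indented lines).
addressed_ifaces() {
    printf '%s\n' "$1" | awk '/^[^ ]/ { cur = $1 } /inet addr:/ { print cur }'
}

# ports_with_ip TABLE IFCONFIG -> enslaved ports that still hold an address;
# prints nothing when every member port is 0.0.0.0 as the HOWTO requires.
ports_with_ip() {
    bridge_ports "$1" | while IFS= read -r port; do
        if addressed_ifaces "$2" | grep -qxF "$port"; then
            printf '%s\n' "$port"
        fi
    done
}

ports_with_ip "$BRCTL_SHOW" "$IFCONFIG"   # prints: eth1
```

On a live box, feed it `"$(brctl show)"` and `"$(ifconfig)"` instead of the constructed samples.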