
Some Valuable Tips & Tricks

NOTE: Nothing on this particular page is guaranteed to work in every case. The Tips & Tricks provided herein have worked for me personally in the past but are in no way provided as a total solution to any particular problem. ADL Datacomm will not be held responsible for any malfunction after implementing any of these suggestions. These ideas are provided without liability and with no guarantee expressed or implied. Although we have used each one of these, they are supplied as 'use at your own risk' suggestions only.

Ethernet Bridging with Linux

NOTE: This paper was written to help users configure a fully transparent Ethernet Bridge using a few readily available tools. This configuration was installed and tested on Red Hat 9 kernel 2.4.20-31.9

What you’ll need
  • A bridging kernel (2.4.18 or greater). You also need to make sure that bridge-utils and bridge-utils-devel are installed. These packages can usually be found on your favorite distribution disks.

  • Two network interfaces

  • A computer running Linux

Next we need to configure the kernel

The following elements are what make your kernel a bridging kernel. This may not be necessary but we need to check.

You may use your favorite configuration utility like make xconfig or make menuconfig. Load your current configuration file. The following configuration settings should be active.

  1. Under ‘Code maturity level options'
    1. Prompt for development and/or incomplete code/drivers
  2. Under ‘Loadable module support’
    1. Enable loadable module support
    2. Set version information on all module symbols
    3. Kernel module loader
  3. Under ‘Networking Options’
    1. Network packet filtering
    2. Network packet filtering debugging
    3. 802.1d Ethernet Bridging

NOTE: If all of the above items were already selected, then your kernel is already set up for bridging and you can skip to the “Time to build a bridge” section.
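Rather than walking the menus, the same seven options can be checked directly in the kernel's .config file. The following is an added example, not a script from the original page: a POSIX shell check that looks each checklist entry up by its CONFIG_* symbol name (CONFIG_EXPERIMENTAL, CONFIG_MODULES, CONFIG_MODVERSIONS, CONFIG_KMOD, CONFIG_NETFILTER, CONFIG_NETFILTER_DEBUG and CONFIG_BRIDGE are the kernel's own names for those menu entries) and reports any that are absent or marked "is not set". The .config fragment it runs against at the end is constructed for the demonstration; on the bridge host you would point it at /usr/src/linux-2.4/.config as shown in the comment.

```shell
#!/bin/sh
# Added example, not code from the original page: check a 2.4-series kernel
# .config for the seven options in the bridging checklist, by their CONFIG_*
# symbol names. The sample .config written below is constructed for the demo.

# Menu text for each symbol, as it appears in make menuconfig / xconfig.
bridge_menu_text() {
    case "$1" in
        CONFIG_EXPERIMENTAL)    echo 'Prompt for development and/or incomplete code/drivers' ;;
        CONFIG_MODULES)         echo 'Enable loadable module support' ;;
        CONFIG_MODVERSIONS)     echo 'Set version information on all module symbols' ;;
        CONFIG_KMOD)            echo 'Kernel module loader' ;;
        CONFIG_NETFILTER)       echo 'Network packet filtering' ;;
        CONFIG_NETFILTER_DEBUG) echo 'Network packet filtering debugging' ;;
        CONFIG_BRIDGE)          echo '802.1d Ethernet Bridging' ;;
        *)                      echo 'unknown option' ;;
    esac
}

# check_bridge_config FILE
# Prints one line per option that is absent or "is not set" and returns 0
# only when every option is built in (=y) or built as a module (=m).
check_bridge_config() {
    cfg="$1"
    missing=0
    for sym in CONFIG_EXPERIMENTAL CONFIG_MODULES CONFIG_MODVERSIONS CONFIG_KMOD \
               CONFIG_NETFILTER CONFIG_NETFILTER_DEBUG CONFIG_BRIDGE; do
        if grep -q "^${sym}=[ym]$" "$cfg"; then
            continue
        fi
        printf 'MISSING: %s (%s)\n' "$sym" "$(bridge_menu_text "$sym")"
        missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE MODE
# Writes a constructed .config fragment. MODE "full" has everything the
# checklist needs; MODE "partial" leaves bridging and netfilter debugging off.
write_sample_config() {
    {
        echo 'CONFIG_EXPERIMENTAL=y'
        echo 'CONFIG_MODULES=y'
        echo 'CONFIG_MODVERSIONS=y'
        echo 'CONFIG_KMOD=y'
        echo 'CONFIG_NETFILTER=y'
        if [ "$2" = full ]; then
            echo 'CONFIG_NETFILTER_DEBUG=y'
            echo 'CONFIG_BRIDGE=m'
        else
            echo '# CONFIG_NETFILTER_DEBUG is not set'
            echo '# CONFIG_BRIDGE is not set'
        fi
    } > "$1"
}

# On the bridge host the real check is:
#   check_bridge_config /usr/src/linux-2.4/.config
# Here it runs against the constructed partial sample to show the output.
sample="${TMPDIR:-/tmp}/bridge-config-sample.$$"
write_sample_config "$sample" partial
check_bridge_config "$sample" || echo 'kernel must be reconfigured and rebuilt before bridging'
rm -f "$sample"
```

A CONFIG_BRIDGE=m result is accepted because the bridge module is loaded on demand when brctl first touches a bridge, which is exactly what the Kernel module loader entry (CONFIG_KMOD) in the checklist is for.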


If you had to select any of the above items, then you need a successful

make dep clean bzImage modules modules_install

run from the /usr/src/linux-2.4 directory.


NOTE: There appears to be a problem with the /drivers/pci/Makefile. During a make it fails and returns the error

devlist.h no such file or directory

It looks like there have been attempts made to fix it. However, it still didn’t work for me. The reference I found to this, by Pavel Roskin, was posted to the insecure.org linux-kernel list and may be viewed at http://seclists.org/lists/linux-kernel/2003/Mar/0414.html. I could not find a workaround for this problem on my Red Hat 9 system.

Time to build a bridge

The tool we use, brctl, was installed with the bridge-utils package mentioned above. If you were unable to locate this on your distribution disk a substitution product, ebtables, can be obtained from http://bridge.sourceforge.net

Interface Preparation

IP address: Don’t get confused. None of your interfaces should be configured with an address at all. If they are, your network interface configuration scripts should be changed to look something like this.

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=
NETMASK=
USERCTL=no
TYPE=Ethernet


If you’re not familiar with the network scripts on your particular system, you can achieve the same result by running

root@bridge> ifconfig eth0 down
root@bridge> ifconfig eth1 down
root@bridge> ifconfig eth0 0.0.0.0 up
root@bridge> ifconfig eth1 0.0.0.0 up

Ok, now we build

You may type brctl with no options to see a full list of options

root@bridge> brctl addbr br0 <<< This creates a bridge called br0
root@bridge> brctl addif br0 eth0 <<< This adds eth0 to the bridge br0
root@bridge> brctl addif br0 eth1 <<< This adds eth1 to the bridge br0


We need to turn on IP forwarding.

root@bridge> echo "1" > /proc/sys/net/ipv4/ip_forward


Unless this is a multihomed routing device, turn off Spanning Tree (brctl stp takes the bridge name before the on/off setting):

root@bridge> brctl stp br0 off


Now we bring up br0, the virtual interface that brctl addbr created for the bridge.

root@bridge> ifconfig br0 up


You do NOT want to set up any routing unless you’re building a firewall / gateway. This document covers only transparent bridging, NOT routing or firewalling. However, once the bridge is working you may use your choice of IPTABLES rules to filter traffic.

That’s it

Checking our work

Now you can take a look at

root@bridge> brctl show
bridge name	bridge id	STP enabled		interfaces
br0		8000.005056c00001	no		eth0
							eth1

AND

root@bridge> ifconfig

br0       Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          inet addr:10.0.3.129  Bcast:10.0.3.255  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:161180 (157.4 Kb)  TX bytes:66708 (65.1 Kb)

eth0      Link encap:Ethernet  HWaddr 00:04:75:81:ED:B7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:656
          collisions:0 txqueuelen:100
          RX bytes:1922290 (1.8 Mb)  TX bytes:298837 (291.8 Kb)
          Interrupt:11 Base address:0xe400

eth1      Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:1 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:342 (342.0 b)  TX bytes:48379 (47.2 Kb)
          Interrupt:7 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1034 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1034 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82068 (80.1 Kb)  TX bytes:82068 (80.1 Kb)
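Eyeballing those two listings is fine for one box, but the same check can be done mechanically. The following is an added example, not a script from the original page: POSIX shell functions that parse the text of brctl show and ifconfig and report whether br0 exists, has STP turned off, and has eth0 and eth1 as members that carry no IP address of their own (the condition the Interface Preparation section insists on). The brctl show and ifconfig samples embedded in it are constructed, with made-up MAC addresses and a documentation-range IP; on the bridge host you would pass in the live command output as the comment near the end shows.

```shell
#!/bin/sh
# Added example, not code from the original page: check the results of the
# "brctl show" and "ifconfig" steps mechanically instead of by eye.
# All sample output below is constructed for the demonstration.

# bridge_ports BRIDGE BRCTL_OUTPUT
# Prints the member interfaces of BRIDGE, one per line. In "brctl show"
# output the first port shares the bridge's line and every further port
# sits alone on a continuation line.
bridge_ports() {
    printf '%s\n' "$2" | awk -v br="$1" '
        NR == 1 { next }                          # header line
        $1 == br { found = 1; if (NF >= 4) print $4; next }
        found && NF == 1 { print $1; next }       # continuation line
        { found = 0 }'
}

# bridge_stp BRIDGE BRCTL_OUTPUT
# Prints the "STP enabled" column for BRIDGE (yes/no), or nothing if absent.
bridge_stp() {
    printf '%s\n' "$2" | awk -v br="$1" 'NR > 1 && $1 == br { print $3 }'
}

# iface_has_ip IFACE IFCONFIG_OUTPUT
# Succeeds when the ifconfig stanza for IFACE carries an "inet addr:" line.
iface_has_ip() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        /^[[:alnum:]]/ { cur = $1 }               # stanza header in column 1
        cur == dev && /inet addr:/ { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# check_bridge BRIDGE BRCTL_OUTPUT IFCONFIG_OUTPUT PORT...
# Reports each deviation from the intended transparent-bridge state and
# returns 0 only when there are none.
check_bridge() {
    br="$1"; brctl_out="$2"; ifcfg_out="$3"; shift 3
    problems=0
    stp=$(bridge_stp "$br" "$brctl_out")
    if [ -z "$stp" ]; then
        echo "PROBLEM: bridge $br does not exist"
        problems=$((problems + 1))
    elif [ "$stp" != "no" ]; then
        echo "PROBLEM: STP is '$stp' on $br; the build steps turn it off"
        problems=$((problems + 1))
    fi
    for port in "$@"; do
        if ! bridge_ports "$br" "$brctl_out" | grep -qx "$port"; then
            echo "PROBLEM: $port is not a member of $br"
            problems=$((problems + 1))
        fi
        if iface_has_ip "$port" "$ifcfg_out"; then
            echo "PROBLEM: $port still has an IP address; bridge ports should have none"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed "brctl show" output in the same tab-separated layout as the real command.
SAMPLE_BRCTL=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\nbr0\t\t8000.00aabbccddee\tno\t\teth0\n\t\t\t\t\t\t\teth1')

# Constructed ifconfig output: eth0 is a clean port, eth1 was left with an
# address (the mistake the "Interface Preparation" section warns about).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:AA:BB:CC:DD:E0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:AA:BB:CC:DD:E1
          inet addr:192.0.2.5  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Live use on the bridge host (brctl and ifconfig on PATH):
#   check_bridge br0 "$(brctl show)" "$(ifconfig -a)" eth0 eth1
check_bridge br0 "$SAMPLE_BRCTL" "$SAMPLE_IFCONFIG" eth0 eth1 \
    || echo "bridge br0 is not in the intended state"
```

Run against the constructed samples it flags eth1's leftover address and nothing else; a port with an address is the usual reason a "transparent" bridge turns out to be reachable and answering on its own.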

TIP: I created a small script called 'bridge' to put this all together on boot. It looks like this.

#!/bin/sh

# Here we create the bridge, add the interfaces eth0 and eth1 to the bridge and turn off spanning tree
# (brctl stp needs the bridge name in front of the on/off setting)

brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 off

# We activate IP Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

# Bring up the bridging interface
ifconfig br0 up

# Then I use tcpdump to capture the traffic.
# -i br0 captures both sides of the bridge (without -i tcpdump picks the first interface it finds),
# options must come before the filter expression, the filter terms are joined with "and",
# and -C takes the rotation size in millions of bytes, so -C 1 rotates at about 1,000,000 bytes.

tcpdump -n -i br0 -C 1 -w /var/log/capture \
    'not arp and not port 53 and not port 67 and not port 68 and not port 110'


NOTE: I'm not capturing arp, a waste of time. Or port 53 (DNS); it's just noise, right? Or ports 67 and 68 (BOOTP). Or port 110 (pop3); this will grab all your clear text passwords, which you probably don't want to have lying around.

You may have other reasons to capture some of these or not capture some others but this is what's working for me.

There is also a "real" init script by djweisATinternetsolver.com from Internet Solver, located at http://www.sjdjweis.com/linux/bridging/bridge