I have a bridge set up between my physical Ethernet interface, eth0, and the virtual interface for OpenVPN, tap0. The bridge has an IP address, and the machine can be contacted on that IP address from either interface. However, I don’t know what to configure to get traffic flowing across the bridge, between the interfaces.
Is net.ipv4.ip_forward = 1 necessary to set for bridging, or is it just a setting required for routing?
How should I configure the FORWARD chain in iptables? Ideally only traffic between the interfaces should be forwarded, so that the machine cannot be used as a bounce point within the network.
Answers:
Method 1
You shouldn’t need to set the ip_forward = 1 unless the interface is acting as a NAT for the other devices, which shouldn’t be the case if you’ve set them up as a bridge.
Example
Here’s my KVM server setup, which has a bridge device, br0, with the physical Ethernet device, eth0, plus all the interfaces for the KVM guests.
$ brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.bcaec123c1e2       no              eth0
                                                        vnet0
                                                        vnet1
                                                        vnet2
                                                        vnet3
                                                        vnet4
                                                        vnet5
virbr0          8000.52540003f256       yes             virbr0-nic
So what’s wrong?
Based on your description it sounds like you don’t have routing rules to route the packets from one interface to the other.
Host with the bridge
$ ip route show
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.200
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev br0 scope link metric 1008
default via 192.168.1.1 dev br0
Host with NIC that’s member of bridge
$ ip route show
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.218
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.1.1 dev eth0
However, you’re likely running into an issue with mixing the tap0 device and the physical Ethernet device, eth0, into a bridge.
Tap devices in bridges
Given you’re using a TAP device, tap0, you’ll likely need to configure your firewall to allow these packets to flow back and forth over the bridge.
Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:
$ sudo iptables -A INPUT -i tap0 -j ACCEPT
$ sudo iptables -A INPUT -i br0 -j ACCEPT
$ sudo iptables -A FORWARD -i br0 -j ACCEPT
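The question asked for a FORWARD chain that lets traffic cross the bridge between tap0 and eth0 but nothing else. The following is an added example, not code from the question or the answer above, that generates such a ruleset as `iptables-restore` text for the page's br0 / eth0 / tap0 setup, alongside the permissive form the answer gives (an unconditional `-A FORWARD -i br0 -j ACCEPT`), and a small check that tells the two apart. It relies on two kernel facts: bridged frames only pass through the iptables FORWARD chain when `net.bridge.bridge-nf-call-iptables` is 1 (module `br_netfilter`), and the `physdev` match (`xt_physdev`) can restrict a FORWARD rule to a specific pair of bridge member ports. The function names, the `iptables-restore` default policies attributed to the answer, and the management ports (OpenVPN on UDP 1194, SSH on TCP 22) are assumptions; the page does not state which ports the host uses. Nothing here is applied to a running kernel; the script only emits text.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Emits sysctl settings and an iptables-restore ruleset for a host that
# bridges eth0 and tap0 into br0. Function names and the ports 1194/udp
# (OpenVPN) and 22/tcp (SSH) are assumptions for illustration.

# Pure layer-2 bridging: ip_forward stays 0 so the host never routes between
# IP subnets; bridge-nf-call-iptables=1 (br_netfilter) is what makes bridged
# frames traverse the FORWARD chain so the rules below take effect at all.
bridge_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.bridge.bridge-nf-call-iptables = 1
EOF
}

# bridge_forward_rules BRIDGE PHYS_IF TAP_IF
# FORWARD defaults to DROP. Only frames that enter on one bridge port and
# leave on the other are accepted; --physdev-is-bridged ensures the rule
# matches bridged frames only, never anything the host might route.
bridge_forward_rules() {
    br=$1; phys=$2; tap=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $br -p udp --dport 1194 -j ACCEPT
-A INPUT -i $br -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in $tap --physdev-out $phys -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-in $phys --physdev-out $tap -j ACCEPT
COMMIT
EOF
}

# permissive_rules BRIDGE TAP_IF
# The answer's three commands expressed in iptables-restore form, assuming the
# chains were at their ACCEPT defaults. Any frame arriving on the bridge is
# forwarded regardless of where it leaves.
permissive_rules() {
    br=$1; tap=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $tap -j ACCEPT
-A INPUT -i $br -j ACCEPT
-A FORWARD -i $br -j ACCEPT
COMMIT
EOF
}

# ruleset_is_restrictive: reads a ruleset on stdin and succeeds only if the
# FORWARD policy is DROP and every FORWARD rule is pinned to a pair of bridge
# member ports. A FORWARD rule without a physdev-in/out pair is the
# "bounce point" the question wants to avoid.
ruleset_is_restrictive() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep '^-A FORWARD' \
        | grep -v -- '--physdev-in .* --physdev-out' | grep -q . && return 1
    return 0
}

# Usage: print the settings and the restrictive ruleset for br0 / eth0 / tap0.
bridge_sysctl
bridge_forward_rules br0 eth0 tap0
```

The generated text is meant for `iptables-restore` (and `sysctl -p` for the first part) after review; applying it blindly on a host reached only over SSH is how one gets locked out, so keep the INPUT accepts in line with whatever management access the host actually needs.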
References
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.