Networking Forums

Can I bridge without a bridge?

 
 
buck
10-18-2004, 03:07 AM
Hi,

I'm not well tonight, so please cut me a little slack if this is
stupid.

The ISP has assigned a /29 network and there are presently 3 computers
each with its own external IP connected.

I want to insert a new computer that will do a bit of firewalling and
packet shaping, then forward the traffic. I wish iptables to only
DROP/REJECT, not SNAT/DNAT. I would describe this as "bridging
without a bridge" because ALL traffic should be forwarded, not just
certain ports.

I'm not good with ASCII art, but here's my attempt to describe what is
desired:

ISP
|
111.222.111.152/29 network
|
eth0
new Linux box
eth1
|
8 port ethernet switch
| | |
.154 .155 .156

Should I set up aliases on eth0? (I know "alias" is an outdated term,
but I can't think of the right term.) If so, how will packets get
forwarded? In other words, what - if any - additional "route"
commands must be issued? Please remember, no NAT...

If I shouldn't alias, what should be done? I tried proxyARP; it Just
Does Not Work, which I think is because there can be only one route
for a given IP/netmask.

gypsy
 
 
 
 
 
David Efflandt
10-18-2004, 06:04 PM
On Sun, 17 Oct 2004 20:07:37 -0700, buck <(E-Mail Removed)> wrote:
> Hi,
>
> I'm not well tonight, so please cut me a little slack if this is
> stupid.
>
> The ISP has assigned a /29 network and there are presently 3 computers
> each with its own external IP connected.
>
> I want to insert a new computer that will do a bit of firewalling and
> packet shaping, then forward the traffic. I wish iptables to only
> DROP/REJECT, not SNAT/DNAT. I would describe this as "bridging
> without a bridge" because ALL traffic should be forwarded, not just
> certain ports.
>
> I'm not good with ASCII art, but here's my attempt to describe what is
> desired:
>
> ISP
> |
> 111.222.111.152/29 network
> |
> eth0
> new Linux box
> eth1
> |
> 8 port ethernet switch
> | | |
> .154 .155 .156
>
> Should I set up aliases on eth0? (I know "alias" is an outdated term,
> but I can't think of the right term.) If so, how will packets get
> forwarded? In other words, what - if any - additional "route"
> commands must be issued? Please remember, no NAT...
>
> If I shouldn't alias, what should be done? I tried proxyARP; it Just
> Does Not Work, which I think is because there can be only one route
> for a given IP/netmask.


Your mistake with proxy_arp was probably the netmask for eth0 interface
or conflicting/missing routing for eth1 hosts.

Your eth0 should be configured with netmask 255.255.255.255, broadcast
same as IP, host route to the gateway on eth0, and default route to that
gateway.

Then your eth1 could use the same IP as eth0, netmask 255.255.255.248.
Your public boxes on private side would use your eth0/eth1 IP as gateway.

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

Then it should work, with eth0 answering incoming arp requests for your
IPs on eth1. I am doing something similar with a /29 wireless subnet of
my main /24 LAN. Although I set proxy_arp in my main network scripts
(which works during boot), something occasionally tends to clear proxy_arp
to zero (maybe my pppoe reconnecting when dropped).

ISP
|
111.222.111.152/32, host route to ISP gw, default to gw
|
eth0 proxy_arp enabled
new Linux box
eth1
|
111.222.111.152/29
|
8 port ethernet switch
| | |
.154 .155 .156

 
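The layout David describes above, written out as a small POSIX shell script. This is an added example, not code from anyone in this thread. Interface names, the 206.72.89.152/29 block, the .158 box address and the .153 gateway are taken from buck's later post; APPLY=1 is an assumed switch that exists only in this script. By default it prints the ip and sysctl commands instead of running them, and it refuses to proceed if the gateway is not inside the /29 it was given. Note that `ip route add ADDR dev IF` with no prefix length installs a /32 host route, the same thing `route add -host` does.

```shell
#!/bin/sh
# Added example: proxy-ARP forwarding box for a routed /29, as described in
# the thread. Not code from the thread's authors. APPLY=1 is an assumed
# switch for this script only; without it the commands are printed, not run.

# Dotted quad -> 32-bit integer
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (1..32) -> dotted netmask, e.g. 29 -> 255.255.255.248
prefix_to_netmask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Directed broadcast for IP/prefix; for a /32 this is the address itself
broadcast_addr() {
    int_to_ip $(( $(ip_to_int "$1") | ((1 << (32 - $2)) - 1) ))
}

# True when both addresses fall inside the same prefix
same_network() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Emit the commands: the WAN side gets the box's IP as a /32 plus a host route
# to the gateway; the LAN side gets the same IP with the real /29 mask;
# proxy_arp on the WAN side answers ARP for the LAN hosts; ip_forward moves
# the packets. Arguments: wan_if lan_if box_ip prefix gateway_ip
proxyarp_commands() {
    wan=$1 lan=$2 ip=$3 prefix=$4 gw=$5
    if ! same_network "$ip" "$gw" "$prefix"; then
        echo "gateway $gw is not inside $ip/$prefix" >&2
        return 1
    fi
    cat <<EOF
ip addr flush dev $wan
ip addr flush dev $lan
ip addr add $ip/32 broadcast $(broadcast_addr "$ip" 32) dev $wan
ip addr add $ip/$prefix broadcast $(broadcast_addr "$ip" "$prefix") dev $lan
ip link set $wan up
ip link set $lan up
ip route add $gw dev $wan
ip route add default via $gw dev $wan
sysctl -w net.ipv4.conf.$wan.proxy_arp=1
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Defaults are the addresses from buck's post; override them on the command line.
if [ "${APPLY:-0}" = 1 ]; then
    proxyarp_commands "${1:-eth0}" "${2:-eth1}" "${3:-206.72.89.158}" "${4:-29}" "${5:-206.72.89.153}" |
    while IFS= read -r cmd; do echo "+ $cmd"; sh -c "$cmd"; done
else
    proxyarp_commands "${1:-eth0}" "${2:-eth1}" "${3:-206.72.89.158}" "${4:-29}" "${5:-206.72.89.153}"
fi
```

Run it with no arguments to see the command list for buck's addresses; `APPLY=1 sh proxyarp.sh eth0 eth1 206.72.89.158 29 206.72.89.153` (as root) applies them. Flushing both interfaces first avoids exactly the leftover-route situation David warns about: a stale /29 on the WAN side would leave two routes for the same prefix.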
 
Moe Trin
10-19-2004, 12:21 AM
In article <(E-Mail Removed)>, buck wrote:

>I want to insert a new computer that will do a bit of firewalling and
>packet shaping, then forward the traffic. I wish iptables to only
>DROP/REJECT, not SNAT/DNAT. I would describe this as "bridging
>without a bridge" because ALL traffic should be forwarded, not just
>certain ports.


Well, you almost hit the right words. The one you are missing is
"transparent", and this is covered in the bridging howtos.

[compton ~]$ grep -il transpa /usr/doc/HOWTO/Bridge*
/usr/doc/HOWTO/Bridge+Firewall+DSL
/usr/doc/HOWTO/Bridge
[compton ~]$

>Should I set up aliases on eth0? (I know "alias" is an outdated term,


Nope - a transparent bridge has no IP addresses - it just passes
packets from one interface to the other.

>If I shouldn't alias, what should be done? I tried proxyARP; it Just
>Does Not Work, which I think is because there can be only one route
>for a given IP/netmask.


Right concept. If you have two routes to a place, which one do you use?
The bridge gets around this.

Old guy

 
 
buck
10-19-2004, 02:26 AM
(E-Mail Removed) (David Efflandt) wrote in
news:(E-Mail Removed):

> Your mistake with proxy_arp was probably the netmask for eth0 interface
> or conflicting/missing routing for eth1 hosts.
>
> Your eth0 should be configured with netmask 255.255.255.255, broadcast
> same as IP, host route to the gateway on eth0, and default route to that
> gateway.
>
> Then your eth1 could use the same IP as eth0, netmask 255.255.255.248.
> Your public boxes on private side would use your eth0/eth1 IP as gateway.
>
> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>
> Then it should work, with eth0 answering incoming arp requests for your
> IPs on eth1. I am doing something similar with a /29 wireless subnet of


> ISP
> |
> 111.222.111.152/32, host route to ISP gw, default to gw
> |
> eth0 proxy_arp enabled
> new Linux box
> eth1
> |
> 111.222.111.152/29
> |
> 8 port ethernet switch
> | | |
> .154 .155 .156


No Joy. The GW is 153. Only an unused IP (157 or 158) can be used for
eth0. Do you see what I've done wrong? (Do you need a description of
WBTH/WGTFTH?):

#!/bin/bash -x

# This does I/O and does not generate any errors.
# However, proxyARP doesn't work.

/usr/sbin/firewall.sh stop # Set Policy ACCEPT, Flush
ifconfig eth1 down
ifconfig eth0 down
ifconfig lo down
modprobe -r 3c59x
modprobe -r 8139too
ifconfig lo 127.0.0.1

modprobe 8139too
ifconfig eth0 206.72.89.158 broadcast 206.72.89.158 \
    netmask 255.255.255.255

modprobe 3c59x
ifconfig eth1 206.72.89.158 broadcast 206.72.89.159 \
    netmask 255.255.255.248

ip route add 206.72.89.153 dev eth0
route add default gw 206.72.89.153
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 >/proc/sys/net/ipv4/ip_forward
# The above purportedly will answer arp requests for all IPs on eth1
iptables -A FORWARD -j LOG

FWIW, 154 155 and 156 all use the same 'ifconfig eth1' and 'default gw'
entries, identical except for IP. I "wrapped" the long lines for posting.

gypsy
"WBTH/WGTFTH" copyright the author.

 
 
David Efflandt
10-20-2004, 02:26 PM
On Tue, 19 Oct 2004 02:26:02 GMT, buck <(E-Mail Removed)> wrote:
> (E-Mail Removed) (David Efflandt) wrote in
> news:(E-Mail Removed):
>
>> Your mistake with proxy_arp was probably the netmask for eth0 interface
>> or conflicting/missing routing for eth1 hosts.
>>
>> Your eth0 should be configured with netmask 255.255.255.255, broadcast
>> same as IP, host route to the gateway on eth0, and default route to that
>> gateway.
>>
>> Then your eth1 could use the same IP as eth0, netmask 255.255.255.248.
>> Your public boxes on private side would use your eth0/eth1 IP as gateway.
>>
>> echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>>
>> Then it should work, with eth0 answering incoming arp requests for your
>> IPs on eth1. I am doing something similar with a /29 wireless subnet of

>
>> ISP
>> |
>> 111.222.111.152/32, host route to ISP gw, default to gw


I thought that IP referred to your eth0 IP, but on further examination and
details it is actually your network IP, which on your ISP's modem/router's
internal side would apparently be .153/255.255.255.248 (to reach all your
IPs), if it has no way to set more specific internal routing.

The reason for the 255.255.255.255 netmask on Linux eth0 is because the only
route in that direction from Linux would be a -host route to .153 and the
default gw .153.

>> |
>> eth0 proxy_arp enabled
>> new Linux box
>> eth1
>> |
>> 111.222.111.152/29
>> |
>> 8 port ethernet switch
>> | | |
>> .154 .155 .156

>
> No Joy. The GW is 153. Only an unused IP (157 or 158) can be used for
> eth0. Do you see what I've done wrong? (Do you need a description of
> WBTH/WGTFTH?):


I do not know what WBTH/WGTFTH refers to.

>|#!/bin/bash -x
>|
>|# This does I/O and does not generate any errors.
>|# However, proxyARP doesn't work.
>|
>|/usr/sbin/firewall.sh stop # Set Policy ACCEPT, Flush
>|ifconfig eth1 down
>|ifconfig eth0 down
>|ifconfig lo down
>|modprobe -r 3c59x
>|modprobe -r 8139too
>|ifconfig lo 127.0.0.1
>|
>|modprobe 8139too
>|ifconfig eth0 206.72.89.158 broadcast 206.72.89.158 \
>|netmask 255.255.255.255
>|
>|modprobe 3c59x
>|ifconfig eth1 206.72.89.158 broadcast 206.72.89.159 \
>|netmask 255.255.255.248
>|
>|ip route add 206.72.89.153 dev eth0


I am not familiar with "ip route", is that the same as "route add -host"
(ie, how does ip route know if adding a host or net route)?

>|route add default gw 206.72.89.153


Not sure if the ip_forward needs to be done before the proxy_arp (or if
it matters).

>|echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>|echo 1 > /proc/sys/net/ipv4/ip_forward
>|# The above purportedly will answer arp requests for all IPs on eth1
>|iptables -A FORWARD -j LOG
>
> FWIW, 154 155 and 156 all use the same 'ifconfig eth1' and 'default gw'
> entries, identical except for IP. I "wrapped" the long lines for posting.
>
> gypsy
> "WBTH/WGTFTH" copyright the author.


Can Linux reach all of the .153 gateway and .154 .155 .156? The only
thing I can think of offhand is if ip route is setting a net instead of
host route. But that should be easy enough to tell from route -n.
 
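A quick way to do the route -n check David ends on. This is an added shell script, not code from anyone in the thread; the two routing tables in it are constructed samples, not captured from any machine. One table is laid out the way David describes (host route to .153 on eth0, the /29 only on eth1, default via .153); the other has the /29 added as a net route on eth0 as well, so the same prefix is reachable through two interfaces, which is the one-route-per-prefix problem buck and Moe Trin point at. route_kind reports whether a destination has a host route (Genmask 255.255.255.255), ambiguous_routes lists any destination/mask pair present on more than one interface, and LIVE_CHECK=1 is an assumed switch, specific to this script, that runs the same checks against the host's real table.

```shell
#!/bin/sh
# Added example: sanity checks over `route -n` output for the proxy-ARP setup
# discussed in the thread. Not code from the thread's authors. Both routing
# tables below are constructed samples.

# Constructed sample: the layout David describes
GOOD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
206.72.89.153   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
206.72.89.152   0.0.0.0         255.255.255.248 U     0      0        0 eth1
0.0.0.0         206.72.89.153   0.0.0.0         UG    0      0        0 eth0'

# Constructed sample: the failure David suspects, a net route to the /29 on
# eth0 instead of a host route, so the prefix is now reachable two ways and
# there is no host route to the gateway at all
BAD_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
206.72.89.152   0.0.0.0         255.255.255.248 U     0      0        0 eth0
206.72.89.152   0.0.0.0         255.255.255.248 U     0      0        0 eth1
0.0.0.0         206.72.89.153   0.0.0.0         UG    0      0        0 eth0'

# route_kind TABLE DEST -> "host" (Genmask 255.255.255.255), "net" or "missing"
route_kind() {
    printf '%s\n' "$1" | awk -v d="$2" '
        NR > 2 && $1 == d { kind = ($3 == "255.255.255.255") ? "host" : "net"
                            print kind; found = 1; exit }
        END { if (!found) print "missing" }'
}

# ambiguous_routes TABLE -> one line "DEST/GENMASK IFACE1 IFACE2" for each
# destination+mask that appears on more than one interface; empty when clean
ambiguous_routes() {
    printf '%s\n' "$1" | awk '
        NR > 2 { key = $1 "/" $3
                 if (key in seen) print key, seen[key], $8; else seen[key] = $8 }'
}

# check_table TABLE GATEWAY: succeeds only when the gateway has a host route
# and no prefix is claimed by two interfaces
check_table() {
    kind=$(route_kind "$1" "$2")
    dups=$(ambiguous_routes "$1")
    if [ "$kind" != host ]; then
        echo "gateway $2 route is '$kind', expected a host route" >&2
        return 1
    fi
    if [ -n "$dups" ]; then
        echo "prefix reachable via more than one interface:" >&2
        echo "$dups" >&2
        return 1
    fi
    return 0
}

# LIVE_CHECK=1 (assumed switch for this script) checks this host's own table
if [ "${LIVE_CHECK:-0}" = 1 ]; then
    check_table "$(route -n)" "${1:-206.72.89.153}" && echo "routing table looks right"
else
    check_table "$GOOD_TABLE" 206.72.89.153 && echo "sample table: ok"
    check_table "$BAD_TABLE" 206.72.89.153 || echo "sample bad table: rejected as expected"
fi
```

The check only looks at what route -n shows, so it cannot tell whether proxy_arp is actually set; pair it with `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp`, since David notes that value can be reset behind your back.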
 
 
 