[Bridge] Linux Bridge + NAT + firewall

Sebastian Tabarce blue_moon_ro at yahoo.com
Mon Apr 30 06:23:03 PDT 2007

Hello everybody!

I'm trying to set up at home a Linux router for me and my 3 friends. Basically I had some spare network cards around and that is why I have not bought a switch or a router. Also, all of us are rarely at home at the same time, so bandwidth will not be a problem. And I thought it would be fun to try to make this work in Linux. However, I've hit a dead end.

This is my problem:
- I have a spare computer running CentOS 5 (RHEL 5 clone) with 5 network cards
- we have an internet connection via a cable modem. The cable modem is linked at eth4 to the above computer, which will be set up as a router.
- all the computers in the house are linked to the same above computer to eth0...eth3.
I did the following:
- I'm using dhclient to obtain an IP for eth4 via DHCP. The internet connection works on this computer; I am able to navigate, etc. I had to spoof the MAC address of eth4 since the MAC of one of the other computers was registered at our ISP. (Yes, I could have exchanged the network cards, if it hadn't been a laptop....)
- I used bridge-utils to configure a bridge composed of eth0...eth3

my rc.local:

#create bridge

brctl addbr br0
brctl stp br0 off
brctl addif br0 eth0
brctl addif br0 eth3
# the address arguments of the next three lines are missing from the archived message
ifconfig eth0
ifconfig eth3
ifconfig br0 netmask up

#spoof MAC and get DHCP IP address on eth4
ifconfig eth4 down
# "hw ether" takes a 6-octet MAC
ifconfig eth4 hw ether xx:xx:xx:xx:xx:xx
ifconfig eth4 up
dhclient eth4

iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
# "-o" is not valid in the INPUT chain; return traffic for the LAN is routed, so it goes through FORWARD
iptables -A FORWARD -i eth4 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# routed packets from the LAN arrive on the bridge interface br0, not on the member port eth0
iptables -A FORWARD -i br0 -o eth4 -j ACCEPT

- the other computers also have IPs in the 192.168.0.xxx range with set as gateway and DNS and are running Windows and linux.

My question is: how do I masquerade all 4 computers linked to br0 and make them connect to the internet using my cable modem connection on eth4?
I tried using iptables but could not obtain a result so far. IP forwarding is enabled in /etc/sysctl.conf.
I'm thinking of refining afterwards the rules to have a true firewall, but first I need a working NAT.....

Thanks a lot,
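For reference, an added example that is not part of the original post: a dry-run generator for the rule set this topology needs (LAN ports bridged as br0, WAN on eth4, a LAN prefix of 192.168.0.0/24 assumed as a placeholder), with a default-deny INPUT/FORWARD policy and an explicit rule for bridged LAN-to-LAN traffic in case bridge-nf-call-iptables is enabled.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables commands
# for a bridge + NAT router; run with "apply" as first argument to execute.
LAN_BR=br0                 # bridge holding eth0..eth3
WAN_IF=eth4                # interface facing the cable modem
LAN_NET=192.168.0.0/24     # assumed LAN prefix (placeholder)

gen_rules() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $lan -s $net -j ACCEPT
iptables -A FORWARD -i $lan -o $lan -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}
# The INPUT rule for udp 67->68 keeps dhclient on the WAN side working under
# the DROP policy; the "-i br0 -o br0" FORWARD rule keeps LAN hosts talking
# to each other when bridged frames are also passed through iptables.

# Number of iptables commands produced (used for a self-check).
rule_count() { gen_rules "$@" | grep -c '^iptables'; }

if [ "$1" = "apply" ]; then
    gen_rules "$LAN_BR" "$WAN_IF" "$LAN_NET" | sh -e
else
    gen_rules "$LAN_BR" "$WAN_IF" "$LAN_NET"
fi
```

Without "apply" the script only prints the commands, so the rule set can be reviewed before it touches a live router.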
