
Re: iptables / bridge mode


On Sun, Jan 19, 2003 at 11:40:14PM +0100, Brian Josefsen wrote:

> I needed to set up a firewall after the network was taken into production,
> so I decided to go bridge mode in order to make the integration
> completely transparent (except for the 30 seconds for the box to learn
> the routing tables and 5 secs to move the plug).

Don't forget the ARP table cache; it takes some time to expire, and at
least the router your ISP installed at your site will make some trouble
with this, which means a host which had a connection open won't regain it as
fast as you might expect.

> But it's very hard out there to find any good example scripts, and I
> would really love some more input on it, so in case anyone out there has
> some nifty scripts I would be glad to see them.

You will need to set the same IP on both interfaces, then delete the
network route on the one heading to your router.
Add a host route to the router on the interface it is connected to, then set
all /proc/sys/net/ipv4/conf/eth*/proxy_arp entries to 1, and finally
load your active iptables script.

Don't forget that the relevant chain for your firewall is the forward one
in the filter table.

You may want to automate this by putting a shell script in
/proc/network/if-up.d/ and activating the iptables init.d script.

Frederik Schüler
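The bring-up sequence described in the reply above, written out as a shell script; this is an added example, not from the original mail. Interface names, the 192.0.2.x addresses and the rules-script path are constructed placeholders, and iproute2 `ip` plus `sysctl` are used in place of the ifconfig/route commands of the period.

```shell
#!/bin/sh
# Transparent "proxy ARP" firewall bring-up, following the five steps in the
# mail above. Added example, not from the original post. Interface names,
# addresses (RFC 5737 documentation range) and the rules-script path are
# constructed placeholders; iproute2 "ip" and "sysctl" replace ifconfig/route.
# DRY_RUN=1 (default) only prints the commands; run as root with DRY_RUN=0 to apply.

INSIDE_IF=${INSIDE_IF:-eth0}          # towards the LAN
OUTSIDE_IF=${OUTSIDE_IF:-eth1}        # towards the ISP router
FW_IP=${FW_IP:-192.0.2.10}            # one address, configured on both interfaces
LAN_NET=${LAN_NET:-192.0.2.0/24}      # the shared network prefix
ROUTER_IP=${ROUTER_IP:-192.0.2.1}     # ISP router on the outside link
IPTABLES_SCRIPT=${IPTABLES_SCRIPT:-/etc/firewall/rules.sh}
DRY_RUN=${DRY_RUN:-1}

run() {
    # Print each command; execute it only when DRY_RUN is 0.
    echo "$*"
    [ "$DRY_RUN" = 0 ] && "$@"
    return 0
}

proxy_arp_firewall() {
    prefixlen=${LAN_NET#*/}
    # 1. Same IP on both interfaces (the kernel adds a network route on each).
    run ip addr add "$FW_IP/$prefixlen" dev "$INSIDE_IF"
    run ip addr add "$FW_IP/$prefixlen" dev "$OUTSIDE_IF"
    # 2. Remove the network route on the router-facing side, so the LAN prefix
    #    is reached only through the inside interface.
    run ip route del "$LAN_NET" dev "$OUTSIDE_IF"
    # 3. Host route to the router on the interface it is plugged into.
    run ip route add "$ROUTER_IP/32" dev "$OUTSIDE_IF"
    # 4. Answer ARP on behalf of hosts on the other side, on both interfaces
    #    (the mail's /proc/sys/net/ipv4/conf/eth*/proxy_arp set to 1).
    for dev in "$INSIDE_IF" "$OUTSIDE_IF"; do
        run sysctl -w "net.ipv4.conf.$dev.proxy_arp=1"
    done
    # 5. Load the active ruleset; traffic crossing the box is filtered in the
    #    FORWARD chain of the filter table.
    run sh "$IPTABLES_SCRIPT"
    # Neighbours keep the old MAC in their ARP caches until it expires, so open
    # connections through the router may stall briefly after the swap.
}

proxy_arp_firewall
```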
