I have been using the bridge code with
success to bridge and filter packets. However, the bridge interface, itself,
seems to have difficulty being a network interface for the bridge machine. For
example, it's possible to SSH into one of the interfaces on the machine, but not
the other!
My configuration is:
                       +++++++++++++++++        +------ xxx.yy.110.26
 (xxx.yy.110.17)       +               +        |
<external net>         +               +        |
 -----[ROUTER]-------->+ eth1     eth0 +<-------+------ xxx.yy.110.27
                       +               +        |
                       +     (br0)     +        +------ xxx.yy.110.29
                       +               +        |
                       +++++++++++++++++        +------ xxx.yy.110.28
When the machine (br0) comes up, it only has eth0 up, with an address of
xxx.yy.110.20. My script to bring up the bridge is as follows:
#!/bin/sh
# Bring up br0 as the bridge between eth0 and eth1 and as this machine's
# own IP interface. Firewall rules are loaded before br0 is brought up.

echo -n "Removing previous bridge:"
# Remove the old bridge if there is one (errors are harmless on first run).
/sbin/ifconfig br0 down
/usr/local/sbin/brctl delif br0 eth0
/usr/local/sbin/brctl delif br0 eth1
/usr/local/sbin/brctl delbr br0

# Put it back up: the physical ports carry no address, br0 does.
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0
/usr/local/sbin/brctl addbr br0
/usr/local/sbin/brctl show
/usr/local/sbin/brctl addif br0 eth0
/usr/local/sbin/brctl addif br0 eth1
/sbin/ifconfig br0 xxx.yy.110.20 netmask xxx.255.255.240
# Keep br0 down until the firewall rules are in place.
/sbin/ifconfig br0 down

echo -n "putting in firewall rules"
# Do not bring up the interface if loading the rules failed.
if ! sh -x /etc/sysconfig/put_in_firewall; then
    echo "firewall rules failed to load; leaving br0 down" >&2
    exit 1
fi
/sbin/ifconfig br0 up

# The default route can only be added once br0 is up: while br0 is down the
# gateway is not reachable through any interface and 'route add' fails.
/sbin/route add default gw xxx.yy.110.17
With or without the firewall rules in, I can SSH into xxx.yy.110.20 from the
INTERNAL network (eth0), but not from the external network (eth1). I can ping
machines on our internal network from OUTSIDE the network. I cannot ping the
xxx.yy.110.20 machine from outside the network.
Using tcpdump, I can see packets coming into eth1 for xxx.yy.110.20 from
outside (tcpdump -i eth1 ip proto \\icmp). I don't, however, see any replies
from xxx.yy.110.20.
Has anyone else encountered this, or does anyone know of a workaround?
Thanks,
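The checks below are an added example, not the poster's script or anything from the bridge project. They turn the diagnosis steps in the post (is br0 really the host's interface, is it up, does the default route leave through br0 rather than a bare port, and do ICMP replies actually come out for the requests seen on eth1) into small POSIX sh functions. Each function reads the text output of the corresponding admin command on stdin, so it can be run on captured output as well as live; the addresses 192.0.2.x and 198.51.100.x and the names br0, eth0, eth1 are assumed placeholders for the xxx.yy.110.x hosts in the post.

```shell
#!/bin/sh
# check_bridge.sh: sanity checks for a Linux bridge that is also the host's
# own IP interface (added example, not part of the original post).
# All addresses and interface names are assumed placeholders.

# bridge_has_ports BRIDGE PORT...  <  output of `brctl show`
# Succeeds only when every named PORT is listed under BRIDGE.
bridge_has_ports() {
    bridge=$1; shift
    ports=$(awk -v br="$bridge" '
        NR == 1 { next }                                   # header line
        NF >= 3 { cur = $1; if (NF == 4 && cur == br) print $4; next }
        NF == 1 && cur == br { print $1 }                  # continuation lines
    ')
    for want in "$@"; do
        echo "$ports" | grep -qx "$want" || { echo "missing port: $want" >&2; return 1; }
    done
    return 0
}

# iface_is_up  <  output of `ifconfig IFACE`
# Succeeds when the UP flag is present; accepts both the old
# "UP BROADCAST RUNNING" line and the newer "flags=...<UP,BROADCAST,...>" form.
iface_is_up() {
    grep -Eq '(^|[^A-Z])UP([^A-Z]|$)'
}

# has_default_route GATEWAY IFACE  <  output of `route -n`
# Succeeds when the default route via GATEWAY leaves through IFACE. With the
# bridge as the host interface this must be br0, not an address-less port.
has_default_route() {
    awk -v gw="$1" -v dev="$2" '
        $1 == "0.0.0.0" && $2 == gw && $NF == dev { found = 1 }
        END { exit !found }'
}

# echo_reply_count HOST  <  output of `tcpdump -n -i IFACE icmp`
# Prints "requests=N replies=M" for echo traffic to/from HOST and fails when
# requests arrived but no reply left the host (the symptom in the post).
# HOST is used as a regex, so its dots match any character; fine for a check.
echo_reply_count() {
    awk -v h="$1" '
        tolower($0) ~ /echo request/ && $0 ~ ("> " h ":") { req++ }
        tolower($0) ~ /echo reply/   && $0 ~ (" " h " >") { rep++ }
        END { printf "requests=%d replies=%d\n", req, rep; exit (req > 0 && rep == 0) }'
}

# Live run (needs root):  sh check_bridge.sh --live br0 192.0.2.17 eth0 eth1
check_bridge() {
    br=$1; gw=$2; shift 2
    brctl show | bridge_has_ports "$br" "$@" &&
    ifconfig "$br" | iface_is_up &&
    route -n | has_default_route "$gw" "$br"
}

case "${1:-}" in
    --live) shift; check_bridge "$@" ;;
esac
```

When run with `--live` the script exits non-zero at the first failed check and names the missing port; the tcpdump check is kept separate because it needs a capture taken while pings are sent from outside.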