doublehp Guru
Joined: 11 Apr 2005 Posts: 473 Location: FRANCE
Posted: Sat Jun 07, 2008 4:19 pm Post subject: [SOLVED] How to setup transparent bridging using iptables ?
I need to setup transparent bridging using iptables, on a computer where some network cards do not support brctl. I know some people can do it, but I can not find any tutorial. Can anyone help me?
_________________
DEMAINE Benoît-Pierre (aka DoubleHP) http://www.demaine.info/
>o_/ Coin coin coin \_o<
to contact me (MSN, ICQ, JABBER, Skype ...) http://benoit.demaine.info/contact.png
Last edited by doublehp on Wed Jul 30, 2008 2:20 pm; edited 1 time in total
doublehp Guru
Joined: 11 Apr 2005 Posts: 473 Location: FRANCE
Posted: Sat Jul 12, 2008 11:40 pm Post subject:
Applied to my Debian, here is the resulting /etc/network/interfaces
Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.0.203
    netmask 255.255.255.0
    post-up beep
    post-up sleep 1

auto wlan0_rename
iface wlan0_rename inet static
    wireless-mode managed
    wireless-essid benoit@demaine.info 40 grand r
    wireless-key 0123-4567-89
    wireless-sens 2
    address 192.168.0.204
    netmask 255.255.255.0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up sleep 1
    post-up ifconfig eth0 0.0.0.0 up
    # post-up ifconfig eth1 0.0.0.0 up
    post-up ifconfig wlan0_rename 0.0.0.0 up
    post-up brctl addbr br0
    post-up brctl addif br0 eth0
    # brctl addif br0 eth1
    post-up brctl addif br0 wlan0_rename
    post-up ifconfig br0 192.168.0.203
    post-up ifconfig br0:1 192.168.0.204
    post-up ebtables -t nat -F
    post-up ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08 --snat-arp
    # also try WITHOUT --snat-arp if needed:
    # post-up ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08
    post-up ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5B:91:56:08
    post-up route add default gw 192.168.0.1
    post-up (echo -e "\t* sleeping 16s ... waiting for bridge to build ..." ; sleep 16 ; beep -f 2000 -l 50 -r 3 ; echo -e "\t* bridge ready !!!" ; ) &
This assumes the machine just booted. If it's not the case, here is a way to clean your rules:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t filter
iptables -F -t mangle
iptables -F -t raw
ebtables -t filter -F
ebtables -t nat -F
ebtables -t broute -F
Key points:
- establish the wifi link first; it's way harder for the driver to join a node after the bridge is up
- echo 1 > /proc/sys/net/ipv4/ip_forward ; you may need similar things for IPv6; I don't have IPv6 yet.
- ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5B:91:56:08
- ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5B:91:56:08
where the MAC address is the MAC of the bridge. If you try to fix the bug of wifi cards/drivers not supporting spoofing (changing the MAC on the fly), you need to use it as the MAC for the bridge, or here in the ebtables rules. If you use several cards that don't support spoofing, you will have to write more clever rules, likely using -o interface for each specific card.
This is far from even a "good" script: all packets are transmitted on both sides, even when not necessary. Furthermore, I have at the moment a Windows laptop on the wifi side, and it complains it can't get a free IP, and that the attributed IP is already in use. This is because just after the DHCP delivers an IP, Windows tries to ping it to check if it is free; to this ping, the bridge will answer a valid ARP reply, because the queried IP could be a host on its wired side ... that's the aim of the last rule ... and this rule prevents DHCP from working correctly. So, for now, this works fine only with static addressing.
Still, I have unified both sides of my network using software bridging, so the main part of the problem is solved.
References:
- http://lists.shmoo.com/pipermail/hostap/2005-January/009412.html
- http://wiki.xensource.com/xenwiki/XenWifi
- http://www.linuxfoundation.org/en/Net:Bridge#It_doesn.27t_work_with_my_Wireless_card.21
- http://www.atomicmpc.com.au/forums.asp?s=2&c=16&t=4705
- http://ebtables.sourceforge.net/examples.html#real (see examples in the main page, and the links at the bottom)
Commands that can be useful for debugging:
- ip addr show
- tcpdump -veni eth0 icmp
- tcpdump -veni eth1 arp
doublehp Guru
Joined: 11 Apr 2005 Posts: 473 Location: FRANCE
Posted: Wed Jul 30, 2008 2:19 pm Post subject:
Works at last.
Question was: I have cheap hardware, and want to build a Wifi access point: I need to do transparent bridging between eth0 and wlan1.
Bad point for me (technical issue) was: after a few tests, as for many other people, my wifi card does not seem to enjoy brctl at all. I have an MA311, that is said to work for other people, but for me, brctl does not work nicely. Maybe it is a firmware issue.
This trick allowed me to get a working network, the "bad" way:
Code:
ifconfig eth0 192.168.0.205
iwconfig wlan1 mode managed
iwconfig wlan1 essid benoit
iwconfig wlan1 key 0123-4567-89
iwconfig wlan1 sens 2
ifconfig wlan1 192.168.0.206
echo 1 > /proc/sys/net/ipv4/ip_forward
sleep 1
ifconfig eth0 0.0.0.0 up
ifconfig wlan1 0.0.0.0 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan1
ifconfig br0 192.168.0.205
ifconfig br0:1 192.168.0.206
sleep 1
ebtables -t nat -F
ebtables -t nat -A POSTROUTING -j snat --to-source 00:09:5b:48:d6:ab --snat-arp
ebtables -t nat -A PREROUTING -p arp -j arpreply --arpreply-mac 00:09:5b:48:d6:ab
route add default gw 192.168.0.1
(echo -e "\t* sleeping 16s ... waiting for bridge to build ..." ; sleep 16 ; beep -f 2000 -l 50 -r 3 ; echo -e "\t* bridge ready !!!" ; ) &
Advantage of this: ARP gets answered nicely, and all frames go through as wanted.
Bad point: the router answers all ARP requests, meaning it virtually owns all IPs (even those outside the network), so that when machines like DHCP, Windows and Linux check if an IP is free before using it, the router already uses it, and no IP is ever free.
My actual solution, which works way better:
Code:
ifconfig eth0 192.168.0.205 netmask 255.255.255.255
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
iwconfig wlan1 mode managed
iwconfig wlan1 essid benoit
iwconfig wlan1 key 0123-4567-89
iwconfig wlan1 sens 2
ifconfig wlan1 192.168.0.206 netmask 255.255.255.255
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/wlan1/proxy_arp
sleep 1
parprouted -d eth0 wlan1 &
while true
do
    echo "Waiting for default route to go away ..."
    # match the default route exactly: an unanchored grep "0.0.0.0"
    # would also match a 10.0.0.0 network route
    while route -n | cut -d " " -f1 | grep -q '^0\.0\.0\.0$'
    do
        sleep 1
    done
    echo "Trying to add default route ... until it's here."
    until route -n | cut -d " " -f1 | grep -q '^0\.0\.0\.0$'
    do
        # ping the gateway first so its MAC is in the ARP cache before adding the route
        /bin/ping -c1 -w1 192.168.0.1 >/dev/null 2>&1
        sleep 1
        /sbin/route add default gw 192.168.0.1
        sleep 1
    done
    /bin/echo "* Added default route"
done
Of course, the last part can not be encoded in the system conf file for the network; it has to be put in an independent script.
It has to be a double loop, in case we lose the default route (I am 99,999% sure there are cases where we can lose it, if we lose its MAC, which could happen if, during a reboot of the gateway, we expire the timeout of the ARP cache).
This relies on the ability of parprouted to automatically update routes in the kernel (see reference below): use /32 masks, and hope for the best. Just assign any IP to each interface, in any network, and apply the 255.255.255.255 mask.
Minus: discovery takes time: it can take up to 12s from experience; it means, when you try to reach a machine for the first time, you are likely to have loss and errors at the beginning. Having a machine down for longer than the ARP timeout will be a problem. Trying to reach an IP that is not up will flood parprouted queues.
But once we have found where an IP is, everything seems stable (because parprouted refreshes ARP before the timeout, so that they never expire).
***
Problems yet to fix:
- add DHCP relay
- check that IPv6 goes through
References:
http://lists.shmoo.com/pipermail/hostap/2005-January/009412.html => means brctl can work on MA311
http://www.atomicmpc.com.au/forums.asp?s=2&c=16&t=4705
MA311 as Master
http://ebtables.sourceforge.net/examples.html#real ebtables examples
http://www.linuxfoundation.org/en/Net:Bridge#It_doesn.27t_work_with_my_Wireless_card.21 says that it is common for a wifi card to not work with brctl
http://wiki.xensource.com/xenwiki/XenWifi
the first guide saying that ebtables can be used to fix this kind of MAC problem
http://osdir.com/ml/network.bridge.ebtables.user/2005-03/msg00012.html
ebtables to iptables on a transparent bridge
http://freshmeat.net/articles/view/1433/
http://wiki.openwrt.org/OpenWrtDocs/WhiteRussian/TransparentFirewall
more scripts
http://lartc.org/howto/lartc.bridging.proxy-arp.html
proxyarp
http://tldp.org/HOWTO/Wireless-HOWTO-5.html
the page that says parprouted creates automatically routes for any discovered machine, so that, in the end, we can assign to the machine any IP with the mask /32.
http://www.faqs.org/docs/Linux-mini/Proxy-ARP-Subnet.html
http://linux.die.net/man/8/parprouted
parprouted man page:
Quote:
Unlike standard bridging, proxy ARP bridging allows to bridge Ethernet networks behind wireless nodes. Normal L2 bridging does not work between wireless nodes because wireless does not know about MAC addresses used in the wired Ethernet networks. Also this daemon is useful for making transparent firewalls.
[...]
By automatically adding appropriate /32 routes to Linux kernel IP routing table for the hosts learned via ARP, daemon ensures that the Linux kernel will be able to route the packets to the destination host when it receives them without any need routing/subnetting manually.
http://www.usenet-forums.com/linux-security/124068-simple-proxy-arp-setup-needed.html
don't forget to add
Quote:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
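An added check for the proxy-ARP setup in the post above (this is not the poster's code): a POSIX sh script that verifies ip_forward and proxy_arp on each bridged interface, detects the default route exactly rather than by substring, and counts the /32 host routes parprouted has learned. The sysctl root and the route-table text are parameters so it can be tried on the constructed sample output without root; interface names and addresses in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# proxy-ARP bridge. Sysctl root and route text are parameters so the
# functions can be exercised on constructed input without root.

# Exact test for a default route in `route -n` output (on stdin). A
# substring grep for "0.0.0.0" would also fire on a 10.0.0.0 network
# route; matching both Destination and Genmask avoids that.
has_default_route() {
    awk 'NR > 2 && $1 == "0.0.0.0" && $3 == "0.0.0.0" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Count host (/32) routes on interface $1 in `ip route` output (stdin);
# these are the routes parprouted learns via ARP. `ip route` prints a
# /32 without the prefix length, so a bare address in field 1 is one.
count_host_routes() {
    awk -v dev="$1" '$1 ~ /^[0-9.]+$/ && $2 == "dev" && $3 == dev { n++ }
                     END { print n + 0 }'
}

# Check ip_forward plus proxy_arp for every bridged interface.
# $1 = sysctl root (/proc/sys/net/ipv4 on a live system), rest = interfaces.
check_proxy_arp() {
    root=$1; shift; bad=0
    [ "$(cat "$root/ip_forward" 2>/dev/null)" = 1 ] \
        || { echo "ip_forward is off"; bad=1; }
    for ifc in "$@"; do
        [ "$(cat "$root/conf/$ifc/proxy_arp" 2>/dev/null)" = 1 ] \
            || { echo "proxy_arp is off on $ifc"; bad=1; }
    done
    return $bad
}

# Constructed sample output, standing in for a live system.
SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 wlan1'
SAMPLE_IP_ROUTE='default via 192.168.0.1 dev wlan1
192.168.0.10 dev eth0 scope link metric 50
192.168.0.11 dev eth0 scope link metric 50
192.168.0.20 dev wlan1 scope link metric 50'

# Live usage:  route -n | has_default_route
#              ip route | count_host_routes eth0
#              check_proxy_arp /proc/sys/net/ipv4 eth0 wlan1
```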