Fedora 17 Transparent Bridge or Tap Using Ebtables and Brctl

To demonstrate how you can build a poor man's network tap or bridge, I thought I would share how to create one using a host with two network interfaces. In this case, I used two Ethernet NICs.

For this to work you must install brctl (part of bridge-utils), ebtables, and Wireshark or tcpdump. To bridge the two interfaces, you create the bridge, add the interfaces to it, adjust the routes, enable IP forwarding and add ebtables rules.

brctl is the basic bridge command that sets up the software bridge, ip_forward enables simple forwarding, and ebtables filters layer-2 traffic. Assuming that you are on the 192.168.7.x network and 192.168.7.1 is your gateway address, create a configuration that looks like this: Gateway -> LAN -> (eth0) Bridge Host (eth1) -> Second Host. Then, from the second host, run a continuous ping aimed at the gateway.

Then install bridge-utils and ebtables on the Bridge Host and create a BASH script containing the following:

  #!/bin/bash
  # Ebtables transparent firewall script
  # SETUP BRIDGE AND DISABLE STP
  /usr/sbin/brctl addbr br0
  /usr/sbin/brctl addif br0 eth0
  /usr/sbin/brctl addif br0 eth1
  /sbin/ifconfig br0 192.168.7.119 netmask 255.255.255.0 up
  /usr/sbin/brctl stp br0 off
  # ADD ROUTES
  # (the local network route needs a target and netmask; "route add gw 192.168.7.0 br0" is not valid route syntax)
  /sbin/route add -net 192.168.7.0 netmask 255.255.255.0 dev br0
  /sbin/route add default gw 192.168.7.1 dev br0
  # PLACE ADAPTERS IN PROMISCUOUS MODE
  /sbin/ifconfig eth0 0.0.0.0 promisc up
  /sbin/ifconfig eth1 0.0.0.0 promisc up
  # ENABLE IP FORWARDING
  echo "1" > /proc/sys/net/ipv4/ip_forward
  # DEFAULT POLICY: drop frames to and from the bridge host itself, forward nothing unless allowed below
  ebtables -P INPUT DROP
  ebtables -P OUTPUT DROP
  ebtables -P FORWARD DROP
  # FLUSH TABLES
  ebtables -F FORWARD
  # Forward ARP and IPv4 traffic only
  ebtables -A FORWARD -p IPv4 -j ACCEPT
  ebtables -A FORWARD -p ARP -j ACCEPT
  # RESTART NETWORKING... (this re-reads the ifcfg-* files; make sure they do not undo the bridge)
  service network restart

Then use chmod a+x to make the script executable and run it with sudo or as root. You should now see your pings succeed, and you can monitor traffic on the bridge interface with tcpdump or Wireshark on br0.
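As an added example (not part of the original post), here is the same setup wrapped in functions, with a dry-run mode that only prints the commands and a check that reads sysfs and procfs to confirm both NICs are ports of the bridge, STP is off and forwarding is on. The interface names, bridge name, management address and gateway are assumptions matching the post's example network; the SYSFS and PROCFS roots are overridable only so the check can be exercised against a fake tree.

```shell
#!/bin/bash
# Added example, not the post's own script: transparent bridge setup with a
# dry-run mode and a post-setup check. Defaults below are assumptions.
set -u

BRIDGE="${BRIDGE:-br0}"
IF_A="${IF_A:-eth0}"
IF_B="${IF_B:-eth1}"
MGMT_ADDR="${MGMT_ADDR:-192.168.7.119}"
MGMT_MASK="${MGMT_MASK:-255.255.255.0}"
GATEWAY="${GATEWAY:-192.168.7.1}"
# Roots for sysfs/procfs; override them to run check_bridge against a fake tree.
SYSFS="${SYSFS:-/sys}"
PROCFS="${PROCFS:-/proc}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge: create the bridge, disable STP, attach both NICs in promiscuous
# mode, give the bridge its management address and default route, enable forwarding.
setup_bridge() {
    run brctl addbr "$BRIDGE"
    run brctl stp "$BRIDGE" off
    run brctl addif "$BRIDGE" "$IF_A"
    run brctl addif "$BRIDGE" "$IF_B"
    run ifconfig "$IF_A" 0.0.0.0 promisc up
    run ifconfig "$IF_B" 0.0.0.0 promisc up
    run ifconfig "$BRIDGE" "$MGMT_ADDR" netmask "$MGMT_MASK" up
    run route add default gw "$GATEWAY" dev "$BRIDGE"
    run sysctl -w net.ipv4.ip_forward=1
}

# setup_ebtables: the layer-2 policy from the post. INPUT/OUTPUT DROP keeps the
# bridge host itself silent on the wire; only IPv4 and ARP frames are forwarded.
setup_ebtables() {
    run ebtables -P INPUT DROP
    run ebtables -P OUTPUT DROP
    run ebtables -P FORWARD DROP
    run ebtables -F FORWARD
    run ebtables -A FORWARD -p IPv4 -j ACCEPT
    run ebtables -A FORWARD -p ARP -j ACCEPT
}

# check_bridge: verify from sysfs/procfs that both NICs are enslaved to the
# bridge, STP is disabled and IPv4 forwarding is on. Returns 0 only if all pass.
check_bridge() {
    local ok=0
    local ifc
    for ifc in "$IF_A" "$IF_B"; do
        if [ ! -e "$SYSFS/class/net/$BRIDGE/brif/$ifc" ]; then
            echo "FAIL: $ifc is not a port of $BRIDGE"; ok=1
        fi
    done
    if [ "$(cat "$SYSFS/class/net/$BRIDGE/bridge/stp_state" 2>/dev/null)" != "0" ]; then
        echo "FAIL: STP is not disabled on $BRIDGE"; ok=1
    fi
    if [ "$(cat "$PROCFS/sys/net/ipv4/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "FAIL: IPv4 forwarding is off"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK: $BRIDGE bridges $IF_A and $IF_B transparently"
    return "$ok"
}

# Usage: ./bridge.sh dry-run | apply | check  (no argument: only define functions)
case "${1:-}" in
    dry-run) DRY_RUN=1 setup_bridge; DRY_RUN=1 setup_ebtables ;;
    apply)   [ "$(id -u)" -eq 0 ] || { echo "apply needs root"; exit 1; }
             setup_bridge; setup_ebtables; check_bridge ;;
    check)   check_bridge ;;
esac
```

Run `./bridge.sh dry-run` first to review the exact commands, then `sudo ./bridge.sh apply`; `./bridge.sh check` can be rerun at any time to confirm the bridge is still in the expected state, which is the first thing to look at if the pings from the second host stop succeeding.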
