Debian Linux: Configure Network Interfaces As A Bridge / Network Switch

My server has five Ethernet ports and one ADSL port. How do I setup IPv4 software bridge using Debian Linux operating systems so that the rest of five ports act as a network switch?


You need to use brctl command to bridge network connections under Debian Linux. This is useful for:

1. Sharing your internet connections between multiple devices.
2. Increase your ethernet jacks capacity without purchasing a dedicated network switch.
3. Setup Debian as an access point and much more.

Install bridge-utils package

You need to install a package called bridge-utils for configuring the Linux Ethernet bridge.
# apt-get install bridge-utils
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bridge-utils
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 35.5 kB of archives.
After this operation, 145 kB of additional disk space will be used.
Get:1 http://mirror.anl.gov/debian/ wheezy/main bridge-utils i386 1.5-6 [35.5 kB]
Fetched 35.5 kB in 1s (21.9 kB/s)
Selecting previously unselected package bridge-utils.
(Reading database ... 23737 files and directories currently installed.)
Unpacking bridge-utils (from .../bridge-utils_1.5-6_i386.deb) ...
Processing triggers for man-db ...
Setting up bridge-utils (1.5-6) ...

Configuration

In this example below, eth0 to eth4 are acting as a switch. Edit the file /etc/network/interfaces, enter:
# cp -v /etc/network/{interfaces,interfaces.bak}
# vi /etc/network/interfaces
To make your bridge configuration permanent edit this file. Append/modify as follows:

 
# The loopback network interface
auto lo
iface lo inet loopback
 
# Eth0 to Eth5 network switch
allow-hotplug eth0
iface eth0 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
 
allow-hotplug eth1
iface eth1 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
 
allow-hotplug eth2
iface eth2 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
 
allow-hotplug eth3
iface eth3 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
 
allow-hotplug eth4
iface eth4 inet manual
   pre-up   ifconfig $IFACE up
   pre-down ifconfig $IFACE down
 
# Setup an IP address for our bridge
auto br0
iface br0 inet static
  bridge_ports eth0 eth1 eth2 eth3 eth4
  address 192.168.1.253
  broadcast 192.169.1.255
  netmask 255.255.255.0
 

Save and close the file.

Restart the networking service

To stop current network configuration, enter:
# service networking stop
Sample outputs:

Deconfiguring network interfaces...done.

To activate br0 network interface, enter:
# service networking start
Sample outputs:

Configuring network interfaces...
Waiting for br0 to get ready (MAXWAIT is 32 seconds).
done.

Verify br0 configuration

Type the following command:
# ip addr show
Sample outputs:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
    link/ether 00:00:24:cf:69:68 brd ff:ff:ff:ff:ff:ff
3: eth1:  mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN qlen 1000
    link/ether 00:05:b4:09:ee:9c brd ff:ff:ff:ff:ff:ff
4: eth2:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:69 brd ff:ff:ff:ff:ff:ff
5: eth3:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:6a brd ff:ff:ff:ff:ff:ff
6: eth4:  mtu 1500 qdisc pfifo_fast master br0 state DOWN qlen 1000
    link/ether 00:00:24:cf:69:6b brd ff:ff:ff:ff:ff:ff
7: wlan0:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1d:73:bc:e4:6e brd ff:ff:ff:ff:ff:ff
8: br0:  mtu 1500 qdisc noqueue state UP
    link/ether 00:00:24:cf:69:68 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.169.1.255 scope global br0
    inet6 fe80::200:24ff:fecf:6968/64 scope link
       valid_lft forever preferred_lft forever

You can use the following brctl command to see all current instances of the ethernet bridge:
# brctl show
Sample outputs:

bridge name	bridge id		STP enabled	interfaces
br0		8000.000024cf6968	no		eth0
							eth1
							eth2
							eth3
							eth4

How do I show a list of mac address?

# brctl showmacs br0

How can I see bridge stp information?

# brctl showstp br0

Other options

To see all other supported options type the following command
$ man brctl
OR
$ brctl --help
Sample outputs:

Usage: brctl [commands]
commands:
	addbr     			add bridge
	delbr     			delete bridge
	addif     	 	add interface to bridge
	delif     	 	delete interface from bridge
	hairpin   	  {on|off}	turn hairpin on/off
	setageing 	 		set ageing time
	setbridgeprio	 		set bridge priority
	setfd     	 		set bridge forward delay
	sethello  	 		set hello time
	setmaxage 	 		set max message age
	setpathcost	  	set path cost
	setportprio	  	set port priority
	show      	[  ]		show a list of bridges
	showmacs  			show a list of mac addrs
	showstp   			show bridge stp info
	stp       	 {on|off}	turn stp on/off

A note about DHCPD server

You may want to setup DHCPD server to allow clients such as desktop, laptop, and mobile devices to request and obtain an IP address and many other parameters from a server / switch itself. See how to setup an ISC DHCP Server for your network for more information.

A note about Iptables

The data flows through all interfaces, so you only need to filter on one interface. Turn on packet forwarding using Linux kernel and iptables (NAT). Assuming that eth6 or ppp0 is the connection to the Internet. First, turn on IP forwarding in the kernel:
# sysctl -w net.ipv4.ip_forward=1
Next, use the following command:
/sbin/iptables -t nat -A POSTROUTING -o eth6 -j MASQUERADE
### ppp0 ###
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
OR setup an IP forwarding and masquerading (NAT):
/sbin/iptables --table nat --append POSTROUTING --out-interface eth6 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface br0 -j ACCEPT
Feel free to modify rules as per your setup. See iptables man page or the following tutorials for more information:

1. Debian / Ubuntu Linux: Install and Configure Shoreline Firewall (Shorewall)
2. Linux: 20 Iptables Examples For New SysAdmins

See also

• KVM Guest: Shared Physical Network Device With Host (bridging configuration)

• Tweet
• 
• 

You should follow me on twitter here or grab rss feed to keep track of new changes.

Featured Articles:

• 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
• Top 30 Nmap Command Examples For Sys/Network Admins
• 25 PHP Security Best Practices For Sys Admins
• 20 Linux System Monitoring Tools Every SysAdmin Should Know
• 20 Linux Server Hardening Security Tips
• Linux: 20 Iptables Examples For New SysAdmins
• Top 20 OpenSSH Server Best Security Practices
• Top 20 Nginx WebServer Best Security Practices
• 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
• 15 Greatest Open Source Terminal Applications Of 2012
• My 10 UNIX Command Line Mistakes
• Top 10 Open Source Web-Based Project Management Software
• Top 5 Email Client For Linux, Mac OS X, and Windows Users
• The Novice Guide To Buying A Linux Laptop