Building a hidden / transparent bridge in Linux

Now that I am playing around with Open vSwitch, I wanted to put a hidden bridge in front of my virtual systems, with the bridge itself being a VM. All traffic to and from those systems should pass through that VM.

Open vSwitch

My Open vSwitch configuration is pretty simple. There is a switch called ovs-host (a switch is basically a bridge, in case you wonder why ovs-vsctl shows a Bridge while I refer to it as a switch) which connects the physical port eth0 with the virtual device veth114-host, the first NIC of my VM 114. Then there is a second switch called ovs-bridge which connects the second virtual NIC of VM 114 (veth114-bridge) with the other virtual systems (the remaining veth* ports).

root@nyota:~# ovs-vsctl show
16063541-b8fa-4b1d-b4e3-66e483b168db
    Bridge ovs-host
        Port ovs-host
            Interface ovs-host
                type: internal
        Port "eth0"
            Interface "eth0"
        Port "veth114-host"
            Interface "veth114-host"
    Bridge ovs-bridge
        Port "veth103"
            Interface "veth103"
        Port "veth100"
            Interface "veth100"
        Port "veth200"
            Interface "veth200"
        Port "veth101"
            Interface "veth101"
        Port ovs-bridge
            Interface ovs-bridge
                type: internal
        Port "veth114-bridge"
            Interface "veth114-bridge"

So, simply put: VM 114 has two virtual NICs. The first is attached to switch ovs-host and hence connected to the internet; the second is attached to switch ovs-bridge, where all the other virtual systems are. Every virtual system has to pass through VM 114 to reach the internet – perfect for a firewall, isn’t it?

VM 114 / Linux Bridge Setup

Set up the bridge using

brctl addbr br0

Add both interfaces to it

brctl addif br0 ens3
brctl addif br0 ens21

Activate all three interfaces

ip link set ens3 up
ip link set ens21 up
ip link set br0 up

Well – and that’s all. I am able to ping VM 101 through VM 114. This is a hidden bridge: it does not appear in traceroute/tracepath, and it does not have an IP address:

root@nyota:~# traceroute x.x.x.132
traceroute to x.x.x.132 (x.x.x.132), 30 hops max, 60 byte packets
 1  x.x.eu (x.x.x.132)  0.426 ms  0.410 ms  0.389 ms

works.
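The following script is an added example, not part of the original post. It reproduces both halves of the setup above in dry-run mode by default: `host` prints the ovs-vsctl commands that produce the ovs-vsctl show topology on the hypervisor, and `guest` prints the iproute2 equivalent of the brctl addbr/addif and ip link steps inside VM 114 (iproute2 is swapped in for brctl here; the interface names eth0, veth*, ens3 and ens21 come from the post, while the subcommand names and the DRY_RUN switch are this example's own). It also adds one check the post does not show: a bridge device that is brought up still receives an IPv6 link-local address from the kernel by default, so the "no IP" claim only holds for routable addresses unless IPv6 is disabled on br0, which the guest sequence does.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run by default: prints the
# commands instead of executing them. Run as root with DRY_RUN=0 to apply.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only names the kernel accepts: 1..15 chars from [A-Za-z0-9._-].
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Hypervisor side: the two OVS bridges and the ports listed by ovs-vsctl show.
# ovs-host carries the uplink eth0 plus VM 114's first NIC; ovs-bridge carries
# VM 114's second NIC and the guests that must traverse it.
ovs_commands() {
    run ovs-vsctl add-br ovs-host
    for p in eth0 veth114-host; do
        run ovs-vsctl add-port ovs-host "$p"
    done
    run ovs-vsctl add-br ovs-bridge
    for p in veth114-bridge veth100 veth101 veth103 veth200; do
        run ovs-vsctl add-port ovs-bridge "$p"
    done
}

# Guest side (VM 114): one Linux bridge enslaving both NICs, carrying no
# address. iproute2 equivalent of brctl addbr / brctl addif / ip link set up.
bridge_commands() {
    br="$1"; shift
    valid_ifname "$br" || { echo "invalid bridge name: $br" >&2; return 1; }
    run ip link add name "$br" type bridge
    for p in "$@"; do
        valid_ifname "$p" || { echo "invalid port name: $p" >&2; return 1; }
        run ip link set "$p" master "$br"
        run ip link set "$p" up
    done
    # The kernel auto-assigns an IPv6 link-local address (fe80::/10) to the
    # bridge once it is up, which would make the "hidden" box reachable on the
    # local link over IPv6. Disable IPv6 on the bridge device to prevent that.
    run sysctl -qw "net.ipv6.conf.$br.disable_ipv6=1"
    run ip link set "$br" up
}

# Given the output of `ip -o addr show dev <bridge>`, succeed only when no
# globally scoped IPv4 or IPv6 address is configured on the bridge.
bridge_has_no_global_ip() {
    ! printf '%s\n' "$1" | grep -Eq 'inet6? [^ ]+ .*scope global'
}

case "${1:-}" in
    host)  ovs_commands ;;
    guest) bridge_commands br0 ens3 ens21 ;;
    check) bridge_has_no_global_ip "$(ip -o addr show dev "${2:-br0}")" \
               && echo "${2:-br0}: no global address configured" ;;
    *)     echo "usage: $0 host|guest|check [bridge]" >&2 ;;
esac
```

Run `sh bridge.sh guest` inside the VM to review the command sequence, then `DRY_RUN=0 sh bridge.sh guest` as root to apply it; `sh bridge.sh check br0` afterwards confirms that the bridge still carries no routable address.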
