Raspberry Pi - Bridge Interfaces
This setup is useful when you have a wired homelab environment far from the ISP's router and can't run UTP cable to it, or when you want to hide your internal wired network from the rest of the house network.
The Raspberry Pi acts as the gateway for the cabled environment: all requests arriving on the Ethernet interface are forwarded to the wireless connection with the ISP router. iptables NAT/PAT hides the cabled environment's IP space behind a single outside address (on the wireless interface).
<Internet>---<ISP-Router>---<Rpi>---<cabled-env>
The configuration goes as follows:
#Configure Ethernet interface (pre-bridge)
nano /etc/dhcpcd.conf
#add below line
denyinterfaces eth0
#in the network interfaces file
nano /etc/network/interfaces
#add your static conf
auto eth0
allow-hotplug eth0
iface eth0 inet static
address 172.16.20.1
netmask 255.255.255.0
network 172.16.20.0
broadcast 172.16.20.255
#INSTALL & CONFIGURE DHCP service (dnsmasq)
apt-get install dnsmasq
cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
nano /etc/dnsmasq.conf
#add to file
interface=eth0
listen-address=172.16.20.1
dhcp-range=172.16.20.50,172.16.20.100,12h
server=8.8.8.8
bind-interfaces
domain-needed
bogus-priv
#configure wlan0 (also in /etc/network/interfaces)
auto wlan0
iface wlan0 inet static
wpa-ssid "ESSID"
wpa-psk "pre-shared-key"
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254
# SHARING THE INTERNET
#Setup IPv4 Forwarding:
nano /etc/sysctl.conf
#Un-comment this line by removing #
net.ipv4.ip_forward=1
# activate it
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
#Reset iptables: write a script in a file named tablereset.sh
nano tablereset.sh
#insert and save
#!/bin/sh
echo "Resetting the IP Tables"
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X
#make it executable
chmod +x ./tablereset.sh
#run it
./tablereset.sh
#Add firewall rules, paste the code below one at a time:
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
#Check the changes
iptables -L -n -v
#Save the rules
sh -c "iptables-save > /etc/iptables.ipv4.nat"
#make these rules load automatically every time the system reboots
nano /etc/rc.local
#Paste this line before "exit 0"
iptables-restore < /etc/iptables.ipv4.nat
#e.g.
#iptables-restore < /etc/iptables.ipv4.nat
#exit 0
#check the routing table
route
You can then do port forwarding with iptables if necessary; the man page describes how to do this.
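The ruleset saved to /etc/iptables.ipv4.nat can be checked for what actually keeps the house network out of the wired side. The script below is an added example, not part of the original page (function names are hypothetical, the sample dump is constructed): it audits iptables-save output and shows that tablereset.sh leaves the FORWARD policy at ACCEPT, so the two FORWARD rules restrict nothing until the policy is DROP.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump of this gateway's ruleset.
# Interface names are the page's (eth0 = wired lab, wlan0 = Wi-Fi uplink).

# Constructed sample: the dump produced by tablereset.sh followed by the
# three rules from this page.
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save output on stdin and prints one line per finding.
# Returns 0 when the ruleset is clean, 1 otherwise.
audit_ruleset() {
awk -v wan=wlan0 '
  /^\*/ { table = substr($0, 2); next }   # table header: *nat, *filter
  table == "filter" && $1 == ":FORWARD" && $2 != "DROP" {
      # With any other policy the FORWARD rules below it restrict nothing.
      print "FORWARD policy is " $2 ", expected DROP"; bad++
  }
  table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
      if ($0 ~ ("-o " wan "( |$)")) masq = 1
  }
  table == "filter" && /^-A FORWARD / && /-j ACCEPT/ && !/ESTABLISHED/ {
      # New connections arriving on the WAN side must not be accepted.
      if ($0 ~ ("-i " wan "( |$)")) { print "unsolicited " wan " traffic forwarded: " $0; bad++ }
  }
  END {
      if (!masq) { print "no MASQUERADE rule on " wan; bad++ }
      exit (bad > 0)
  }'
}

# On the Pi: audit_ruleset < /etc/iptables.ipv4.nat
sample_ruleset | audit_ruleset || echo "ruleset needs tightening"
```

Running iptables -P FORWARD DROP before iptables-save makes the audit pass with the page's three rules unchanged.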