Linux: How to Configure Static IPs and Transparent Bridges, Block IPs, and Make Startup Programs with rc.local

Let’s dive in!

Fire up Kali and run all commands as root.

In my previous posts, I’ve covered how ifconfig helps identify network information.

Ubuntu, by default, controls network configurations with Netplan.

Let’s install a better program called ifupdown. It’s much easier to use- all of the network information can be configured in one simple file.

Install ifupdown by running this command:

apt install ifupdown -y

Now remove the Netplan configurations from your device. Run the command:

apt remove netplan.io -y

Autoremove will find any dependencies that are no longer needed and delete them. It’s not necessary, but I like to run this command anytime I remove something.

Now identify physical interfaces on the network:

ip link show

You’ll see the physical interfaces on your network and whether they’re up or not. We’ll come back to this when we set static IPs and configure bridges.

In my case, I have lo (the loopback address) and eth0.

Note: to complete this tutorial, you must have a wired connection to the internet. This is because ifupdown does not support bridging wireless devices.

We need to edit our interfaces file. Vim the file /etc/network/interfaces

You’ll see this:

Change the file to this:

As you see here, we can assign each interface the labels loopback or dhcp. This means the interface’s IP will either be the loopback address, or it will be assigned by a DHCP (dynamic host control protocol.)

We can also make these assignments static or manual. Let me break down the difference between the two:

STATIC

The DHCP server checks the device’s MAC address. If it’s on the “static assignments” list, it assigns the IP you specified to that device. If not, it gets the next available IP address.

MANUAL

The interface will ask the gateway for a specific IP. If it’s available, the gateway assigns it to the interface. If you go this route and set up the rules incorrectly, the device will not get an IP.

If I rebooted my machine right now, eth0 would get an address from the DHCP.

My device’s IP is currently 192.168.254.103 (here’s the screenshot from the beginning of the post)

But what if I want it to be .102 each time the machine boots up? I’ll set the static IP in the etc/network/interfaces file.

Each time you set a static IP, you need to set these 3 things:

Address
Netmask
Gateway
- The gateway address is usually the first available in the subnet. This is not always the case though- always confirm the gateway address with the client.

:wq the VIM file and reboot the machine. You’ll see that it’s using the new IP!

Simple and effective. Now onto transparent bridges.

To create a bridge, we can make a switch out of one or more interfaces on a device.

When a device acts as a switch, you can see all traffic going through the interfaces connected to it. You can capture the packets, analyze them, and make blocking decisions.

We need a program called bridge-utils to make bridges. Install it with apt:

You can check out the documentation here to know more.

Here’s how to configure the bridge:

Look at how we changed the eth0 interface from static to manual. We didn’t need to do this, but I wanted to show that you can assign the IP to the bridge interface. The bridge will take the MAC of one of your physical interfaces (usually the lowest ordered one, but not always.)

There are 4 arguments for bridges that we declared:

1. bridge_ports

This is how you determine which ports to put on the bridge. We only have eth0 in the example above, but if you wanted to place more interfaces on the bridge, you could add eth1, eth2, etc.

2. bridge_fd

This is set to 0 so it forwards packets immediately.

3. bridge_maxwait

This is an additional argument to have it forward packets immediately (by setting it to 0.)

4. bridge_stp

STP refers to spanning tree protocol. We won’t create a switching loop by plugging devices into two ports, so we keep this turned off.

Set these arguments and reboot the box. Then run ifconfig.

Check it out! There’s a new interface (br0), and it has the same MAC address (ether) as eth0. It also picked up it own IP address through DHCP, and eth0 now has no IP.

One more thing on bridges: you can treat them as if they’re separate interfaces. Thinking of making it a static IP? Add the same arguments you did for setting eth0, like this:

auto br0
iface br0 inet static
address 10.0.0.208
netmask 255.255.255.0
gateway 10.0.0.1
bridge_ports eth0 #eth1 eth2
bridge_fd 0
bridge_maxwait 0
bridge_stp off

Let’s discuss blocking IPs with IPTables.

Run iptables -h

This process can be complicated, so I’ll make it as simple as possible.

Imagine you want to block google.com. You’d first find the IP with nslookup. After that, you’d ping it to see if you get a response:

I’m doing this now (and I encourage you to do it) to verify that we’re actually blocking google.com when we run our blocking commands later.

Let me unpack the next screenshot:

IPTables can block IPs on specific interfaces, under specific circumstances, and at specific layers of network communications. We’re going to block the simplest and fastest possible layer available to IPTables- the prerouting layer.

Run this command:

iptables -t raw -A PREROUTING -s <ip> -j DROP

It instructs the machine to instantly drop any communications coming from this IP. This rule alone is extremely fast and effective.

To see all IPs you’re blocking, run this command:

iptables -nL -t raw

The screenshot shows that we’re blocking the Google IP we specified earlier.

Now let’s ping it to verify that we can’t: