It's high time to finish up with these LAN chores and bring the Internet to your LAN. Your wireless is encrypted, your LAN services are working, and your users want Internet. So you're ready to configure your WAN interface and build a nice stout iptables firewall.
Easy as pie. First, configure your WAN interface, then set up an iptables firewall. (See Chapter 3 to learn how to do these things.) You'll need to make some simple changes to /usr/local/bin/fw-nat to enable traffic to flow across your bridge. Add these two lines:
$ipt -A INPUT -p ALL -i $LAN_IFACE -s 192.168.1.0/24 -j ACCEPT $ipt -A FORWARD -p ALL -i $LAN_IFACE -s 192.168.1.0/24 -j ACCEPT
Use your own subnet, of course. Then, change the value of
LAN_IFACE to br0:
LAN_IFACE="br0"
Restart and test everything according to Chapter 3, and you are set.
Ethernet bridges join subnets into a single broadcast domain, with broadcast traffic going everywhere at once. A bridge is easy to set up and is transparent to your users. Your subnets function as a single network segment, so LAN services work without any additional tweaking, such as network printing, Samba servers, and Network Neighborhood. You can move computers around without having to give them new addresses.
Bridging is inefficient because it generates more broadcast traffic. So, it doesn't scale up very far. An Ethernet bridge operates at the data link layer (layer 2) of the OSI Model. It sees MAC addresses, but not IP addresses. Bridge traffic cannot be filtered with iptables; if you want to do this, use ebtables, which is designed for bridging firewalls.
Routing gives more control over your network segments; you can filter traffic any way you like. It's more efficient than bridging because it's not spewing broadcasts all over the place. Routing scales up indefinitely, as demonstrated by the existence of the Internet. Its main disadvantage in the LAN is it's a bit more work to implement.
See Recipe 4.12 to learn how to use routing instead of bridging on your wireless access point.