Traditional firewall and bridge firewall: what is the difference? Usually a firewall works like a router: the internal systems are configured with the firewall as their gateway to the outside network, and the external router is configured with the firewall as the gateway to the protected internal network. A bridge is a device that links two or more network segments and forwards data between them, while the other devices on the network do not notice that the bridge is there.
In other words, a router connects two networks and transfers data between them; a bridge is more like a network cable that joins two parts of one network together. A bridge firewall works like a bridge, undetected by the equipment at either end, but it also has the ability to filter the packets passing through it.
Why would you want to build a bridge firewall? Generally for the following reasons:
* You can add a firewall to the network without having to modify the network parameters of any device.
* You may want to protect a certain part of the network but have no right to control the external routing configuration.
My problem
My office has an ADSL connection to Demon Internet, with a subnet of 16 IP addresses available. For reasons peculiar to UK ISPs, the line and the router are installed and owned by BT, so we cannot configure the external router to tell it which host is the internal network's gateway. That left me only two options:
* Connect each host directly to the ADSL router and set up firewall rules independently on every host with iptables.
* Use a NAT firewall to give the internal network access to the Internet.
The first method is unacceptable because it greatly increases the chance of error and the system administration overhead. The second method has advantages and disadvantages: although most applications work through NAT, there are exceptions, such as video streaming and VPNs. A bridge firewall solves these problems: the firewall can be placed between the ADSL router and the internal network it protects, without any configuration changes. The last obstacle is that in the standard Linux kernel bridged traffic completely bypasses iptables, so you can have either a bridge or an iptables firewall, but not both at once.
Solution
Fortunately, there is a project that adds iptables support to the bridge implementation, so that any packet passing through the bridge can be submitted to the iptables filtering rules. The result is a firewall that is completely transparent to the network and needs no special routing. From the Internet, the firewall does not appear to exist, except that specific connections are blocked. The bridge software is a kernel patch that lets the existing bridge code work together with iptables. For convenience, the developers have produced RPM kernels that support bridge firewalling. The inconvenience is that there is too little documentation, so this article is meant to help those who want to build a bridge firewall.
Bridging and routing: how they work
Simply put, the Linux bridge implementation generally runs on a device with two or more network interfaces. By listening on the attached segments, the bridging code learns which MAC addresses are reachable through which interface, and uses that information to decide whether to relay a packet to another segment. The bridged interfaces themselves are not assigned IP addresses; instead the bridge as a whole is configured as a single interface on the firewall.
In the bridge case, packets whose destination is the bridge device itself pass through the mangle table PREROUTING chain and the filter table INPUT chain; packets sent by the bridge device itself pass through the filter table OUTPUT chain and the mangle table POSTROUTING chain; and packets flowing through the bridge pass through the mangle table PREROUTING chain, then the filter table FORWARD chain, then the mangle table POSTROUTING chain.
Network topology
I have a static IP address range of xxx.xxx.xxx.48-63, that is, a subnet mask of 255.255.255.240. I decided to split the whole range into two segments: xxx.xxx.xxx.48-56 outside the firewall, including the ADSL router's own IP address (xxx.xxx.xxx.49); and xxx.xxx.xxx.57-62 for the inside of the firewall. Note that this is not true subnetting, because the segments are connected by a bridge, not a router.
Firewall rules
Firewall rules defined as follows:
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (c) 2001, 2002 Sparkle Computer Co ltd.
# Based on rc.firewall by Oskar Andreasson
# Parts (c) of BoingWorld.com, use at your own risk,
# do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com and Sparkle Computer Co Ltd
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. The same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall across the network
# For maximum security don't set one up - but then you must do
# everything directly on the firewall.
BR_IP="xxx.xxx.xxx.57"
BR_IFACE="br0"
LAN_BCAST_ADDRESS="xxx.xxx.xxx.63"
INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29"
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#
# Take down the interfaces before setting up the bridge
#
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
# Clean up for a restart
$IPTABLES -F
$IPTABLES -X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
$IPTABLES -t mangle -P PREROUTING DROP
# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr $BR_IFACE
# and add the interfaces to it
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
# Make us visible to the network again (optional)
if [ "$BR_IP" != "" ]; then
  ifconfig $BR_IFACE $BR_IP
else
  # Otherwise we must at least bring the interface up for the bridge to work.
  ifconfig $BR_IFACE up
fi
# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
# Accept internal packets on the internal i/f
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
# Accept external packets on the external i/f
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT   # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT   # dest unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT   # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT  # time exceeded
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT   # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT  # ntp
# $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely
# $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
#
$IPTABLES -N tcp_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
# Bad TCP packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed   # http
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed        # gnutella
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed   # smtp
$IPTABLES -A FORWARD -p TCP -j tcp_packets
# Log (rate limited) whatever reached the end of FORWARD without being accepted;
# the policy DROP then discards it
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died:"
#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the PREROUTING restrictions above mean that only packets from inside
# the firewall can fulfil the source condition. So the firewall machine should not be
# visible to the internet.
#
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT
# But you *will* need this
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died:"
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died:"
The script above is similar to a traditional firewall setup; it is derived from Oskar Andreasson's iptables tutorial.
The basic firewall policy is:
1. Block packets with impossible (spoofed) source IP addresses.
2. Allow all connections from inside the firewall to the outside.
3. Allow the return traffic of connections initiated from the inside back into the internal network.
4. Allow external connections to specific ports on specific hosts.
Variable definitions
For clarity and maintainability, it is a good idea to define the interface names and IP addresses as variables. These examples use the following data:
BR_IP="xxx.xxx.xxx.57"
BR_IFACE="br0"
LAN_BCAST_ADDRESS="xxx.xxx.xxx.63"
INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29"
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
"xxx.xxx.xxx" stands for the first three octets of the network's IP address. $INTERNAL_ADDRESS_RANGE is the IP range of the internal network.
Set up a bridge device
To set up a bridge we need to do some work. First, we shut down the network interfaces and remove their IP settings:
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
If you are working over a telnet or ssh session, running these commands will cut you off, so you should do this at the host's console. Next we create the bridge device and add the Ethernet interfaces to it:
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
Now we can bring up the bridge device as the internal interface:
ifconfig $BR_IFACE $BR_IP
Stopping spoofing
We can block forged packets with rules in the mangle table's PREROUTING chain. Blocking there catches both packets that would be forwarded and packets addressed to the firewall itself. We use the mangle PREROUTING chain rather than the nat table's PREROUTING chain, because the nat table only sees the first packet of a connection.
The following rule ensures that only packets with an internal source address are accepted on the internal interface:
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
The following rule accepts only packets that do not carry an internal source address on the external interface, so that, together with the chain's DROP policy, the bridge refuses packets arriving from outside that claim an internal address:
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
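To check what the anti-spoofing rules actually do before loading them, the following added example (not part of the original article) walks the mangle PREROUTING chain exactly as netfilter would, first match wins and the chain policy otherwise, for a few packets arriving on each interface. It uses 203.0.113.56/29 as a constructed stand-in for the article's xxx.xxx.xxx.56/29 internal range.

```python
import ipaddress

# Constructed stand-in for the article's xxx.xxx.xxx.56/29 internal range.
INTERNAL_ADDRESS_RANGE = ipaddress.ip_network("203.0.113.56/29")
LAN_IFACE = "eth0"
INET_IFACE = "eth1"

# The mangle PREROUTING chain from the script, in rule order. Each rule is
# (input interface or None for any, source network, negated source match, target).
PREROUTING = [
    (None, ipaddress.ip_network("192.168.0.0/16"), False, "DROP"),
    (None, ipaddress.ip_network("10.0.0.0/8"), False, "DROP"),
    (None, ipaddress.ip_network("172.16.0.0/12"), False, "DROP"),
    (LAN_IFACE, INTERNAL_ADDRESS_RANGE, False, "ACCEPT"),   # -i eth0 -s internal
    (INET_IFACE, INTERNAL_ADDRESS_RANGE, True, "ACCEPT"),   # -i eth1 ! -s internal
]
PREROUTING_POLICY = "DROP"   # iptables -t mangle -P PREROUTING DROP


def prerouting_verdict(in_iface, src_ip):
    """First matching rule decides; otherwise the chain policy applies."""
    src = ipaddress.ip_address(src_ip)
    for rule_iface, net, negate, target in PREROUTING:
        if rule_iface is not None and rule_iface != in_iface:
            continue
        in_net = src in net
        if in_net != negate:   # "! -s" inverts the source match
            return target
    return PREROUTING_POLICY


def audit(packets):
    """Return (in_iface, src_ip, verdict) for a list of (in_iface, src_ip)."""
    return [(iface, ip, prerouting_verdict(iface, ip)) for iface, ip in packets]


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address).
    sample = [
        (LAN_IFACE, "203.0.113.58"),   # legitimate internal host
        (INET_IFACE, "203.0.113.58"),  # internal address arriving from outside: spoof
        (INET_IFACE, "198.51.100.7"),  # legitimate external host
        (LAN_IFACE, "198.51.100.7"),   # external address arriving from inside: spoof
        (INET_IFACE, "10.1.2.3"),      # RFC 1918 source on the public side
    ]
    for iface, ip, verdict in audit(sample):
        print(f"{iface:5} {ip:15} -> {verdict}")
```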
Accessing the firewall from the internal network
You may want your firewall to be completely transparent to the network, or you may want to allow direct connections to the bridge firewall from the internal network for convenience. The following rules allow connections to the firewall only from the internal network; adjust them to your own requirements for access to the bridge firewall:
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT
The PREROUTING rules above have already stopped the interfaces from accepting packets whose source address does not match the interface they arrive on.