Implement a bridge firewall
Author: David Whitmarsh. Compiled by: ideal
What is the difference between a traditional firewall and a bridge firewall? A conventional firewall works like a router: the internal hosts are configured to use the firewall as their gateway to the external network, and the external router is configured to use the firewall as its gateway to the protected internal network. A bridge is a device attached to two or more network segments that forwards frames between them; the other devices on the network do not notice that the bridge is there. In other words, a router joins two networks together and passes data between them, while a bridge is more like a length of network cable joining two parts of one network. A bridge firewall behaves like a bridge, unseen by the devices on either side, but it also filters the packets that pass through it.
Why would you want a bridge firewall? There are two main reasons:
You can add a firewall to a network without changing the configuration of any device on that network.
You may want to protect part of a network while having no control over the configuration of the external router.
My own case was this: my office connects to Demon Internet over ADSL, with a subnet of 16 IP addresses available. Because of the peculiarities of British ISPs, the line and the router are installed and owned by British Telecom, so we have no ability to configure the external router to tell it which host is the gateway for the internal network. That left me with only two options:
Connect every host directly to the ADSL router and set up iptables rules independently on each host, or use the NAT function of a firewall to let the internal network reach the Internet. The first option is unacceptable because it greatly increases both the chance of error and the system-administration overhead. The second has its own advantages and disadvantages: most applications work through NAT, but there are exceptions such as video streaming and VPNs. A bridge firewall solves these problems: the firewall sits between the ADSL router and the internal network without any change to their configuration. The last obstacle is that the bridge code in the standard Linux kernel completely bypasses iptables, so you can use either a bridge or an iptables firewall, but not both at the same time.
Fortunately there is a bridge implementation that supports iptables, so every packet passing through the bridge can be handed to the iptables rules for filtering. As a result the firewall can be completely transparent to the network and needs no routing function of its own. From the Internet's point of view the firewall does not exist, except that particular connections are blocked. The bridge software is a kernel patch that makes the existing bridge code work together with iptables, and conveniently the developers have produced kernels in RPM form that support bridge firewalling. Less conveniently, the related documentation is sparse, so this article is meant to help anyone who wants to build a bridge firewall.
How bridging and routing work
A Linux bridge is built on a machine with two or more network interfaces. It learns, from the traffic on the attached segments, which MAC addresses are reachable through which interface, and uses that information to decide whether to relay a packet onto another segment. The bridged interfaces themselves are not assigned IP addresses; instead the bridge as a whole is configured as a single interface of the firewall.
As the figure above shows, a packet addressed to the bridge itself traverses the PREROUTING chain of the mangle table and the INPUT chain of the filter table; a packet sent by the bridge device traverses the OUTPUT chain of the filter table and the PREROUTING chain of the mangle table; a packet forwarded through the bridge traverses the PREROUTING chain of the mangle table, the FORWARD chain of the filter table and the POSTROUTING chain of the mangle table.
Network topology
My static IP address range is xxx.xxx.xxx.48-63, i.e. the subnet mask is 255.255.255.240. I decided to divide it into two segments: xxx.xxx.xxx.48-56 is used outside the firewall and includes the ADSL router's own address (xxx.xxx.xxx.49); xxx.xxx.xxx.57-62 is used inside the firewall. Note that this is not a real subnet division, because the two segments are joined by a bridge rather than a router. The firewall rules are defined as follows:
#!/bin/sh
#
# rc.firewall - Initial Simple IP Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (c) 2001, 2002 Sparkle Computer Co Ltd.
# based on rc.firewall by Oskar Andreasson

# Interface names and addresses (see "Variable definitions" below).
# IPTABLES is the path to the iptables binary; /sbin/iptables is assumed here.
IPTABLES="/sbin/iptables"
BR_IP="xxx.xxx.xxx.57"
BR_IFACE="br0"
LAN_BCAST_ADDRESS="xxx.xxx.xxx.63"
INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29"
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"

#########
# Load all required iptables modules
#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT

#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

#
# Take down the interfaces before setting up the bridge
#
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0

# Clean up for a restart (the mangle table must be flushed as well, or the
# PREROUTING rules below are duplicated every time the script is re-run)
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
$IPTABLES -t mangle -P PREROUTING DROP

# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr $BR_IFACE
# and add the interfaces to it
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE

# make us visible to the network again (optional)
if [ "$BR_IP" != "" ]
then
    ifconfig $BR_IFACE $BR_IP
else
    # otherwise we must at least bring the interface up for the bridge to work.
    ifconfig $BR_IFACE up
fi

# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
# Loopback packets also traverse PREROUTING; without this rule the DROP policy
# above would cut off the firewall's own local connections (added)
$IPTABLES -t mangle -A PREROUTING -i $LO_IFACE -j ACCEPT
# Accept internal packets on the internal i/f
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
# Accept external packets on the external i/f
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT

#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets

#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT   # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT   # dest unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT   # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT  # time exceeded
$IPTABLES -A FORWARD -p icmp -j icmp_packets

#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT    # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT   # NTP
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # SpeakFreely
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT # ICQ
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets

#
$IPTABLES -N tcp_packets

#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#
# bad tcp packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# The host names below must resolve without the Internet (e.g. via /etc/hosts):
# the INPUT chain accepts no replies from outside, so the firewall itself
# cannot query an external DNS server.
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed   # HTTP
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed        # gnutella
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed   # SMTP
$IPTABLES -A FORWARD -p tcp -j tcp_packets

# Log what is left before the FORWARD policy drops it (placed last so that
# packets accepted by the chains above are not logged as "died")
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "

#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the PREROUTING restrictions above mean that only packets from inside
# the firewall can fulfill the source condition. So the firewall machine should not be
# visible to the internet.
#
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT

# But you *will* need this
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died: "

This sample script follows a conventional firewall set-up, taken from the basic firewall policy in Oskar Andreasson's iptables tutorial:
Block packets carrying impossible (spoofed) source addresses.
Allow all connections from the firewall to the outside.
Allow return traffic belonging to connections opened from the inside to come back into the internal network.
Allow external connections to specific ports on particular hosts.
Variable definitions
For clarity and maintainability it is a good idea to define the interface names and IP addresses as variables. The example uses the following:
BR_IP="xxx.xxx.xxx.57"
BR_IFACE="br0"
LAN_BCAST_ADDRESS="xxx.xxx.xxx.63"
INTERNAL_ADDRESS_RANGE="xxx.xxx.xxx.56/29"
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
"xxx.xxx.xxx" stands for the first three octets of the network address; $INTERNAL_ADDRESS_RANGE is the address range of the internal network.
Setting up the bridge
To set up the bridge we need to do the following. First we take down the network interfaces and remove their IP configuration:
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
If you run these commands over a Telnet or SSH session you will lose the connection, so they should be run from the host's console. Next we create the bridge device and attach the Ethernet interfaces to it:
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
Now we can bring the bridge device up as the firewall's internal interface:
ifconfig $BR_IFACE $BR_IP
Blocking spoofed packets
We block forged packets in the PREROUTING chain of the mangle table. Filtering at this point catches both packets destined for the firewall and packets to be forwarded. We use mangle PREROUTING rather than nat PREROUTING because the nat table only sees the first packet of each connection.
The following rule ensures that only packets with an internal source address are accepted on the internal interface:
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
The following rule stops the bridge's external interface from accepting packets that carry an internal source address (the chain's default policy is DROP, so anything not matched by one of these ACCEPT rules is discarded):
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
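As an added example that is not part of the original article, the script below checks the variable block for consistency (bridge address inside the internal range, broadcast address matching the range, distinct interfaces) before any rule is loaded, then emits the anti-spoofing mangle PREROUTING rules, extending the article's two private-range drops to all three RFC 1918 ranges. It runs in dry-run mode unless IPTABLES points at the real binary; the 203.0.113.x addresses are constructed stand-ins for xxx.xxx.xxx.

```shell
#!/bin/sh
# Added example, not from the original article. Dry-run by default:
# export IPTABLES=/sbin/iptables to apply the rules for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
# Constructed sample values standing in for the article's xxx.xxx.xxx block.
INET_IFACE="eth1"; LAN_IFACE="eth0"
BR_IP="203.0.113.57"
INTERNAL_ADDRESS_RANGE="203.0.113.56/29"
LAN_BCAST_ADDRESS="203.0.113.63"

# ip2int a.b.c.d -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# bcast_int a.b.c.d/n -> the prefix's directed broadcast as an integer
bcast_int() {
    echo $(( $(ip2int "${1%/*}") | ((1 << (32 - ${1#*/})) - 1) ))
}

# in_range a.b.c.d a.b.c.d/n -> true when the address lies inside the prefix
# (two addresses share a prefix exactly when they share its broadcast)
in_range() {
    [ $(bcast_int "$1/${2#*/}") -eq $(bcast_int "$2") ]
}

# check_vars: refuse to load rules from an inconsistent variable block; on a
# bridge with no other address that is the usual way to lock yourself out
check_vars() {
    [ "$INET_IFACE" != "$LAN_IFACE" ] ||
        { echo "INET_IFACE and LAN_IFACE must differ" >&2; return 1; }
    in_range "$BR_IP" "$INTERNAL_ADDRESS_RANGE" ||
        { echo "BR_IP $BR_IP is outside $INTERNAL_ADDRESS_RANGE" >&2; return 1; }
    [ $(ip2int "$LAN_BCAST_ADDRESS") -eq $(bcast_int "$INTERNAL_ADDRESS_RANGE") ] ||
        { echo "LAN_BCAST_ADDRESS is not the broadcast of $INTERNAL_ADDRESS_RANGE" >&2; return 1; }
}

# spoof_rules: all three RFC 1918 drops (the article lists two), then the
# article's per-interface source checks; anything else meets the DROP policy
spoof_rules() {
    check_vars || return 1
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPTABLES -t mangle -A PREROUTING -s "$net" -j DROP
    done
    $IPTABLES -t mangle -A PREROUTING -i "$LAN_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT
    $IPTABLES -t mangle -A PREROUTING -i "$INET_IFACE" ! -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT
}
```

Run `spoof_rules` from the console after the bridge is up; with the default dry-run setting it only prints the commands it would execute.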
Accessing the firewall from the internal network
You may want the firewall to be completely transparent to the network, or you may want to reach the bridge firewall directly from the internal network. The following rules allow connections to the firewall from the internal network only; whether to allow such access at all depends on your own situation:
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT
Earlier we already dropped packets whose source address does not match the interface they arrived on, so only hosts on the inside can satisfy the source condition.
More information
The kernel patch: without it, iptables cannot be used with a bridge device.
Oskar Andreasson's iptables tutorial is recommended reading.
Rusty's Remarkably Unreliable Guides give background on packet filtering and networking.
Sparkle home page (the author's).