Create a bridge firewall using Linux
Author: Henry Stilmack <HPS@shangri-la.cx>
Original source: http://www2.linuxjournal.com/articles/misc/0041.html
Translation: Ideal <Ideal@linuxaid.com.cn>
The Joint Astronomy Center operates two telescopes on the 14,000-foot summit of Mauna Kea in Hawaii and has offices and other facilities in Hilo, which connect to the Internet through the University of Hawaii. The university has assigned the Center three subnets within its class B address range. Until now the Center's network security rested on the ACLs (access control lists) of the border router together with host-level access control (TCP Wrappers) on the Solaris and Linux systems. Recently a major British funding body for the Center strongly recommended, after a review, that a firewall be installed to improve the security of the network. After evaluating several commercial and free firewall products, it turned out that every one of them would have required renumbering the three internal subnets into private 192.168 address space. The internal network has more than 200 nodes on three subnets, and some embedded microprocessor systems would have needed their EEPROMs reprogrammed to change their IP addresses, which would have been very troublesome. So the search began for a transparent firewall solution that keeps the existing address assignments while still protecting the internal network.
Linux kernels 2.2 and later support Ethernet bridging. When one interface of a bridge receives a frame, the bridge looks at the destination MAC address and forwards the frame out of the other interface without examining the source or destination IP address. A French company, AC2i, has released a kernel patch that lets ipchains filter packets on the bridge's interfaces. This makes a transparent firewall possible: one that provides protection and access control for the internal network without changing any addresses. The following sections discuss how to set up such a bridging firewall.
Hardware Configuration
To filter and monitor traffic efficiently, the firewall needs a reasonably fast CPU. The system described here is a 500MHz Celeron with 256MB of memory; testing showed that this bridge can keep up with 10Mb Ethernet without dropping packets. The system needs three network cards: two for the bridge itself and one for managing the firewall.
Disk capacity is less important, but all log output should be kept. If you want to keep some logging locally (for the configuration and monitoring tools), make sure there is plenty of free space: firewall and intrusion-detection logs are often very large.
Install Linux
The following discussion is based on the Linux 2.2.16 kernel (Red Hat 7.0). If you use a 2.4 kernel, iptables replaces ipchains for kernel packet filtering.
Start with a standard Linux installation, but select almost no application packages, not even xinetd/inetd, since the system will offer no services. Do not install compilers or development tools: if the system is compromised, an intruder should not find it easy to build anything on it. You do need Perl (some reporting tools require it) and OpenSSH (for remote management). Be sure to install the ipchains package; it is required for the firewall setup. A web browser may be useful. If you only take time updates from the internal network, installing NTP does no harm. Optionally install a few X11 applications, TCP Wrappers, and some network monitoring utilities (whois, finger, tcpdump, traceroute, nc and so on). Create a non-root account and use it to log in.
During installation configure only the primary Ethernet interface, which will be a node on the protected network, and give it a fixed address. At this stage it should be connected to an empty hub; it will be connected to the network later. After the system is installed and rebooted, type linux single at the LILO prompt to boot into single-user mode, edit /etc/hosts.allow so that only the administrator's host may connect over SSH, and then reboot normally into the system. Then connect the primary Ethernet interface to the internal network.

Build a kernel with bridging support
Follow the standard kernel build procedure, but keep the configuration minimal and turn on only the options the firewall actually needs.
Change to /usr/src and copy the kernel source tree into a newly created directory, linux-fw, then point the linux symlink at it:
# cd /usr/src; mkdir linux-fw; cp -r linux-2.2.16/. linux-fw
# rm linux; ln -s ./linux-fw linux
Apply the linux_brfw2 patch to the kernel source. It adds a built-in chain named bridgein to ipchains, which holds the bridging firewall rules; only the ACCEPT and DENY targets are meaningful in this chain, since REJECT and MASQ make no sense on a bridge. The patch is available from http://ac2i.tzo.com/bridge_filter/.

# patch -p0 < <path-to-linux_brfw2-patch>

Change to /usr/src/linux and configure the kernel (this assumes you already have experience building kernels). The configuration options relevant to the bridging firewall are:

CONFIG_MODVERSIONS=n
CONFIG_FIREWALL=y
CONFIG_FILTER=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_BRIDGE=y

Then build the kernel:

# make dep; make clean; make install

and boot the system with the newly generated kernel.

Setting up the bridge

Log in to the firewall system. Assuming eth0 is used as the management interface, ifconfig -a shows the system's interfaces:

brg0      Link encap:Ethernet  HWaddr FE:FD:04:E0:13:B5
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

eth0      Link encap:Ethernet  HWaddr 00:90:27:B3:17:5C
          inet addr:nnn.nnn.nn.253  Bcast:nnn.nnn.nn.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2242346 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3616430 errors:0 dropped:0 overruns:0 carrier:0
          collisions:589902 txqueuelen:100
          Interrupt:9 Base address:0xde80

eth1      Link encap:Ethernet  HWaddr 00:01:02:CD:55:38
          BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1832954 errors:0 dropped:0 overruns:0 carrier:1
          collisions:500 txqueuelen:100
          Interrupt:10 Base address:0xdc00

eth2      Link encap:Ethernet  HWaddr 00:01:02:C1:14:F1
          BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2011596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:238126 errors:0 dropped:0 overruns:0 carrier:2
          collisions:666 txqueuelen:100
          Interrupt:11 Base address:0xd880

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:1676447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1676447 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Note that the two bridge interfaces, eth1 and eth2, carry no IP address at all. To make the bridge work you need the brcfg utility. Its source code is available from Matthew Grant's Linux Router Project, http://lp. Compile it into a binary, copy it to /usr/sbin/brcfg, and run the following commands to start the bridge:

# ifconfig eth1 promisc up
# ifconfig eth2 promisc up
# brcfg start
# brcfg device eth1 enable
# brcfg device eth2 enable

After a few minutes, once the bridge has learned the MAC addresses on both sides, it transparently forwards frames between the two NICs.

Firewall configuration

The firewall itself is implemented with the ipchains package. The kernel patch above adds a new built-in chain, bridgein, which is applied to packets received on the interfaces that make up the bridge. Because this chain is an input-side chain, every rule must specify the interface on which the packet enters the system. The default policy of each chain is set to ACCEPT, and the access policy is implemented by the rules added to the bridgein chain; the last rule should be a DENY, so that any packet not explicitly allowed is dropped.
The firewall's access policy is designed for the network topology described below, with the public servers on the Internet side of the bridge and the protected hosts behind it. The key points of the design are:

- All public servers (HTTP, FTP, SMTP, SSH) are outside the firewall.
- All traffic from the Internet to the internal network passes through the firewall.
- Traffic from the protected internal network to the public servers is not restricted.
- Traffic from the protected internal network to the Internet is allowed.
- Traffic from the public servers to the protected internal network is restricted: only the services actually in use are allowed (NFS exported to the internal network, SMTP from the public mail server to the internal mail hub, SSH).
- Connections initiated from the Internet to the internal network are blocked.

Below is a script that generates the ipchains rules according to these principles:

Listing 2. Annotated script for bridge firewall setup

#!/bin/sh
###########################################################
# firewall.sh - Set up ipchains rules for a bridging firewall
#
# Copyright (C) 2000 UK/Canada/Netherlands Joint Astronomy Centre
#
# Permission to use, copy, modify, distribute,
# and sell this software and its documentation
# for any purpose is hereby granted without fee,
# provided that the above copyright notice appear
# in all copies and that both that copyright notice
# and this permission notice appear in
# supporting documentation, and that the name
# Joint Astronomy Centre not
# be used in advertising or publicity pertaining
# to distribution of this
# software without specific, written prior
# permission.
#
# This software is provided `as-is'. The Joint
# Astronomy Centre disclaims
# all warranties with regard to this
# software, including without
# limitation all implied warranties of
# merchantability, fitness for a
# particular purpose, or noninfringement.
# In no event shall the Joint
# Astronomy Centre be liable for any damages
# whatsoever, including special,
# incidental or consequential damages,
# including loss of use, data, or
# profits, even if advised of the
# possibility thereof, and regardless of
# whether in an action in contract,
# tort or negligence, arising out of
# or in connection with the use or
# performance of this software.
#
# (There. That should satisfy the lawyers.
# In plain English, here's the
# software. Do whatever you want with it.
# If anything breaks, it's your
# fault and your problem. Don't come
# crying to us. We're not paying
# anyone for anything.)
###########################################################

IPCHAINS=/sbin/ipchains

###########################################
# Definitions
###########################################
FIREWALLHOST=n.n.n.n/32   # Edit - your firewall address here
MYNET=""                  # Edit - your network/mask here
ANY="0.0.0.0/0"
LOCALHOST="127.0.0.1/32"
EXT_IF=eth2               # Edit - this is the interface which will
                          # connect to the Internet
INT_IF=eth1               # Edit - this is the interface which will
                          # connect to your protected network

########################################################################
# Public (outside the firewall) servers
########################################################################
WWW_SERVER=               # Edit - address of your public WWW server
FTP_SERVER=               # Edit - address of your public FTP server
SMTP_SERVER=              # Edit - address of your public mail server
INTERNAL_SMTP=            # Edit - address of your internal mail hub
SSH_SERVER=               # Edit - address of your public login (SSH) server
NNTP_SERVER=              # Edit - address of your upstream news server
INTERNAL_NTP=             # Edit - address of your internal NTP server

###########################################
# Set default policies
###########################################
$IPCHAINS -P input ACCEPT
$IPCHAINS -P forward ACCEPT
$IPCHAINS -P output ACCEPT

###########################################
# Flush any old rules
###########################################
$IPCHAINS -F

###########################################
# Create 2 new chains
###########################################
$IPCHAINS -N public
$IPCHAINS -N private

# Since this is a bridge, not a router,
# you really don't need any of these:
# input rules
# forward rules
# output rules

###########################################
# Bridge chain - pass packets to the appropriate
# chain based on their input interface
###########################################
# bridgein rules
$IPCHAINS -A bridgein -s $MYNET -d $ANY -i $INT_IF -j private
$IPCHAINS -A bridgein -s $ANY -d $MYNET -i $EXT_IF -j public
# Deny anything not explicitly matched in one of the other chains
$IPCHAINS -A bridgein -p tcp -s $ANY -d $ANY -j DENY -l
$IPCHAINS -A bridgein -s $ANY -d $ANY -j DENY -l

###########################################
# "Public" rules - these control who/what gets to
# talk through the firewall from the Internet
# to your protected network
#
# THESE ARE EXAMPLES - MODIFY TO SUIT YOUR OWN
# SECURITY NEEDS
###########################################
# public rules

# ICMP - allow echo-request from the "public"
# servers back in to the internal net. Do we need this?
# In any case, block all echo-request packets from
# anyone else. Don't bother to log ping attempts.
# Allow some of the other useful ICMP messages.
$IPCHAINS -A public -p icmp -s $MYNET 8 -d $MYNET -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p icmp -s $ANY 8 -d $MYNET -i $EXT_IF -j DENY
# ICMP - allow echo-reply from anyone, so we can ping out.
$IPCHAINS -A public -p icmp -s $MYNET 0 -d $MYNET -i $EXT_IF -j ACCEPT
# ICMP - allow destination-unreachable
$IPCHAINS -A public -p icmp -s $ANY 3 -d $MYNET -i $EXT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A public -p icmp -s $ANY 4 -d $MYNET -i $EXT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A public -p icmp -s $ANY 11 -d $MYNET -i $EXT_IF -j ACCEPT
# ICMP - allow parameter-problem
$IPCHAINS -A public -p icmp -s $ANY 12 -d $MYNET -i $EXT_IF -j ACCEPT

###################################################################
# Services
###################################################################
# SSH - assumes you have a machine on the outside of the firewall
# to which users can login via ssh, then, once authenticated,
# connect to any of the protected hosts
$IPCHAINS -A public -p tcp -s $SSH_SERVER -d $MYNET ssh -i $EXT_IF -j ACCEPT
# Allow replies from any ssh server anywhere back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $ANY ssh -d $MYNET -i $EXT_IF -j ACCEPT ! -y
###################################################################
# Telnet - allow replies from telnet servers back in - only if SYN not set
$IPCHAINS -A public -p tcp -s $ANY telnet -d $MYNET -i $EXT_IF -j ACCEPT ! -y
###################################################################
# WWW - allow replies from standard http/https servers - only if SYN not set
$IPCHAINS -A public -p tcp -s $ANY www -d $MYNET -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $ANY https -d $MYNET -i $EXT_IF -j ACCEPT ! -y
###################################################################
# FTP - allow replies from external FTP servers - only if SYN not set
$IPCHAINS -A public -p tcp -s $ANY ftp -d $MYNET -i $EXT_IF -j ACCEPT ! -y
$IPCHAINS -A public -p tcp -s $ANY ftp-data -d $MYNET -i $EXT_IF -j ACCEPT ! -y
###################################################################
# SMTP - only allow incoming email from the "public" server to the internal hub
$IPCHAINS -A public -p tcp -s $SMTP_SERVER -d $INTERNAL_SMTP smtp -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $SMTP_SERVER smtp -d $INTERNAL_SMTP -i $EXT_IF -j ACCEPT ! -y
###################################################################
# Whois - allow replies from any whois server
$IPCHAINS -A public -p tcp -s $ANY whois -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT ! -y
###################################################################
# Finger - allow replies from any finger server
$IPCHAINS -A public -p tcp -s $ANY finger -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT ! -y
###################################################################
# Auth - allow ident replies
$IPCHAINS -A public -p tcp -s $ANY auth -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT ! -y
###################################################################
# News - allow replies from the NNTP server
$IPCHAINS -A public -p tcp -s $NNTP_SERVER nntp -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT ! -y
###################################################################
# NTP - let your internal NTP server synchronize with a clock somewhere.
# For better security, specify the external NTP servers.
$IPCHAINS -A public -p udp -s $ANY ntp -d $INTERNAL_NTP ntp -i $EXT_IF -j ACCEPT
###################################################################
# DNS - allow DNS replies back in
$IPCHAINS -A public -p udp -s $ANY domain -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $ANY domain -d $MYNET 1024:65535 -i $EXT_IF -j ACCEPT ! -y
###################################################################
# NFS - allow NFS traffic between internal hosts and the "public" servers.
# Do we need this?
$IPCHAINS -A public -p tcp -s $MYNET 2049 -d $MYNET -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p tcp -s $MYNET -d $MYNET 2049 -i $EXT_IF -j ACCEPT
###################################################################
# RPC - let the "public" servers contact the portmapper on internal hosts.
# Do we need this?
$IPCHAINS -A public -p udp -s $MYNET 0:1023 -d $MYNET sunrpc -i $EXT_IF -j ACCEPT
###################################################################
# UDP - allow general UDP traffic between "public" and "protected" hosts.
# Do we need this?
$IPCHAINS -A public -p udp -s $MYNET 0:1023 -d $MYNET -i $EXT_IF -j ACCEPT
$IPCHAINS -A public -p udp -s $MYNET 1024:65535 -d $MYNET -i $EXT_IF -j ACCEPT
###################################################################
# Established connections from unprivileged ports
$IPCHAINS -A public -p tcp -s $ANY 1024:65535 -d $MYNET -i $EXT_IF -j ACCEPT ! -y
# Deny (and log!) everything not explicitly allowed
$IPCHAINS -A public -s $ANY -d $ANY -i $EXT_IF -j DENY -l

###############################################################
# "Private" rules - these control which internal hosts can talk
# through the firewall, and to whom
#
# In most cases, these should be fairly liberal.
###############################################################
# private rules
###############################################################
# ICMP - allow echo replies back out to the "public" servers,
# as well as allowing some of the more useful messages back
# out to anyone.
$IPCHAINS -A private -p icmp -s $MYNET 0 -d $MYNET -i $INT_IF -j ACCEPT
# ICMP - allow echo-request
$IPCHAINS -A private -p icmp -s $MYNET 8 -d $ANY -i $INT_IF -j ACCEPT
# ICMP - allow destination-unreachable
$IPCHAINS -A private -p icmp -s $MYNET 3 -d $ANY -i $INT_IF -j ACCEPT
# ICMP - allow source-quench
$IPCHAINS -A private -p icmp -s $MYNET 4 -d $ANY -i $INT_IF -j ACCEPT
# ICMP - allow time-exceeded
$IPCHAINS -A private -p icmp -s $MYNET 11 -d $ANY -i $INT_IF -j ACCEPT
# ICMP - allow parameter-problem
$IPCHAINS -A private -p icmp -s $MYNET 12 -d $ANY -i $INT_IF -j ACCEPT

###############################################################
# Services
###############################################################
# SMTP - restrict SMTP to only between the "public" server and
# the internal mailhub. Log any unauthorized attempts.
$IPCHAINS -A private -p tcp -s $INTERNAL_SMTP -d $SMTP_SERVER smtp -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $MYNET -d $ANY smtp -i $INT_IF -j DENY -l
###################################################
# Pretty much allow anything else.
$IPCHAINS -A private -p tcp -s $MYNET 0:1023 -d $ANY -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p tcp -s $MYNET 1024:65535 -d $ANY -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $MYNET 0:1023 -d $ANY -i $INT_IF -j ACCEPT
$IPCHAINS -A private -p udp -s $MYNET 1024:65535 -d $ANY -i $INT_IF -j ACCEPT

If you want to learn more about defining ipchains rules, refer to the IPCHAINS-HOWTO: http://www.redhat.com/mirrors/ldp/howto/ipchains-howto.html.
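Before loading a rule set like the one above onto a production bridge, it helps to check on paper what it permits. The following evaluator is an added example, not code from the original article or the Joint Astronomy Centre: it models ipchains first-match semantics, including the fall-through from a user chain back into bridgein when nothing in the user chain matches, over a subset of the listing's rules. The addresses are constructed TEST-NET-1 values standing in for the site's own, and all names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (TEST-NET-1); the real script is edited with the site's own.
ANY = ipaddress.ip_network("0.0.0.0/0")
MYNET = ipaddress.ip_network("192.0.2.0/24")
SSH_SERVER = ipaddress.ip_network("192.0.2.10/32")
SMTP_SERVER = ipaddress.ip_network("192.0.2.25/32")
INTERNAL_SMTP = ipaddress.ip_network("192.0.2.100/32")
EXT_IF, INT_IF = "eth2", "eth1"
ALL = (0, 65535)  # any port (or, for icmp, any type)

@dataclass
class Rule:
    target: str                # ACCEPT, DENY, or the name of a chain to jump to (-j)
    proto: str = None          # -p tcp|udp|icmp, None = any protocol
    src: object = ANY          # -s network
    sport: tuple = ALL         # source port range (ICMP type for icmp)
    dst: object = ANY          # -d network
    dport: tuple = ALL         # destination port range
    iface: str = None          # -i interface the packet arrived on
    syn: bool = None           # True = -y, False = ! -y, None = either

def matches(r, p):
    return ((r.proto is None or r.proto == p["proto"])
            and ipaddress.ip_address(p["src"]) in r.src
            and ipaddress.ip_address(p["dst"]) in r.dst
            and r.sport[0] <= p["sport"] <= r.sport[1]
            and r.dport[0] <= p["dport"] <= r.dport[1]
            and (r.iface is None or r.iface == p["iface"])
            and (r.syn is None or r.syn == p["syn"]))

def evaluate(chains, chain, p):
    # First match wins. A user chain with no match returns None and evaluation
    # continues after the jump in the calling chain, as ipchains does.
    for r in chains[chain]:
        if not matches(r, p):
            continue
        if r.target in chains:
            v = evaluate(chains, r.target, p)
            if v is not None:
                return v
        else:
            return r.target
    return None

CHAINS = {  # a subset of the listing's rules, in the listing's order
    "bridgein": [
        Rule("private", src=MYNET, iface=INT_IF),
        Rule("public", dst=MYNET, iface=EXT_IF),
        Rule("DENY"),
    ],
    "public": [
        Rule("ACCEPT", "tcp", SSH_SERVER, dst=MYNET, dport=(22, 22), iface=EXT_IF),
        Rule("ACCEPT", "tcp", ANY, (22, 22), MYNET, iface=EXT_IF, syn=False),
        Rule("ACCEPT", "tcp", ANY, (80, 80), MYNET, iface=EXT_IF, syn=False),
        Rule("ACCEPT", "tcp", SMTP_SERVER, dst=INTERNAL_SMTP, dport=(25, 25), iface=EXT_IF),
        Rule("ACCEPT", "tcp", ANY, (1024, 65535), MYNET, iface=EXT_IF, syn=False),
        Rule("DENY", iface=EXT_IF),
    ],
    "private": [
        Rule("ACCEPT", "tcp", INTERNAL_SMTP, dst=SMTP_SERVER, dport=(25, 25), iface=INT_IF),
        Rule("DENY", "tcp", MYNET, dport=(25, 25), iface=INT_IF),
        Rule("ACCEPT", "tcp", MYNET, iface=INT_IF),
        Rule("ACCEPT", "udp", MYNET, iface=INT_IF),
    ],
}

def verdict(proto, src, sport, dst, dport, iface, syn=False):
    # Run one packet through bridgein; its default policy is ACCEPT.
    p = dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, iface=iface, syn=syn)
    return evaluate(CHAINS, "bridgein", p) or "ACCEPT"
```

A protocol the private chain never mentions (GRE, say) shows the fall-through: the packet returns to bridgein and hits the final DENY there, which is why that closing rule matters.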
Other tools

A useful addition to the firewall system is the Snort intrusion detection system (IDS). Snort detects common network intrusions by matching traffic against a set of packet filtering rules. As new attacks appear, Snort's rule library is continually updated. Snort can be configured to write alerts to a log file or to notify the administrator by e-mail. It can even be configured to add blocking rules automatically when it detects an intrusion, to stop it going any further, although this feature is not perfect. Snort and a number of related scripts are available from http://www.snort.org/.

GFCC is a very good tool for viewing and modifying firewall rules graphically. It can be downloaded from icarus.autostock.co.kr.

Startup configuration

The bridge and the firewall should start immediately after the system's networking. The following script is used to load the firewall rules, set up and start the bridge, and finally start Snort. It assumes the firewall script above is installed as /etc/firewall. The script itself should be installed as /etc/rc.d/init.d/bridge; after installing it, run chkconfig bridge on to create the appropriate run-level links.

Listing 3. Script for starting the firewall

#!/bin/bash
#
# bridge        This shell script takes care of installing bridge for DSL
#
# description: Uses brcfg to start bridging and ifconfigs eths
# processname: bridge
# config:

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# See how we were called.
case "$1" in
  start)
        echo -n "Configuring firewall rules: "
        /etc/firewall
        echo
        echo -n "Configuring bridge: "
        ifconfig eth1 promisc up
        ifconfig eth2 promisc up
        brcfg start
        brcfg device eth1 enable
        brcfg device eth2 enable
        echo
        echo "Starting snort: "
        # -c rules file, -s alerts to syslog, -i listen on the external
        # interface, -d dump application-layer data
        /usr/local/bin/snort -c /usr/local/etc/snort/snort-lib -s -i eth2 -d
        echo
        ;;
  stop)
        # Stop daemons.
        brcfg stop
        ifconfig eth1 -promisc down
        ifconfig eth2 -promisc down
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        brcfg
        ;;
  *)
        echo "Usage: bridge {start|stop|restart|status}"
        exit 1
esac
exit 0

Note that the stop action tears down the bridge but leaves snort running; stop it separately if you restart the service.

Applications

A packet-filtering bridge is useful in many situations. It is a fast and easy way to add a firewall to an existing network without changing network addresses or using NAT. It can also be used to create protected or restricted subnets within a LAN. And because the bridge interfaces have no IP addresses and run no IP stack, many common intrusion and denial-of-service attacks pose no threat to the bridge itself.