Gentoo Forums
transparent bridge firewall
revresxunil
Tux's lil' helper


Joined: 29 Sep 2002
Posts: 129
Location: UW Madison

PostPosted: Mon Aug 25, 2003 9:28 pm    Post subject: transparent bridge firewall

If you want a firewall that can be placed -anywhere- on any network, follow this guide.

Here's YOUR situation.

A box is set up with a bridge br0. The network has one full subnet (or more, doesn't matter) of public IPs. The bridge has in (eth0) from the internet and out (eth1) to the network, which will all have public IPs.

One thing to remember: you will have to have a DHCP server running inside this network; otherwise, assume everyone is statically assigned.

The script below will:

Deny all incoming requests from the internet to the network. Allow all outgoing from the network to the internet.


Then some rules that:

    1) allow ssh connections on x.x.x.y
    2) x.x.x.z is running DNS and needs to be accessed.
    3) The bridge server itself will deny all except for ssh.




1) Prerequisites
I am only going to say what you need... so make sure you have them before trying to continue.

First make sure you have your system set up to be able to bridge. A howto on that is at https://forums.gentoo.org/viewtopic.php?t=39102

You will need iptables, iproute, and the ebtables diff (for the kernel): http://ebtables.sourceforge.net . Make sure that all netfilter and ebtables options are selected in kernel config->network settings.

2) SET UP BRIDGE

First, edit /etc/conf.d/net:

Code:

iface_eth0="0.0.0.0"
iface_eth1="0.0.0.0"


Everything else in net should be commented out.

Now, make sure net.eth0 and net.eth1 are added to the default runlevel.

Code:

rc-update add net.eth0 default
rc-update add net.eth1 default


Next, let's make a cool bridge script that we will place in /etc/init.d:

bridge:
Code:

#!/sbin/runscript

depend() {
        use logger dns
        need net
}

start() {
        ebegin "starting bridge br0"
        # create the bridge and attach both ports: eth0 faces the internet, eth1 the network
        /sbin/brctl addbr br0
        /sbin/brctl addif br0 eth0
        /sbin/brctl addif br0 eth1
        # management address of the firewall box itself (the one ssh is allowed to)
        ifconfig br0 x.x.x.x netmask 255.255.255.0
        # a default route takes no netmask; only the provider's gateway is needed
        route add default gw x.x.x.1
        eend $?
}

stop() {
        ebegin "bringing down br0"
        ifconfig br0 down
        /sbin/brctl delbr br0
        eend $?
}


Change x.x.x.x (bridge firewall access IP) and x.x.x.1 (provider's gateway) to the correct IPs... you might need to change the netmask as well. Save the file and

Code:

rc-update add bridge default


Either reboot, or run the 3 scripts from /etc/init.d to get the bridge going. Give it 10-30 seconds for the bridge to settle.

3) Set up an iptables script.

I called my script iptables.sh:

Code:

#!/bin/bash
# Needs the bridge-nf code in the kernel (the ebtables diff) so that frames
# crossing br0 pass through the iptables FORWARD chain.
# eth0 = internet side of the bridge, eth1 = network side.

# Clear old tables
iptables -F
iptables -X

# Connection tracking
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# What to allow on the gentoo server.
## Right now, we are ONLY allowing SSH through.
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT

# allow all outbound traffic
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

######################################
## HERE'S WHERE YOU WILL EDIT THINGS ##
######################################

# SERVICES ALLOWED
## -A append  -p protocol  -d destination  --dport destination port  -j ACCEPT/REJECT
## uncomment and edit: each line opens one port on one inside host
#iptables -A FORWARD -p tcp -d x.x.x.y --dport 22 -j ACCEPT
#iptables -A FORWARD -p tcp -d x.x.x.z --dport 53 -j ACCEPT
#iptables -A FORWARD -p udp -d x.x.x.z --dport 53 -j ACCEPT

####################################
##  THAT'S ALL YOU NEED TO EDIT   ##
####################################

# Allow pinging
iptables -A FORWARD -p icmp -i eth0 -o eth1 -j ACCEPT

# Reject everything else
## gentoo server specific
iptables -A INPUT -i eth0 -j REJECT
## Bridge specific
iptables -A FORWARD -i eth0 -j REJECT

# save the rule set and restart the Gentoo iptables service so it is reloaded at boot
/etc/init.d/iptables save
/etc/init.d/iptables restart


chmod 755 iptables.sh, and run. Enjoy.

Thanks go to blindsight from www.linuxquestions.org for the iptables help and carambola5 here at the gentoo community for the bridge howto.


Last edited by revresxunil on Mon Nov 17, 2003 3:08 pm; edited 8 times in total
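As an added example (not the poster's iptables.sh), here is the "SERVICES ALLOWED" section turned into a small generator: the allow-list is checked before any rule is produced, so an unedited x.x.x.y placeholder or a bad port is caught instead of silently becoming a broken rule. It assumes eth0/eth1 as in the post; the sample hosts are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's iptables.sh: build the
# "SERVICES ALLOWED" section from a small allow-list instead of hand-editing
# it, and refuse entries that are still placeholders or out of range.
# Assumptions: eth0 is the internet port and eth1 the network port of br0,
# as in the post above; the allow-list below is constructed sample data.
# Rules are printed rather than applied, so they can be reviewed before
# running them as root (e.g. sh gen-rules.sh | sh).

# one entry per line: "inside-host-ip proto port"
SERVICES='
203.0.113.10 tcp 22
203.0.113.11 tcp 53
203.0.113.11 udp 53
x.x.x.y tcp 22
'

# valid_ip: four decimal octets, each 0-255 (rejects an unedited x.x.x.y)
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# valid_port: an integer in 1-65535
valid_port() {
    echo "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules: one FORWARD ACCEPT per good entry, restricted to the
# internet->network direction; bad entries are reported on stderr and skipped
gen_rules() {
    echo "$SERVICES" | while read -r ip proto port; do
        [ -z "$ip" ] && continue
        if ! valid_ip "$ip" || ! valid_port "$port"; then
            echo "skipping bad entry: $ip $proto $port" >&2
            continue
        fi
        case "$proto" in
            tcp|udp) echo "iptables -A FORWARD -i eth0 -o eth1 -p $proto" \
                          "-d $ip --dport $port -j ACCEPT" ;;
            *) echo "skipping unknown protocol: $proto" >&2 ;;
        esac
    done
}

gen_rules
```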
puddpunk
l33t


Joined: 20 Jul 2002
Posts: 681
Location: New Zealand

PostPosted: Mon Aug 25, 2003 10:08 pm

What are the advantages of running a bridging server as opposed to a NAT server?

I have an internal network of 90.0.0.x (i.e. non-routable internet traffic). Can I use bridging? Is it faster?

Thanks,
Chris.
revresxunil
Tux's lil' helper


Joined: 29 Sep 2002
Posts: 129
Location: UW Madison

PostPosted: Tue Aug 26, 2003 2:02 pm

Updated with scenario.
soulwarrior
Guru


Joined: 21 Oct 2002
Posts: 331

PostPosted: Wed Oct 29, 2003 3:37 pm

Does there by chance exist a livecd from gentoo or maybe a modified Knoppix distribution to setup a bridged firewall?
ozonator
Guru


Joined: 11 Jun 2003
Posts: 591
Location: Ontario, Canada

PostPosted: Wed Oct 29, 2003 4:35 pm

puddpunk wrote:
What are the advantages of running a bridging server as opposed to a NAT server?

I have an internal network of 90.0.0.x (i.e. non-routable internet traffic). Can I use bridging? Is it faster?


One advantage of a transparent bridging firewall is that it doesn't have any IP addresses of its own. This makes the firewall machine more secure -- such a 'stealth' machine can't be logged into remotely, portscanned, run any potentially vulnerable services, etc.

A transparent bridging firewall can also be useful for dropping into an existing network without having to change the existing addresses of any internal machine, run an additional DHCP server, etc. Such a firewall would be useful for securing the network and/or for network monitoring, while remaining invisible to machines inside or out.

One note about your internal network: 90.0.0.0/24 is not in a range of non-routable addresses, as far as I know. RFC 1918 specifies 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for that.

Final note: if you're curious, this sort of thing has been possible and has worked nicely with a stock, 'right out of the box' OpenBSD installation for a while; there are articles that give an overview, e.g., http://ezine.daemonnews.org/200207/transpfobsd.html and http://cfm.gs.washington.edu/security/firewall/pf-bridge/. It's nice to see this functionality now possible in Linux.
Koon
Retired Dev


Joined: 10 Dec 2002
Posts: 518

PostPosted: Wed Oct 29, 2003 4:59 pm

puddpunk wrote:
What are the advantages of running a bridging server as opposed to a NAT server?

You can also look at : http://www.securityfocus.com/infocus/1737
Good introduction on the whys and hows.

Summary:
Bridge firewalls are easier to add to an existing network to filter packets or do QoS.

-K
Koon
Retired Dev


Joined: 10 Dec 2002
Posts: 518

PostPosted: Wed Oct 29, 2003 5:09 pm

ozonator wrote:
One note about your internal network: 90.0.0.0/24 is not in a range of non-routable addresses, as far as I know. RFC 1918 specifies 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for that.

In fact 88.0.0.0/5 is IANA-reserved, so it's non-routable. If I am not mistaken 90.0.0.0/24 is included in it.

RFC1918 lists the unroutable networks you should use, not all non-routable addresses.

-K
ozonator
Guru


Joined: 11 Jun 2003
Posts: 591
Location: Ontario, Canada

PostPosted: Wed Oct 29, 2003 5:30 pm

Koon wrote:
ozonator wrote:
One note about your internal network: 90.0.0.0/24 is not in a range of non-routable addresses, as far as I know. RFC 1918 specifies 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for that.

In fact 88.0.0.0/5 is IANA-reserved, so it's non-routable. If I am not mistaken 90.0.0.0/24 is included in it.

RFC1918 lists the unroutable networks you should use, not all non-routable addresses.

-K


Right -- good correction. Clearly there are other reserved address ranges, though those three ranges are the ones specifically designated for private use.

Makes me wonder -- if a network is hidden completely behind a router that does NAT, how much does it matter what address range is used internally? Yes, we ought to use something from the specified ranges, but is there a particular reason, technical or otherwise, why we must? Is it because the router doing NAT might get confused (for want of a better word) if it encountered packets in the same address range both internally and externally? Or is there some other reason beyond being a well-behaved participant in the public internet?
Koon
Retired Dev


Joined: 10 Dec 2002
Posts: 518

PostPosted: Thu Oct 30, 2003 8:37 am

ozonator wrote:
Makes me wonder -- if a network is hidden completely behind a router that does NAT, how much does it matter what address range is used internally? Yes, we ought to use something from the specified ranges, but is there a particular reason, technical or otherwise, why we must? Is it because the router doing NAT might get confused (for want of a better word) if it encountered packets in the same address range both internally and externally? Or is there some other reason beyond being a well-behaved participant in the public internet?

Suppose you use a 195.66.0.0/16 network internally, SNAT-ed as 82.40.10.10 on the Internet. When you try to access www.gentoo.org, it's resolved as 195.66.242.4 and it's searched on the local network (and not found), rather than being routed through your gateway towards the Internet.
You can't access any of the Internet addresses from the network you chose anymore. That's why RFC1918 specifies a typical range of addresses you should use. That's for your own good, not to be kind to others ;)

-K
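An added example (not from the thread) of the route-selection problem Koon describes, and of the RFC 1918 check from the earlier exchange: the kernel picks the most specific matching route, so a LAN numbered 195.66.0.0/16 captures 195.66.242.4 while an RFC 1918 LAN lets it go out the default route. The two-entry routing table is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: why an internal 195.66.0.0/16 makes
# 195.66.242.4 (the address Koon gives for www.gentoo.org) unreachable.
# The kernel picks the most specific matching route; here the table is just
# the LAN prefix on eth1 and a default route on eth0, a constructed setup.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
}

# in_subnet IP CIDR: succeeds when IP lies inside CIDR (e.g. 195.66.0.0/16)
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    a=$(ip2int "$1"); n=$(ip2int "$net")
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# rfc1918 IP: succeeds for the three ranges RFC 1918 sets aside for private use
rfc1918() {
    in_subnet "$1" 10.0.0.0/8 || in_subnet "$1" 172.16.0.0/12 || in_subnet "$1" 192.168.0.0/16
}

# route_for LAN_CIDR DEST: interface chosen by longest-prefix match between the
# LAN route (eth1, no gateway) and the default route (eth0, via the gateway)
route_for() {
    if in_subnet "$2" "$1"; then echo eth1; else echo eth0; fi
}

# LAN numbered from public space: the web server is "local" and never leaves
route_for 195.66.0.0/16 195.66.242.4
# LAN from RFC 1918 space: the same destination goes out the default route
route_for 10.0.0.0/16 195.66.242.4
```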
ozonator
Guru


Joined: 11 Jun 2003
Posts: 591
Location: Ontario, Canada

PostPosted: Thu Oct 30, 2003 1:05 pm

Koon wrote:
Suppose you use a 195.66.0.0/16 network internally, SNAT-ed as 82.40.10.10 on the Internet. When you try to access www.gentoo.org, it's resolved as 195.66.242.4 and it's searched on the local network (and not found), rather than being routed through your gateway towards the Internet.
You can't access any of the Internet addresses from the network you chose anymore. That's why RFC1918 specifies a typical range of addresses you should use. That's for your own good, not to be kind to others ;)

-K


Makes sense; that's much clearer than saying the router would get 'confused'! It's not that I was tempted to use anything other than RFC1918 addresses on internal networks, but it's good to have an explanation of why that's good. Many thanks!
kmasaryk
n00b


Joined: 23 Mar 2004
Posts: 7
Location: Tempe, Arizona

PostPosted: Wed Mar 31, 2004 5:31 am    Post subject: bridge-nf kernel patch & 2.6

The bridge-nf kernel patch for kernel 2.4, which is required for a bridging firewall if you want iptables to see any of the traffic, is included in 2.6 as a config option when you build the kernel - it's part of "ebtables." I've been using it for a while now on the 2.6.3-gentoo-r1 kernel and it's working great.

You still need to emerge iptables and bridge-utils. You'll also need to emerge iproute if you plan on building your firewall policies with Firewall Builder.

Do a search for 'bridging' on the forum and you'll find some good init scripts to bring up the bridge. Here's the one I'm using:

Code:

#!/sbin/runscript
# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
#
#  start/stop/status/restart bridge. Note that each net iface which is
#  part of the bridge must be stopped prior to stopping or restarting
#  the bridge.
#
#########################################################################
 
depend() {
   before net.eth0 net.eth1 net.br0
}
 
start() {
   ebegin "Building bridge"
   brctl addbr br0
   brctl addif br0 eth0
   brctl addif br0 eth1
   eend $?
}
 
stop() {
   ebegin "Burning bridge down"
   brctl delif br0 eth0
   brctl delif br0 eth1
   brctl delbr br0
   eend $?
}
 
status() {
   ifconfig br0
   brctl show
}
revresxunil
Tux's lil' helper


Joined: 29 Sep 2002
Posts: 129
Location: UW Madison

PostPosted: Wed Mar 31, 2004 2:13 pm

Thanks for the heads up.
bernieb
Tux's lil' helper


Joined: 21 Apr 2003
Posts: 119

PostPosted: Wed Nov 10, 2004 5:29 pm

I'm having some trouble with setting up a bridged firewall. I currently have a NAT firewall set up, but I am hoping to move the network to routable IP addresses that I have at my disposal, which is why I am hoping to change to the bridge firewall, so I don't need to worry about routing rules, etc.

Here's my firewall rules set from the NAT firewall:
Code:

#!/bin/sh
# Assumed definitions, not shown in the original post: the iptables binary and
# the external (internet) and internal interface names.
IPTABLES=/sbin/iptables
EXTIF=eth0
INTIF=eth1

# default policies: drop inbound and forwarded traffic unless allowed, then flush
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -i $EXTIF -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#services to the outside world
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT

#allow all for inside and loopback
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# only replies to inside connections come back in; anything from inside may go out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#for NAT, I expect to remove this line and keep most of the current firewall for routable ip's
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


The problem I have is that when I first set up the bridge, I can see the outside world fine without any of the firewall or routing enabled; however, once I put up the firewall, all communication to the outside is lost. This never happened without the bridge before, and I am wondering if I forgot a patch or something.

I am using gentoo sources, 2.6.9. I have 802.1d bridging enabled as a module and loaded. I also have ebtables and all its members configured as a module. I loaded ebtables and ebtable_filter modules.
Do I still need the ebtables-brnf patch if ebtables is already in the kernel tree?
Thanks in advance.
lord_ph
Tux's lil' helper


Joined: 18 Nov 2003
Posts: 97
Location: Portland,OR

PostPosted: Thu Dec 23, 2004 10:07 pm

WOW, this works great!!

Thanks for everything!
All times are GMT