Implement a bridge Firewall

What are the differences between traditional firewalls and websocket firewalls? Usually a firewall works like a router: the internal system is set to regard the firewall as a gateway to the external network, in addition, the external router is set to regard the firewall as a gateway connecting to the internally protected network. A bridge is a device that connects one or more network segments and forwards data between different network segments. Other devices in the network do not feel the existence of a bridge.

In other words, a vro connects two networks and transmits data between them. A bridge is more like a network cable that connects two parts of a network. A bridge firewall works like a bridge without being discovered by devices at both ends, but it also has the function of filtering data packets through it.

Why does it need to implement a bridge-based firewall? Generally there are the following:Cause:

* You can add a firewall in the network without modifying the parameters of any devices in the network.
* You may want to protect a part of the network but have no right to control the parameter information of the external route.

Problems I encountered

In my office, an ADSL instance is connected to the Demon Internet, and a subnet with 16 IP addresses is available. Due to the special reason of British ISP, the lines and routers are installed and owned by Bt, so we have the right to configure external routers to specify who is the gateway of the internal network, in this way, I only have two options:

* Connect each host directly to the ADSL Router, and use iptables To Set firewall rules for each host independently.
* Another option is to use the NAT firewall to drive internal network access to the Internet.

The first method is unacceptable because it will greatly increase errors and system management overhead. The second method also has advantages and disadvantages. Although most applications can be supported by NAT, there are also exceptions, such as video streams and VPN. A bridge firewall can solve these problems. The firewall can be deployed between the ADSL Router and the internal network to protect the network, but the configuration does not need to be modified at the same time. The last obstacle is that iptables is completely bypassed in the standard Linux kernel. Therefore, you can use a bridge or iptables firewall, but you cannot use this function at the same time.

Solution

Fortunately, there is a project dedicated to implementing a bridge that supports iptables, so any data packets that pass through the bridge can be submitted to iptables rules for filtering. The result is that the firewall can be completely transparent to the network and does not require special routing functions. As far as the Internet is concerned, firewalls do not exist, except that specific connections are blocked. The bridge software is a kernel patch that supports the existing bridge code to work together with iptables. The developer has created an RPM kernel that supports the bridge firewall. But it is inconvenient because there are too few documents, so this article is to help those who want to implement a bridge-based firewall.

Bridging and routing-how does one work?

To put it simply, Linux bridge implementation is generally implemented on devices with one or more network interfaces. By detecting the activity of multiple network segments, the Bridge Code learns which MAC address can be reached from which interface, and uses this information to determine whether to relay a data packet to another network segment. No IP address is assigned to the bridge interface, but the whole bridge is configured as a single interface of the firewall.

In the case of bridging, the destination address is the data of the bridge device that needs to pass through the INPUT rule chain in the filter table and the PREROUTING rule chain in the mangle table; data sent from the bridge device must go through the OUTPUT rule chain of the filter table and the PREROUTING rule chain of the mangle table; the data of the stream bridge device must go through the PREROUTING rule chain in the mangle table, the FORWARD rule chain in the filter table, and the POSTROUTING rule chain in the mangle table.

Network Topology

The static IP address range I allocated is xxx. xxx. xxx.48-63, that is, the subnet mask is 255.255.255.240. I decided to divide the entire IP address into two CIDR blocks: xx. xxx. xxx.48-56 is used outside the firewall, which includes the IP address of the ADSL Router itself (xxx. xxx. xxx.49); xxx. xxx. xxx.57-62 is used after the firewall. Note that this is not a real subnet division, because they are connected by a bridge rather than a router.

Firewall Rules

The firewall rules are defined as follows:

#! /Bin/sh
#
# Rc. firewall-Initial simple ip Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (C) 2001,200 2 Sparkle Computer Co ltd.
# Based on rc. firewall by Oskar Andreasson
# Parts (c) of BoingWorld.com, use at your own risk,
# Do whatever you please
# It as long as you don't distribute this without due credits
# BoingWorld.com and Sparkle Computer Co Ltd
#

###########
# Configuration options, these will speed you up getting this script
# Work with your own setup.

#
# Your LAN's IP range and localhost IP./24 means to only use the first 24
# Bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall accross the network
# For maxium security don't set one up-but then you must do
# Everything directly on the firewall.

BR_IP = "xxx. xxx. xxx.57"
BR_IFACE = br0

LAN_BCAST_ADDRESS = "xxx. xxx. xxx.63"
INTERNAL_ADDRESS_RANGE = "xxx. xxx. xxx.56/29"

INET_IFACE = "eth1"
LAN_IFACE = "eth0"

LO_IFACE = "lo"
LO_IP = "127.0.0.1"

IPTABLES = "/sbin/iptables"

#########
# Load all required IPTables modules
#

#
# Needed to initially load modules
#
/Sbin/depmod-

#
# Adds some iptables targets like LOG, REJECT
#
/Sbin/modprobe ipt_LOG
/Sbin/modprobe ipt_REJECT

#
# Support for connection tracking of FTP and IRC.
#
/Sbin/modprobe ip_conntrack_ftp
/Sbin/modprobe ip_conntrack_irc

#
# Take down the interfaces before setting up the bridge
#

Ifdown $ INET_IFACE
Ifdown $ LAN_IFACE
Ifconfig $ INET_IFACE 0.0.0.0
Ifconfig $ LAN_IFACE 0.0.0.0

# Clean up for a restart

$ IPTABLES-F
$ IPTABLES-X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#

$ IPTABLES-P INPUT DROP
$ IPTABLES-P OUTPUT ACCEPT
$ IPTABLES-P FORWARD DROP

# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table

$ IPTABLES-t mangle-P PREROUTING DROP

# Now we are pretty secure, let's start the bridge
# This will create a new interface

Brctl addbr $ BR_IFACE

# And add the interfaces to it
Brctl addif $ BR_IFACE $ INET_IFACE
Brctl addif $ BR_IFACE $ LAN_IFACE

# Make us visible to the network again (optional)
If ["$ BR_IP "! = ""]; Then
Ifconfig $ BR_IFACE $ BR_IP
Else
# Otherwise we must at least bring the interface up for the bridge to work.
Ifconfig $ BR_IFACE up
Fi

# Block obvious spoofs

$ IPTABLES-t mangle-a prerouting-s 192.168.0.0/16-j DROP
$ IPTABLES-t mangle-a prerouting-s 10.0.0.0/8-j DROP
$ IPTABLES-t mangle-a prerouting-s 172.16.0.0/12-j DROP

# Accept internal packets on the internal I/f
$ IPTABLES-t mangle-a prerouting-I $ LAN_IFACE-s $ INTERNAL_ADDRESS_RANGE-j ACCEPT

# Accept external packets on the external I/f

$ IPTABLES-t mangle-a prerouting-I $ INET_IFACE! -S $ INTERNAL_ADDRESS_RANGE-j ACCEPT

#
# Accept the packets we actually want to forward
#

$ IPTABLES-a forward-p ALL-s $ INTERNAL_ADDRESS_RANGE-j ACCEPT
$ IPTABLES-a forward-m state -- state ESTABLISHED, RELATED-j ACCEPT
$ IPTABLES-a forward-m limit -- limit 3/minute -- limit-burst 3-j LOG -- log-level 7 -- log-prefix "ert forward packet died :"

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$ IPTABLES-N icmp_packets
#
# ICMP rules
#

$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 0-j ACCEPT # echo reply
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 3-j ACCEPT # dest unreachable
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 5-j ACCEPT # redirect
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 11-j ACCEPT # time exceeded
$ IPTABLES-a forward-p ICMP-j icmp_packets

#
# UDP ports
#
$ IPTABLES-N udpincoming_packets

$ IPTABLES-A udpincoming_packets-p UDP-s 0/0 -- source-port 53-j ACCEPT # DNS
$ IPTABLES-A udpincoming_packets-p UDP-s 0/0 -- source-port 123-j ACCEPT # ntp
# $ IPTABLES-A udpincoming_packets-p UDP-s 0/0 -- source-port 2074-j ACCEPT # speakfreely
# $ IPTABLES-A udpincoming_packets-p UDP-s 0/0 -- source-port 4000-j ACCEPT # icq

$ IPTABLES-a forward-p UDP-j udpincoming_packets

#

$ IPTABLES-N tcp_packets

#
# The allowed chain for TCP connections
#

$ IPTABLES-N allowed
$ IPTABLES-A allowed-p TCP -- syn-j ACCEPT
$ IPTABLES-A allowed-p TCP-m state -- state ESTABLISHED, RELATED-j ACCEPT
$ IPTABLES-A allowed-p TCP-j DROP

# TCP rules
#

#
# Bad TCP packets we don't want
#

$ IPTABLES-A tcp_packets-p tcp! -- Syn-m state -- state NEW-j LOG -- log-prefix "New not syn :"
$ IPTABLES-A tcp_packets-p tcp! -- Syn-m state -- state NEW-j DROP

$ IPTABLES-A tcp_packets-p TCP-s 0/0-d springfield. sparkle-cc.co.uk -- dport 80-j allowed # smtp
$ IPTABLES-A tcp_packets-p TCP-s 0/0-d lisa. sparkle-cc.co.uk -- dport 6346-j allowed # gnutella
$ IPTABLES-A tcp_packets-p TCP-s 0/0-d springfield. sparkle-cc.co.uk -- dport 25-j allowed # smtp

$ IPTABLES-a forward-p TCP-j tcp_packets

#
# Input to the firewall itself. Leave these out if you don't want the firewall
# To be visible on the network at all.
# Note that the PREROUTING restrictions abve mean that only packets form inside
# The firewall can fulfill the source condition. So the firewall machine shocould not be
# Visible to the internet.
#

$ IPTABLES-a input-p ALL-I $ BR_IFACE-s $ INTERNAL_ADDRESS_RANGE-d $ LAN_BCAST_ADDRESS-j ACCEPT
$ IPTABLES-a input-p ALL-I $ BR_IFACE-s $ INTERNAL_ADDRESS_RANGE-d $ BR_IP-j ACCEPT

# But you * will * need this

$ IPTABLES-a input-p ALL-I $ LO_IFACE-d $ LO_IP-j ACCEPT

$ IPTABLES-a input-m limit -- limit 3/minute -- limit-burst 3-j LOG -- log-level 7 -- log-prefix "ept INPUT packet died :"

#
# OUTPUT chain
#

$ IPTABLES-a output-p tcp! -- Syn-m state -- state NEW-j LOG -- log-prefix "New not syn :"
$ IPTABLES-a output-p tcp! -- Syn-m state -- state NEW-j DROP

$ IPTABLES-a output-p ALL-s $ LO_IP-j ACCEPT
$ IPTABLES-a output-p ALL-s $ BR_IP-j ACCEPT
$ IPTABLES-a output-m limit -- limit 3/minute -- limit-burst 3-j LOG -- log-level 7 -- log-prefix "ept OUTPUT packet died :"

The sample firewall script is similar to the traditional firewall settings. It is excerpted from Oskar Andreasson's iptables tutorial

The basic firewall policy is:

1. block packets with impossible IP addresses.
2. Allow connections from all firewalls to external connections.
3. Allow reverse data from internal to external connections to the internal network.
4. allow external connections to specific ports of a specific host.

Variable definition

To ensure clarity and maintainability, it is a good idea to define some interface names and IP addresses as variables. The following data is used in the example:

BR_IP = "xxx. xxx. xxx.57"
BR_IFACE = br0

LAN_BCAST_ADDRESS = "xxx. xxx. xxx.63"
INTERNAL_ADDRESS_RANGE = "xxx. xxx. xxx.56/29"

INET_IFACE = "eth1"
LAN_IFACE = "eth0"

LO_IFACE = "lo"
LO_IP = "127.0.0.1"

"Xxx. xxx. xxx" indicates the first three fields of the network IP address. $ INTERNAL_ADDRESS_RANGE indicates the IP address range of the internal network.

Set a bridge device

To set up a bridge, we need to do the following. First, we need to disable the network interface and remove its IP settings:

Ifdown $ INET_IFACE
Ifdown $ LAN_IFACE
Ifconfig $ INET_IFACE 0.0.0.0
Ifconfig $ LAN_IFACE 0.0.0.0

If you only execute these commands through telnet or ssh sessions, you should go to the console of the host to perform operations. Next, create a bridge device and specify the Ethernet interface for it:

Brctl addbr $ BR_IFACE
Brctl addif $ BR_IFACE $ INET_IFACE
Brctl addif $ BR_IFACE $ LAN_IFACE

Now we can start the bridge device as an internal interface:

Ifconfig $ BR_IFACE $ BR_IP

Block disguise

We can block forged data packets in the mangel PREROUTING rule chain. Through blocking, we can capture inbound and forwarded packets at the same time. We use mangle PREROUTING instead of nat PREROUTING because only the first packet in the NAT table is checked.

The following content ensures that only data packets with internal address of the riverbank score are accepted by the Internal interface:

$ IPTABLES-t mangle-a prerouting-I $ LAN_IFACE-s $ INTERNAL_ADDRESS_RANGE-j ACCEPT

The following command prevents the bridge external interface from receiving packets with an internal address:

$ IPTABLES-t mangle-a prerouting-I $ INET_IFACE! -S $ INTERNAL_ADDRESS_RANGE-j ACCEPT

Access firewall from internal network

Maybe you want your firewall to be completely transparent to the network, or you may want to allow direct connection from the internal network to the bridge firewall for convenience, the following command only allows connections from the internal network to the firewall. Of course, according to your actual situation, the requirements for whether to allow access to the bridge firewall are different:

$ IPTABLES-a input-p ALL-I $ BR_IFACE-s $ INTERNAL_ADDRESS_RANGE-d $ LAN_BCAST_ADDRESS-j ACCEPT
$ IPTABLES-a input-p ALL-I $ BR_IFACE-s $ INTERNAL_ADDRESS_RANGE-d $ BR_IP-j ACCEPT

We have blocked packets with IP addresses that do not match the receiving interface.