Implement a bridge firewall

Article title: Implement a Bridge-based firewall. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Author: David Whitmarsh
Compile: ideal
　　
What are the differences between traditional firewalls and WebSocket firewalls? Usually a firewall works like a router: the internal system is set to regard the firewall as a gateway to the external network, in addition, the external router is set to regard the firewall as a gateway connecting to the internally protected network. A bridge is a device that connects one or more network segments and forwards data between different network segments. other devices in the network do not feel the existence of a bridge. In other words, a vro connects two networks and transmits data between them. a bridge is more like a network cable that connects two parts of a network. A bridge firewall works like a bridge without being discovered by devices at both ends, but it also has the function of filtering data packets through it.
　　
Why does it need to implement a Bridge-based firewall? There are generally the following reasons:
　　
* You can add a firewall in the network without modifying the parameters of any devices in the network.
* You may want to protect a part of the network but have no right to control the parameter information of the external route.
　　
Problems I encountered
　　
In my office, an ADSL instance is connected to the Demon Internet, and a subnet with 16 IP addresses is available. Due to the special reason of British ISP, the lines and routers are installed and owned by BT, so we have the right to configure external routers to specify who is the gateway of the internal network, in this way, I only have two options:
　　
* Connect each host directly to the ADSL router, and use iptables to set firewall rules for each host independently.
* Another option is to use the NAT firewall to drive internal network access to the Internet.
　　
The first method is unacceptable because it will greatly increase errors and system management overhead. The second method also has advantages and disadvantages. although most applications can be supported by NAT, there are also exceptions, such as video streams and VPN. A bridge firewall can solve these problems. The firewall can be deployed between the ADSL router and the internal network to protect the network, but the configuration does not need to be modified at the same time. The last obstacle is that iptables is completely bypassed in the standard Linux kernel. Therefore, you can use a bridge or iptables firewall, but you cannot use this function at the same time.
　　
Solution
　　
Fortunately, there is a project dedicated to implementing a bridge that supports iptables, so any data packets that pass through the bridge can be submitted to iptables rules for filtering. The result is that the firewall can be completely transparent to the network and does not require special routing functions. As far as the Internet is concerned, firewalls do not exist, except that specific connections are blocked. The bridge software is a kernel patch that supports the existing bridge code to work together with iptables. The developer has created an RPM kernel that supports the bridge firewall. But it is inconvenient because there are too few documents, so this article is to help those who want to implement a Bridge-based firewall.
　　
Bridging and routing-how does one work?
　　
To put it simply, Linux Bridge implementation is generally implemented on devices with one or more network interfaces. by detecting the activity of multiple network segments, the bridge code learns which MAC address can be reached from which interface, and uses this information to determine whether to relay a data packet to another network segment. No IP address is assigned to the bridge interface, but the whole bridge is configured as a single interface of the firewall.
　　　
As you can see, in the case of bridging, the destination address is the data of the bridge device that needs to pass through the INPUT rule chain in the filter table and the PREROUTING rule chain in the mangle table; data sent from the bridge device must go through the OUTPUT rule chain of the filter table and the PREROUTING rule chain of the mangle table; the data of the stream bridge device must go through the PREROUTING rule chain in the mangle table, the FORWARD rule chain in the filter table, and the POSTROUTING rule chain in the mangle table.
　　
Network topology
　　
The static IP address range I allocated is xxx. xxx. xxx.48-63, that is, the subnet mask is 255.255.255.240. I decided to divide the entire IP address into two CIDR blocks: xx. xxx. xxx.48-56 is used outside the firewall, which includes the IP address of the ADSL router itself (xxx. xxx. xxx.49); xxx. xxx. xxx.57-62 is used after the firewall. Note that this is not a real subnet division, because they are connected by a bridge rather than a router.
　　
Firewall rules
　　
The firewall rules are defined as follows:
　　
#! /Bin/sh
#
# Rc. firewall-Initial simple ip Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (C) 2001,200 2 Sparkle Computer Co ltd.
# Based on rc. firewall by Oskar Andreasson
# Parts (c) of BoingWorld.com, use at your own risk,
# Do whatever you please
# It as long as you don't distribute this without due credits
# BoingWorld.com and Sparkle Computer Co Ltd
#
　　
###########
# Configuration options, these will speed you up getting this script
# Work with your own setup.
　　
#
# Your LAN's IP range and localhost IP./24 means to only use the first 24
# Bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall accross the network
# For maxium security don't set one up-but then you must do
# Everything directly on the firewall.
　　
BR_IP = "xxx. xxx. xxx.57"
BR_IFACE = br0
　　
LAN_BCAST_ADDRESS = "xxx. xxx. xxx.63"
INTERNAL_ADDRESS_RANGE = "xxx. xxx. xxx.56/29"
　　
INET_IFACE = "eth1"
LAN_IFACE = "eth0"
　　
LO_IFACE = "lo"
LO_IP = "127.0.0.1"
　　
IPTABLES = "/sbin/iptables"
　　
#########
# Load all required IPTables modules
#
　　
#
# Needed to initially load modules
#
/Sbin/depmod-
　　
#
# Adds some iptables targets like LOG, REJECT
#
/Sbin/modprobe ipt_LOG
/Sbin/modprobe ipt_REJECT
　　
#
# Support for connection tracking of FTP and IRC.
#
/Sbin/modprobe ip_conntrack_ftp
/Sbin/modprobe ip_conntrack_irc
　　
#
# Take down the interfaces before setting up the bridge
#
　　
Ifdown $ INET_IFACE
Ifdown $ LAN_IFACE
Ifconfig $ INET_IFACE 0.0.0.0
Ifconfig $ LAN_IFACE 0.0.0.0
　　
# Clean up for a restart
　　
$ IPTABLES-F
$ IPTABLES-X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
　　
$ IPTABLES-P INPUT DROP
$ IPTABLES-P OUTPUT ACCEPT
$ IPTABLES-P FORWARD DROP
　　
# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
　　
$ IPTABLES-t mangle-P PREROUTING DROP
　　
# Now we are pretty secure, let's start the bridge
# This will create a new interface
　　
Brctl addbr $ BR_IFACE
　　
# And add the interfaces to it
Brctl addif $ BR_IFACE $ INET_IFACE
Brctl addif $ BR_IFACE $ LAN_IFACE
　　
# Make us visible to the network again (optional)
If ["$ BR_IP "! = ""]; Then
Ifconfig $ BR_IFACE $ BR_IP
Else
# Otherwise we must at least bring the interface up for the bridge to work.
Ifconfig $ BR_IFACE up
Fi
　　
# Block obvious spoofs
　　
$ IPTABLES-t mangle-a prerouting-s 192.168.0.0/16-j DROP
$ IPTABLES-t mangle-a prerouting-s 10.0.0.0/8-j DROP
$ IPTABLES-t mangle-a prerouting-s 172.16.0.0/12-j DROP
　　
# Accept internal packets on the internal I/f
$ IPTABLES-t mangle-a prerouting-I $ LAN_IFACE-s $ INTERNAL_ADDRESS_RANGE-j ACCEPT
　　
# Accept external packets on the external I/f
　　
$ IPTABLES-t mangle-a prerouting-I $ INET_IFACE! -S $ INTERNAL_ADDRESS_RANGE-j ACCEPT
　　
#
# Accept the packets we actually want to forward
#
　　
$ IPTABLES-a forward-p ALL-s $ INTERNAL_ADDRESS_RANGE-j ACCEPT
$ IPTABLES-a forward-m state -- state ESTABLISHED, RELATED-j ACCEPT
$ IPTABLES-a forward-m limit -- limit 3/minute -- limit-burst 3-j LOG -- log-level 7 -- log-prefix "ert forward packet died :"
　　
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
　　
$ IPTABLES-N icmp_packets
#
# ICMP rules
#
　　
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 0-j ACCEPT # echo reply
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 3-j ACCEPT # dest unreachable
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 5-j ACCEPT # redirect
$ IPTABLES-A icmp_packets-p ICMP-s 0/0 -- icmp-type 11-j ACCEPT # time exceeded
$ IPTABLES-a forward-p ICMP-j icmp_packets
　　
#
# UDP ports
#
$ IPTABLES-N udpincoming_packets
　　
$ IPTABLES-A udpincoming_packets-p UDP-s 0/0 -- source-port 53-j ACCEPT # DNS
$ IPTABLES-A udpincoming_packets-p udp-s 0/0-