Chapter 11. Layer 2/Inline Filtering

In addition to the Layer 3 (IP) and Layer 4 (TCP/UDP) filtering described in the preceding chapters, iptables/netfilter can also filter traffic at Layer 2. This is especially useful when you want to build an inline transparent firewall, turn an IDS into a device that can respond to attacks by dropping the offending traffic, filter in a bridging environment, or add MAC address filter rules on a wireless network.

Bridging, simply put, joins two or more separate Ethernet segments into one. From the perspective of the users on either side of the bridge, they are on the same network. Bridging happens at Layer 2 of the OSI model, below IP, so the bridge forwards Ethernet frames without routing them and without needing an IP address of its own on the segments it joins. That is why firewalling at this layer is called "transparent": the firewall is not an IP hop, it does not show up in a traceroute, and it requires no changes to addressing, routing, or gateway settings on the devices around it.

A transparent firewall is, basically, a firewall implemented inside a bridge. The advantage is that it is a low-impact topology change. If you have ever tried to make topology changes in a large bureaucratic business or government agency, you can relate to the pain they cause. A transparent firewall is by nature invisible, and the fact that it is Linux-based means it is low cost and can run on legacy hardware. If you were ever looking for an ideal way to use Linux firewalls in a large enterprise, this is it. You can build them out of old gear you have lying around and deploy them throughout your network without changing settings on other devices (routers, gateways, and so on). Best of all, your users will never notice they have been installed. One caveat: because the bridge itself carries no IP address, the firewall has no in-band management address unless you deliberately give the bridge interface (or a dedicated management interface) one, so decide how you will administer the box before you deploy it.
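The following script is an added example, not code from the book, of what the two previous paragraphs describe: two Ethernet ports joined by an IP-less bridge, Layer 3/4 iptables rules keyed on the physical bridge port that a frame entered and left through (the physdev match), and a pure Layer 2 MAC filter in ebtables. The interface names eth0, eth1 and br0 and the blocked MAC address are assumptions chosen for illustration. It uses the current iproute2 bridge commands rather than the brctl tool of the book's era, and it loads br_netfilter explicitly, which modern kernels require before bridged frames are handed to iptables at all (a frequent cause of "my FORWARD rules never match" on a transparent firewall). Run it as root with `apply`, or with `dry-run` to see the commands it would execute.

```shell
#!/bin/sh
# Added example (not from the book): a two-port transparent bridge firewall
# built with iptables and ebtables. Interface names and the blocked MAC are
# assumptions; the MAC is a constructed sample address.
set -eu

DRY_RUN="${DRY_RUN:-0}"
BR="${BR:-br0}"
INSIDE="${INSIDE:-eth0}"     # port towards the users
OUTSIDE="${OUTSIDE:-eth1}"   # port towards the rest of the network
BLOCKED_MAC="${BLOCKED_MAC:-00:11:22:33:44:55}"  # constructed sample MAC

# Execute a command, or just print it when DRY_RUN=1 (no root needed).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Join the two segments with a bridge that carries no IP address.
setup_bridge() {
    run ip link add name "$BR" type bridge
    run ip link set dev "$INSIDE" master "$BR"
    run ip link set dev "$OUTSIDE" master "$BR"
    run ip link set dev "$INSIDE" up
    run ip link set dev "$OUTSIDE" up
    run ip link set dev "$BR" up
    # Without br_netfilter and this sysctl, bridged frames bypass iptables
    # entirely and only ebtables sees them.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# 2. Layer 3/4 policy on bridged traffic, keyed on the bridge port a frame
#    arrived on and will leave through. The FORWARD chain is the only one
#    bridged traffic traverses; INPUT/OUTPUT only see the box's own packets.
ip_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Users on the inside may open HTTP/HTTPS towards the outside.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" --physdev-out "$OUTSIDE" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log anything the outside tries to initiate towards the users; the
    # DROP policy then discards it.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" --physdev-out "$INSIDE" \
        -j LOG --log-prefix "bridge-fw drop: "
}

# 3. Pure Layer 2 policy: discard frames from one source MAC before any IP
#    processing happens. The ebtables rule catches every Ethertype (ARP
#    included); the iptables mac match below only sees IP packets.
mac_rules() {
    run ebtables -A FORWARD -s "$BLOCKED_MAC" -j DROP
    run iptables -I FORWARD -m mac --mac-source "$BLOCKED_MAC" -j DROP
}

main() {
    setup_bridge
    ip_rules
    mac_rules
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1 main ;;
esac
```

Note that the physdev match only works in the FORWARD chain of a bridge this way once `bridge-nf-call-iptables` is on; if you only want Layer 2 decisions (MAC allow-lists on a wireless bridge, for instance) the ebtables rule alone is enough and the sysctl can stay off, which also keeps the box from touching packets it was never meant to inspect.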

Figure 11.1 shows a single 10.0.0.0/8 RFC 1918 network running on two separate switches, one carrying hosts in 10.10.10.0 and the other hosts in 10.10.11.0. Because both ranges lie inside the same /8, users on either switch see themselves as being on the same network.

Figure 11.1. Our network before adding the transparent firewall.


Figure 11.2. The same network with our transparent firewall installed.




    Troubleshooting Linux Firewalls
    ISBN: 0-321-22723-9
    EAN: N/A
    Year: 2004
    Pages: 169
