Building an Inline Transparent Bridging Firewall with ebtables (Stealth Firewalls)


As of the 2.6 Linux kernel, the ability to perform advanced bridge mode filtering using ebtables (http://ebtables.sourceforge.net) is supported by default. Patching the kernel or iptables is not required as of the 2.6 Linux kernel. 2.4.x Linux kernel users will first need to patch their kernel from the ebtables website using the ebtables-brnf-5 patch. In addition, the user-space ebtables tool will be required on both kernels to manipulate the filtering rules.

In the following documentation we will assume that the system, minimoose, has two ethernet interfaces, eth0 and eth1. This system will be inserted between two networks, 10.10.10.0/8 and 10.10.11.0/8, in such a way that the hosts on either side of these networks are not aware that a firewall has been put in place. This is outlined in Figure 11.3.

Figure 11.3. Inline transparent bridging firewall.


  1. Configuring 2.4.x Kernels for ebtables. The latest version of this kernel patch is available from the ebtables website, at http://ebtables.sourceforge.net/. Download and patch your kernel with the appropriate version for your kernel release (example: ebtables-brnf-5_versus_2.4.25.diff.gz for Linux 2.4.25 kernels).

  2. Configuring the kernel code maturity level options:

     [*] Prompt for development and/or incomplete code/drivers

    Networking Options
      IP: Netfilter Configuration   (In addition to your regular options)
        <M> MAC address match support (NEW)
        <M> ARP tables support (NEW)
        <M>   ARP packet filtering (NEW)
        <M>   ARP payload mangling (NEW)
      <M> 802.1d Ethernet Bridging
        <M> Bridge: ebtables (NEW)
        <M>   ebt: filter table support
        <M>   ebt: nat table support
        <M>   ebt: broute table support
        <M>   ebt: log support
        <M>   ebt: IP filter support
        <M>   ebt: ARP filter support
        <M>   ebt: among filter support
        <M>   ebt: limit filter support
        <M>   ebt: 802.1Q VLAN filter support
        <M>   ebt: 802.3 filter support
        <M>   ebt: packet type filter support
        <M>   ebt: STP filter support
        <M>   ebt: mark filter support
        <M>   ebt: arp reply target support
        <M>   ebt: snat target support
        <M>   ebt: dnat target support
        <M>   ebt: redirect target support
        <M>   ebt: mark target support

    Note

    The M flag means compile this option as a module. This assumes you have module support compiled into your kernel.


  3. Install the user space ebtables utility from http://sourceforge.net/project/showfiles.php?group_id=39571.

  4. Compile a 2.6 Kernel for ebtables. As ebtables support is natively included in the 2.6 Kernel, there is no need to patch it. Moving on to configuration, you will need to select the following options:

     Device Drivers
       Networking Support
         Networking Options --->
           <M> 802.1d Ethernet Bridging
           [*] Network packet filtering (replaces ipchains) --->
             [*]   Bridged IP/ARP packets filtering
             Bridge: Netfilter Configuration --->
               <M> Ethernet Bridge tables (ebtables) support
               <M>   ebt: broute table support (NEW)
               <M>   ebt: filter table support (NEW)
               <M>   ebt: nat table support (NEW)
               <M>   ebt: 802.3 filter support (NEW)
               <M>   ebt: among filter support (NEW)
               <M>   ebt: ARP filter support (NEW)
               <M>   ebt: IP filter support (NEW)
               <M>   ebt: limit match support (NEW)
               <M>   ebt: mark filter support (NEW)
               <M>   ebt: packet type filter support (NEW)
               <M>   ebt: STP filter support (NEW)
               <M>   ebt: 802.1Q VLAN filter support (NEW)
               <M>   ebt: arp reply target support (NEW)
               <M>   ebt: dnat target support (NEW)
               <M>   ebt: mark target support (NEW)
               <M>   ebt: redirect target support (NEW)
               <M>   ebt: snat target support (NEW)
               <M>   ebt: log support (NEW)

  5. Download and install the ebtables user space utility.

After your kernel has been built with ebtables support, you can move on to the next phase, which is to create the bridge interface on the kernel. There is an additional user space tool for this, which is included by most distributions by default, called brctl, which you can find in the bridge-utils rpm on rpm-based distributions (redhat, mandrake, suse, and so on). If you do not have brctl on your system, it is available at http://bridge.sourceforge.net.

In our example, we will assume that minimoose, our soon-to-be stealth firewall, has no IP addresses associated with it. This is a perfectly normal configuration for a stealth firewall, and provided you have physical console or serial console access, it is not difficult to maintain. You can, however, assign IP addresses to this firewall, provided you don't mind giving away its existence. If you're attempting to build a truly "stealth" firewall, you do not want this system to have any IP addresses assigned where the systems on either side of the bridged networks can see the stealth firewall directly. That being said, on to creating our bridged interface...

A bridged network involves creating a third logical interface, which is a combination of the two (or more) bridged physical interfaces:

  1. Create the logical interface in the kernel.

     [root@minimoose root]# brctl addbr br0 

  2. Add the left interface, eth0, which connects to the 10.10.10.0/24 network.

     [root@minimoose root]# brctl addif br0 eth0 

  3. Add the right interface, eth1, which connects to the 10.10.11.0/24 network.

     [root@minimoose root]# brctl addif br0 eth1 

  4. Activate the bridged interfaces by bringing up the two real interfaces.

     [root@minimoose root]# ifconfig eth0 0.0.0.0 up
     [root@minimoose root]# ifconfig eth1 0.0.0.0 up

At this point your bridge will be active, and hosts on the two networks will be none the wiser. In this example we're splicing the transparent firewall in between two switches. You could, however, just as easily put this system in between a router and a switch, or even between the switch and a single host. This allows for all sorts of useful configurations: transparent proxy servers, forensics logging hosts, network diagnostics/monitoring, IDS platforms, and of course "stealth" firewalls.

This then brings us to filtering traffic. Outlined in the following section are a few basic recipes for Layer 2 firewalls (this list is by no means complete).

Filtering on MAC Address Bound to a Specific IP Address with ebtables

The first example describes a rule only allowing a specific IP address, 10.10.10.12, to pass through the firewall if it is bound to the MAC address 00:11:22:33:44:55. This is useful in the case of wireless networks (although not foolproof; MAC addresses can be spoofed, too!).

     $EBTABLES -A FORWARD -p IPv4 --ip-src 10.10.10.12 \
         -s ! 00:11:22:33:44:55 -j DROP

Filtering Out Specific Ports with ebtables

The following rule demonstrates a more powerful ebtables feature, the BROUTING chain of the broute table. The following example shows the ebtables rule being used to only allow port 25 traffic (SMTP) to the host at 10.10.10.12.

     $EBTABLES -t broute -A BROUTING -p ipv4 \
         --ip-dst 10.10.10.12 --ip-proto tcp \
         --ip-dport 25 -j ACCEPT
     $EBTABLES -t broute -A BROUTING -p ipv4 \
         --ip-proto tcp --ip-dport 25 -j DROP
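The bridge bring-up (steps 1 through 4 above) and the two rule sets, gathered into one script as an added example that is not from the book. It assumes root, brctl and ebtables on the PATH, interfaces eth0/eth1, and no IP addresses on the box; DRY_RUN=1 prints each command instead of running it, and the script also brings up br0 itself, which the steps above leave out.

```shell
#!/bin/sh
# Added example (not from the book). Assumes: root, brctl and ebtables on
# PATH, eth0/eth1 present, no IP addresses on any interface. DRY_RUN=1
# prints each command instead of executing it, so the rule set can be
# checked before it is applied to a live bridge.
EBTABLES=${EBTABLES:-ebtables}
BRCTL=${BRCTL:-brctl}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build bridge $1 from interfaces $2 and $3 with no IP on any of them.
# The bridge device itself must also be up before frames are forwarded.
setup_bridge() {
    br=$1; left=$2; right=$3
    run "$BRCTL" addbr "$br"
    run "$BRCTL" addif "$br" "$left"
    run "$BRCTL" addif "$br" "$right"
    run ifconfig "$left" 0.0.0.0 up
    run ifconfig "$right" 0.0.0.0 up
    run ifconfig "$br" 0.0.0.0 up
}

# Bind host $1 to MAC $2 and bridge SMTP only when it is addressed to $1.
apply_rules() {
    host=$1; mac=$2
    # FORWARD: frames claiming IP $host from any other source MAC are dropped.
    run "$EBTABLES" -A FORWARD -p IPv4 --ip-src "$host" -s ! "$mac" -j DROP
    # BROUTING semantics differ from FORWARD: ACCEPT means "bridge it",
    # DROP means "hand it to the local IP stack (route it)". With no IP
    # address on this box a routed frame goes nowhere, so port 25 traffic
    # to any other host is effectively discarded.
    run "$EBTABLES" -t broute -A BROUTING -p IPv4 --ip-dst "$host" \
        --ip-proto tcp --ip-dport 25 -j ACCEPT
    run "$EBTABLES" -t broute -A BROUTING -p IPv4 \
        --ip-proto tcp --ip-dport 25 -j DROP
}

# Usage: sh stealth-bridge.sh up   (prefix with DRY_RUN=1 to only print)
if [ "${1:-}" = "up" ]; then
    setup_bridge br0 eth0 eth1
    apply_rules 10.10.10.12 00:11:22:33:44:55
fi
```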



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169