
Securing Debian Manual
Appendix D - Setting up a bridge firewall


This information was contributed by Francois Bayart to help users set up a Linux bridge/firewall with the 2.4.x kernel and iptables. The only extra piece needed is the bridge firewall (bridge-nf) patch, available from its SourceForge download page.

For example, if you are using a 2.4.18 kernel, download the patch, install the kernel-source-2.4.18 package (it places a source tarball under /usr/src, which you must unpack first) and then apply the patch to the unpacked tree:

     Zipowz:/usr/src# apt-get install kernel-source-2.4.18
     Zipowz:/usr/src# cd kernel-source-2.4.18
     Zipowz:/usr/src/kernel-source-2.4.18# patch -p1 < ../bridge-nf-0.0.6-against-2.4.18.diff 
     patching file include/linux/netfilter.h
     patching file include/linux/netfilter_ipv4.h
     patching file include/linux/skbuff.h
     patching file net/bridge/br.c
     patching file net/bridge/br_forward.c
     patching file net/bridge/br_input.c
     patching file net/bridge/br_netfilter.c
     patching file net/bridge/br_private.h
     patching file net/bridge/Makefile
     patching file net/Config.in
     patching file net/core/netfilter.c
     patching file net/core/skbuff.c
     patching file net/ipv4/ip_output.c
     patching file net/ipv4/netfilter/ip_tables.c
     patching file net/ipv4/netfilter/ipt_LOG.c

Now run the kernel configuration (with your favourite method: make menuconfig, make xconfig, ...). In the Networking options section enable these options:

     [*] Network packet filtering (replaces ipchains)
     [ ]   Network packet filtering debugging (NEW)
     <*> 802.1d Ethernet Bridging
     [*]   netfilter (firewalling) support (NEW)

Caution: the debugging option must stay disabled if you want to apply firewalling rules; with it enabled iptables does not work:

     [ ]   Network packet filtering debugging (NEW)

Afterwards, select the options you need in the IP: Netfilter Configuration section (at least connection tracking, IP tables support and the matches and targets your rules use; the rules in D.3 use the state match). Then compile and install the kernel. If you want to do it the Debian way, install the kernel-package package and run make-kpkg to create a new Debian package that you can install on your server (or use on other systems). Once the new kernel is compiled and installed, install bridge-utils.
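The steps above assembled into one script, as an added example that is not part of the manual or of the bridge-nf project: a check that the resulting .config really has the options listed above with the debugging option off, followed by the make-kpkg build. The .config symbol names (CONFIG_NETFILTER, CONFIG_NETFILTER_DEBUG, CONFIG_BRIDGE, CONFIG_BRIDGE_NF) and the paths are assumptions taken from the menu entries and the transcript above; commands with side effects are only printed unless RUN is set to empty.

```shell
#!/bin/sh
# Added example (not from the manual): check a 2.4.x kernel .config for the
# options a bridge firewall needs, then build the kernel the Debian way.
# Assumed .config symbols (from the menu entries in the manual):
#   CONFIG_NETFILTER, CONFIG_NETFILTER_DEBUG, CONFIG_BRIDGE, CONFIG_BRIDGE_NF
# Assumed paths: the ones in the manual's transcript.
# Privileged steps are only echoed; run "RUN= sh build-bridge-kernel.sh build"
# as root to execute them.
RUN=${RUN:-echo}
SRC=${SRC:-/usr/src/kernel-source-2.4.18}
PATCH=${PATCH:-/usr/src/bridge-nf-0.0.6-against-2.4.18.diff}

# check_config FILE: return 0 when FILE enables what a bridge firewall needs,
# otherwise print each problem and return 1.
check_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    rc=0
    grep -q  '^CONFIG_NETFILTER=y'  "$cfg" || { echo "CONFIG_NETFILTER must be y";      rc=1; }
    grep -Eq '^CONFIG_BRIDGE=(y|m)' "$cfg" || { echo "CONFIG_BRIDGE must be y or m";    rc=1; }
    grep -q  '^CONFIG_BRIDGE_NF=y'  "$cfg" || { echo "CONFIG_BRIDGE_NF must be y";      rc=1; }
    # the manual's caution: with netfilter debugging on, iptables does not work
    if grep -q '^CONFIG_NETFILTER_DEBUG=y' "$cfg"; then
        echo "CONFIG_NETFILTER_DEBUG must be off"; rc=1
    fi
    return $rc
}

# build_kernel: patch, configure, verify the configuration, package, install.
build_kernel() {
    $RUN apt-get install kernel-source-2.4.18 kernel-package bridge-utils
    # make sure the patch applies cleanly before touching the tree
    $RUN patch --dry-run -d "$SRC" -p1 -i "$PATCH"
    $RUN patch -d "$SRC" -p1 -i "$PATCH"
    $RUN make -C "$SRC" menuconfig
    # only meaningful when really building (no .config exists in a dry run)
    if [ -z "$RUN" ]; then
        check_config "$SRC/.config" || return 1
    fi
    $RUN sh -c "cd '$SRC' && make-kpkg --rootcmd fakeroot --append-to-version -bridge --revision bridge.1 kernel_image"
    # package name depends on architecture; the glob covers it
    $RUN sh -c "dpkg -i '$SRC'/../kernel-image-2.4.18-bridge_*.deb"
}

case "${1:-}" in
    check) check_config "${2:-$SRC/.config}" ;;
    build) build_kernel ;;
esac
```

Run `sh build-bridge-kernel.sh check /usr/src/kernel-source-2.4.18/.config` after make menuconfig to catch a forgotten option before spending the time on a compile.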

You can now examine two different configurations, which show how the bridge can be set up once all these steps have been taken. Both are shown with a network map and the commands necessary to configure the bridge.


D.1 A bridge providing nat and firewall capabilities

The first one uses the bridge as a firewall with network address translation: it protects a server with a public address and the clients of an internal LAN (192.168.0.0/24), for which the bridge is the default gateway.

     Internet ----- router ( 62.3.3.25 ) ----- bridge ( 62.3.3.26 gw 62.3.3.25 / 192.168.0.1 )
                                                 |
                                                 |
                                                 |---- WWW Server ( 62.3.3.27 gw 62.3.3.25 )
                                                 |
                                                 |
                                                LAN --- Zipowz ( 192.168.0.2 gw 192.168.0.1 )

These commands show how the bridge can be configured.

     # Create the bridge interface br0
     /usr/sbin/brctl addbr br0
     
     # Add the ethernet interfaces that form the bridge
     /usr/sbin/brctl addif br0 eth0
     /usr/sbin/brctl addif br0 eth1
     
     # Bring the ethernet interfaces up without an IP address of their own
     /sbin/ifconfig eth0 0.0.0.0
     /sbin/ifconfig eth1 0.0.0.0
     
     # Configure the bridge interface.
     # The bridge is transparent: it does not show up in a traceroute and the
     # other machines keep their real gateway (the router). If you prefer, you
     # can instead give the bridge a gateway and make the bridge the new
     # gateway for the other machines.
     # 62.3.3.26/255.255.255.248 is the block 62.3.3.24-31, so the broadcast
     # address is 62.3.3.31.
     /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
     
     # Internal address added for the NAT: the bridge is the LAN's gateway
     ip addr add 192.168.0.1/24 dev br0
     /sbin/route add default gw 62.3.3.25

D.2 A bridge providing firewall capabilities

This system is set up as a transparent firewall for a LAN with a public IP address space.

     Internet ----- router ( 62.3.3.25 ) ----- bridge ( 62.3.3.26 )
                                                 |
                                                 |
                                                 |---- WWW Server ( 62.3.3.28 gw 62.3.3.25 )
                                                 |
                                                 |
                                                 |---- Mail Server ( 62.3.3.27 gw 62.3.3.25 )

These commands show how the bridge can be configured.

     # Create the bridge interface br0
     /usr/sbin/brctl addbr br0
     
     # Add the ethernet interfaces that form the bridge
     /usr/sbin/brctl addif br0 eth0
     /usr/sbin/brctl addif br0 eth1
     
     # Bring the ethernet interfaces up without an IP address of their own
     /sbin/ifconfig eth0 0.0.0.0
     /sbin/ifconfig eth1 0.0.0.0
     
     # Configure the bridge interface.
     # The bridge is transparent: it does not show up in a traceroute and the
     # other machines keep their real gateway (the router). If you prefer, you
     # can instead give the bridge a gateway and make the bridge the new
     # gateway for the other machines.
     # 62.3.3.26/255.255.255.248 is the block 62.3.3.24-31, so the broadcast
     # address is 62.3.3.31.
     /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

If you traceroute to the mail server you do not see the bridge. To reach the bridge itself over ssh you must either give it a default gateway (as in D.1) or connect to another machine such as the mail server and from there to the bridge's address over the inside network.
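Both bring-up sequences (D.1 and D.2) in one script, as an added example that is not part of the manual: the bridge commands above with the broadcast address computed from the netmask instead of typed by hand, and, for the D.1 case, the NAT that the section mentions but does not show (the LAN address on br0, IP forwarding for the routed NAT path, and an SNAT rule). Interface roles (eth0 towards the router, eth1 towards the servers/LAN), the 192.168.0.0/24 LAN and the use of SNAT to the bridge's public address are assumptions. Commands are printed, not executed, unless RUN is set to empty.

```shell
#!/bin/sh
# Added example (not the manual's own script): bring up the transparent
# bridge of D.1/D.2 and, optionally, the NAT that D.1 describes.
# Assumptions: eth0 faces the router, eth1 the servers/LAN, addresses as in
# the diagrams, LAN 192.168.0.0/24 behind the bridge, SNAT to the public IP.
# Usage: sh bridge.sh bridge   (D.2)   or   sh bridge.sh nat   (D.1)
# Commands are only printed; run as root with RUN= to apply them.
RUN=${RUN:-echo}
PUBLIC_IP=62.3.3.26
PUBLIC_MASK=255.255.255.248
GATEWAY=62.3.3.25
LAN_NET=192.168.0.0/24
LAN_IP=192.168.0.1/24

# broadcast_of IP NETMASK: print the directed broadcast address of IP/NETMASK
# (each octet ORed with the inverted mask octet), so it is never mistyped.
broadcast_of() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2              # eight fields: four IP octets, four mask octets
    IFS=$old_ifs
    echo "$(( $1 | (255 - $5) )).$(( $2 | (255 - $6) )).$(( $3 | (255 - $7) )).$(( $4 | (255 - $8) ))"
}

# setup_bridge: the D.2 configuration (transparent, no routing involved)
setup_bridge() {
    $RUN brctl addbr br0
    $RUN brctl addif br0 eth0
    $RUN brctl addif br0 eth1
    $RUN ifconfig eth0 0.0.0.0 up
    $RUN ifconfig eth1 0.0.0.0 up
    $RUN ifconfig br0 "$PUBLIC_IP" netmask "$PUBLIC_MASK" \
        broadcast "$(broadcast_of "$PUBLIC_IP" "$PUBLIC_MASK")"
    $RUN route add default gw "$GATEWAY"
}

# setup_nat: the D.1 additions. Bridged frames never need ip_forward, but
# LAN traffic addressed to the bridge's MAC is routed, so it does.
setup_nat() {
    $RUN ip addr add "$LAN_IP" dev br0
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o br0 \
        -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-}" in
    bridge) setup_bridge ;;
    nat)    setup_bridge; setup_nat ;;
esac
```

Check the printed commands first (`sh bridge.sh nat`), then apply them with `RUN= sh bridge.sh nat` as root; the SNAT rule is in the nat table and is independent of the filter rules in D.3.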


D.3 Iptables basic rules

This is an example of the basic rules that could be used for either of these setups (the addresses match the D.2 map; adjust them for D.1, where 62.3.3.27 is the web server). They only filter the FORWARD chain, i.e. traffic crossing the bridge; packets addressed to the bridge's own IP address (62.3.3.26) go through the INPUT chain instead, which these rules leave at its default policy (ACCEPT), so add INPUT rules if the bridge has an address.

     iptables -F FORWARD
     iptables -P FORWARD DROP
     iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     
     # Extra rules, commented out: the string match below is a patch-o-matic
     # extension and is not available in a stock iptables
     # Limit ICMP
     # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
     # String match: a quick and crude way to block some worms (here, requests for cmd.exe)
     # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"
     
     # Block all MySQL connections, just to be sure
     # (already covered by the DROP policy, but explicit)
     iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP
     
     # Linux Mail Server Rules
     #
     
     # Allow FTP-DATA ( 20 ), FTP ( 21 ), SSH ( 22 )
     # Note: FTP data connections are better handled by loading ip_conntrack_ftp,
     # which makes them match the RELATED rule above; active-mode data
     # connections originate from the server and passive ones use random ports,
     # so an open inbound port 20 alone does not make FTP work.
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT
     
     # Allow the Mail Server to connect to the outside
     # Note: this is *not* needed for replies to the connections above
     # (remember: stateful filtering), and it lets a compromised server
     # reach anything on the Internet, so it could be removed or narrowed
     # to the ports the server really needs.
     iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT
     
     # WWW Server Rules
     #
     
     # Allow HTTP ( 80 ) connections with the WWW server
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT
     
     # Allow HTTPS ( 443 ) connections with the WWW server
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT
     
     # Allow the WWW server to go out
     # Note: as above, this is *not* needed for replies (stateful filtering)
     # and could be removed or narrowed.
     iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
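The same rule set as an added example script (not the manual's, nor the contributor's): the FORWARD rules for the D.2 network, plus an INPUT chain for the bridge's own address, the FTP connection-tracking helper so data connections match RELATED, per-server outbound rules instead of the blanket "server to anywhere" accepts, and a rate-limited LOG rule before the DROP policy. The assumptions are that the mail server accepts SMTP (25) and needs SMTP and DNS out, that the web server needs DNS out, and that the bridge is administered over ssh from the mail server. With RUN unset the iptables commands are only printed.

```shell
#!/bin/sh
# Added example, not the manual's rule set: D.3 for the D.2 network, plus
#  - an INPUT chain: FORWARD never sees packets addressed to the bridge's own
#    address (62.3.3.26), so without it the bridge host is unprotected
#  - the FTP conntrack helper, so FTP data connections match RELATED
#  - outbound rules narrowed to what each server needs
#  - a rate-limited LOG rule for what the DROP policy discards
# Assumptions (not in the manual): mail server speaks SMTP and needs SMTP+DNS
# out, web server needs DNS out, ssh to the bridge only from the mail server.
# Commands are printed unless RUN is empty: "RUN= sh rules.sh apply" as root.
RUN=${RUN:-echo}
BRIDGE=62.3.3.26
MAIL=62.3.3.27
WWW=62.3.3.28
ADMIN=$MAIL          # host allowed to ssh to the bridge itself

ipt() { $RUN iptables "$@"; }

# forward_rules: traffic crossing the bridge
forward_rules() {
    ipt -F FORWARD
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP, rate limited as the manual suggests (needed for path MTU discovery)
    ipt -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
    # mail server in: FTP control, SSH, SMTP (--syn: connection openers only)
    ipt -A FORWARD -p tcp --syn -d "$MAIL" --dport 21 -j ACCEPT
    ipt -A FORWARD -p tcp --syn -d "$MAIL" --dport 22 -j ACCEPT
    ipt -A FORWARD -p tcp --syn -d "$MAIL" --dport 25 -j ACCEPT
    # mail server out: SMTP delivery and DNS only, not "any tcp"
    ipt -A FORWARD -p tcp --syn -s "$MAIL" --dport 25 -j ACCEPT
    ipt -A FORWARD -p udp -s "$MAIL" --dport 53 -j ACCEPT
    # web server in: HTTP and HTTPS; out: DNS only
    ipt -A FORWARD -p tcp --syn -d "$WWW" --dport 80 -j ACCEPT
    ipt -A FORWARD -p tcp --syn -d "$WWW" --dport 443 -j ACCEPT
    ipt -A FORWARD -p udp -s "$WWW" --dport 53 -j ACCEPT
    # everything else falls through to the DROP policy; log it, rate limited
    ipt -A FORWARD -m limit --limit 5/s -j LOG --log-prefix "bridge FWD drop: "
}

# input_rules: traffic addressed to the bridge host itself
input_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --syn -s "$ADMIN" -d "$BRIDGE" --dport 22 -j ACCEPT
    ipt -A INPUT -m limit --limit 5/s -j LOG --log-prefix "bridge IN drop: "
}

apply_all() {
    # with the helper loaded, FTP data connections are RELATED to the control one
    $RUN modprobe ip_conntrack_ftp
    input_rules
    forward_rules
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

The order matters: the INVALID drop and the ESTABLISHED,RELATED accept come first so that every later rule only has to describe connection openers, which is why the per-service rules carry --syn and no reverse-direction rules are needed.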


Securing Debian Manual

2.5 (beta) 29 August 2002
Sat, 17 Aug 2002 12:23:36 +0200
Javier Fernández-Sanguino Peña jfs@computer.org