problems with bridging firewall

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

i'm trying to setup a bridging firewall very similar to the one described in the how-to posted here:

https://forums.gentoo.org/viewtopic.php?t=78039

the only difference being that instead of assigning an ip to br0, i've got a third physical ethernet interface (eth2) that has an ip address that i can ssh to for administration.

the bridge itself is working just fine. i have a machine behind it and traffic is flowing in both directions. the firewall part however, doesn't appear to be working correctly, and i'm not sure what i'm doing wrong.

i've executed the exact (as far as i can tell) series of iptables commands outlined in the how-to's "iptables.sh". i didn't include any extra statements for services other than ssh. from what i understand, that should have left me with a bridge that allows everything out, but only ssh in.

however, all traffic is still flowing both ways. i can still browse to the webserver sitting behind the bridge from machines that are on the other side. have i entered one of the rules incorrectly? it looks like nothing is making it past the first rule.

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

just to be thorough, i've removed the third ethernet card from the setup, and i'm now using the exact same setup as the how-to. same scripts and all. it still appears to be ignoring the iptables rules.

i've also tried the following, which i believe should block all traffic flowing across the bridge:

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

okay, one last try. any suggestions anyone could give me on this would be greatly appreciated.

at the suggestion of someone from a mailing list i subscribe to i tried using the following two rules to block all traffic:

UncleTom · Posted: Thu Apr 15, 2004 1:09 pm Post subject:

Have you compiled your kernel with bridging support?

From the how-to thread you mentioned earlier:

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

i enabled bridging, and i enabled iptables, but the kernel source i used was the stock gentoo-sources package for 2.4.25. since the options were present, it appeared to me that the patch had already been applied. if i emerge ebtables will that apply the patch you mention? if not, is there any chance you could get me pointed in the right direction to download it?

UncleTom · Posted: Thu Apr 15, 2004 3:58 pm Post subject:

I'm sorry, I have never done this myself, so I cannot help you much there. It's just something that's been sitting in my List of Extremely Cool Things To Try for quite some time and I happened upon your post because I'm interested in this myself.

Further reading on [url]bridge.sourceforge.net[/url] and [url]ebtables.sourceforge.net[/url] should clarify these issues, but it seems that 2.4.21 and up include the bridging code and do not need to be patched any more. So that particular idea of mine was useless.

Reading your post it just seemed to me that you don't really have an iptables problem, because your rules are simple enough and should work. The post by kmasaryk sounded to me like a good explanation of that (iptables not seeing the traffic because the kernel doesn't hand the traffic over to iptables).

If nobody else has any better ideas, I would suggest that you investigate further along these lines. Does your kernel configuration include everything that needs to be included and leaves out everything else? For example, I just read in the kernel menuconfig help screen on packet filtering:

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

the same reading on the bridge site also let me to believe i didn't need a patch.

here's what i've got enabled in my kernel as far as networking options go:

and then under the IP: Netfilter Configuration:

i believe that's correct. i don't actually see the "Fast Switching" option referred to in the Packet Filtering documentation. any chance somebody who has this working could post their setup?

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

alright, i've got it working now. i emerged the development sources (2.6.6-rc1) and built a new kernel with all of the bridging, iptables, ebtables stuff enabled. so, there may in fact be a patch of some sort required, even if you're using a kernel newer than 2.4.21.

the rules that appear in the how-to still don't appear to work for me. i can add two rules now that block all traffic:

UncleTom · Posted: Fri Apr 16, 2004 7:20 am Post subject:

Glad to hear you got it working now.

Have you tried to specify the rules that don't work with iptables using ebtables?

jwalcik · n00b Joined: 22 Sep 2003 Posts: 27 Location: austin, tx

i can write ebtables rules against the eth0 and eth1 interfaces, very similar to what you've suggested (except using DROP, as ebtables doesn't have a REJECT target), however i'm not sure it will do exactly what i'm ultimately trying to accomplish.

basically, i want to use this bridging firewall to help protect the segment of our department's LAN that my servers are on. i need to be able to filter by port (or more ideally by protocol), which iptables appears to support, but ebtables doesn't necessarily. the protocols it's talking about aren't like "ssh" or "http", they're, um... i'll say "ethernet protocols" (they're referred to as EtherTypes in the document linked below), because i don't know the correct term. you can see the list here: http://www.iana.org/assignments/ethernet-numbers

i think i'll probably be able to sort something out with iptables by filtering based on destination address as opposed to interface, however being able to set a few default rules across the bridge by interface, and fine tune by destination address would be ideal.