Re: bridging with iptables (was no subject)

Re: bridging with iptables (was no subject)

[riffraff]

---------- Original Message ----------------------------------
From: Antony Stone <Antony@Soft-Solutions.co.uk>
Date: Fri, 28 Jun 2002 23:29:48 +0100

>
>In which case.... can anyone here give some advice on combining netfilter 
>with a bridge (which, as Patrick kindly pointed out) doesn't have an IP 
>address on *either* (any?) of its interfaces ?
>
>ie does the standard Linux routing system, and the various netfilter hooks, 
>still work sensibly enough to be able to put netfilter rules onto a bridge ?
>
Yes, look at the bridge-netfilter project:
http://bridge.sourceforge.net/

I use it at work (in my lab at NASA).  You can have an ip address assigned to the bridge, though.  It is just assigned to the bridge interface, and not the individual interfaces that make up the bridge.  Meaning, if you, say, ssh to the ip address of the bridge, it will answer on any interface, not just a specific ethernet card.  You don't have to have an ip address assigned, however.  I filter out all accesses to the bridge from the outside (using netfilter), and only allow ssh from the inside.

>Or is netfilter based so much around routing concepts and interfaces with 
>addresses on them that it doesn't really work properly ?
>
>
>I'm sure I'll find a use for a bridge one day, so it'd be good to know 
>whether I can put netfilter on it when I do.
>
> 
Our main use is wanting to put a firewall in our network (upgrading from Drawbridge, which really wasn't that flexible), and we don't control the router (that is controlled by some other agency on site).  We didn't want to subnet our network (losing addresses, in addition to re-engineering everything), so we put the bridge firewall up in between the router and the main switch.  It is completely transparent to the users.

>
>Antony.
>

-lsd

Re: bridging with iptables (was no subject)

[Antony Stone]

On Friday 28 June 2002 11:39 pm, riffraff wrote:

> From: Antony Stone <Antony@Soft-Solutions.co.uk>
> Date: Fri, 28 Jun 2002 23:29:48 +0100
>
> >In which case.... can anyone here give some advice on combining netfilter
> >with a bridge (which, as Patrick kindly pointed out) doesn't have an IP
> >address on *either* (any?) of its interfaces ?
> >
> >ie does the standard Linux routing system, and the various netfilter
> > hooks, still work sensibly enough to be able to put netfilter rules onto
> > a bridge ?
>
> Yes, look at the bridge-netfilter project:
> http://bridge.sourceforge.net/

Hmmm.   Good.

I know this is getting a bit off-topic now, but does anyone know if you can 
combine bridging with IPsec ?   ie have two bits of the same network address 
range bridged across a VPN link ?

I've only ever set up IPsec links with a routing table pointing to the 
'other' network across the VPN link...


 

Antony.

Re: bridging with iptables (was no subject)

[Martin Josefsson]

On Sat, 2002-06-29 at 00:53, Antony Stone wrote:

> > Yes, look at the bridge-netfilter project:
> > http://bridge.sourceforge.net/
> 
> Hmmm.   Good.
> 
> I know this is getting a bit off-topic now, but does anyone know if you can 
> combine bridging with IPsec ?   ie have two bits of the same network address 
> range bridged across a VPN link ?
> 
> I've only ever set up IPsec links with a routing table pointing to the 
> 'other' network across the VPN link...

Use bridge + CIPE for that.

I've never used it but I've heard that it works fine, it's not IPsec but
another encrypted VPN.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.

RE: bridging with iptables (was no subject)

[Joe Patterson]

or, (note that I have not actually tried this, but I think that it would
*probably* work) use a gre tunnel over ipsec, and then add the gre tunnel to
the bridge group.  Actually, I have done this, but on cisco's instead of on
linux boxes (and when you put the commands into the cisco, it lets you know
in no uncertain terms that you are entering into unsupported territory)

and the really cool thing about this is, not only can you do wierd routing
and filtering, but you can get the advantages of ipsec encryption and
authentication for unroutable non-ip protocols.

but you're right, this is getting really off-topic now....  But, to bring it
somewhat back onto topic...

Does anyone know how netfilter deals with non-ip protocols?  If you've got
your linux box set up as, for example, an ipx router, and you've got
iptables loaded with default drop rules in your forward chain, do the ipx
packets get through?  My suspicion is that they do, but I'm not sure.  My
suspicion is that netfilter only gets involved when a packet is of type
IP...  But the fact that netfilter can be hooked into a bridging stack makes
me wonder...

-Joe

> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of Martin Josefsson
> Sent: Friday, June 28, 2002 7:50 PM
> To: Antony Stone
> Cc: Netfilter
> Subject: Re: bridging with iptables (was no subject)
>
>
> On Sat, 2002-06-29 at 00:53, Antony Stone wrote:
>
> > > Yes, look at the bridge-netfilter project:
> > > http://bridge.sourceforge.net/
> >
> > Hmmm.   Good.
> >
> > I know this is getting a bit off-topic now, but does anyone
> know if you can
> > combine bridging with IPsec ?   ie have two bits of the same
> network address
> > range bridged across a VPN link ?
> >
> > I've only ever set up IPsec links with a routing table pointing to the
> > 'other' network across the VPN link...
>
> Use bridge + CIPE for that.
>
> I've never used it but I've heard that it works fine, it's not IPsec but
> another encrypted VPN.
>
> --
> /Martin
>
> Never argue with an idiot. They drag you down to their level, then beat
> you with experience.
>
>
>

Re: bridging with iptables (was no subject)

[Patrick Schaaf]

Hi Joe,

> Does anyone know how netfilter deals with non-ip protocols?

Yes. It doesn't deal with them at all, as delivered "out of the box".

Here's a dump of what I know about the situation:

- netfilter is a set of hooks placed in stratetic places in the L3 networking
  stack. Right now there are hooks for IPv4, IPv6, ARP, and I think there's
  also something for DecNET, which I don't now nothing about.
- the hooks are all _inside_ the L3 stack.
- iptables is a user of the hooks put into the IPv4 stack.
- ip6tables is a user of the hooks put into the IPv6 stack.
- arptables is a user of the hooks put into the ARP stack.
- there is a patch to place netfilter hooks into the bridge code,
  which _may_ be capable of filtering by ethernet protocol type.
  I have not used it or looked closely. See http://bridge.sourceforge.net/

I don't think that there is any code right now which is able to filter
on IPX or AppleTalk header fields.

best regards
  Patrick

Re: bridging with iptables (was no subject)

[Martin Josefsson]

On Sun, 2002-06-30 at 09:13, Patrick Schaaf wrote:
> Hi Joe,
> 
> > Does anyone know how netfilter deals with non-ip protocols?
> 
> Yes. It doesn't deal with them at all, as delivered "out of the box".
> 
> Here's a dump of what I know about the situation:
> 
> - netfilter is a set of hooks placed in stratetic places in the L3 networking
>   stack. Right now there are hooks for IPv4, IPv6, ARP, and I think there's
>   also something for DecNET, which I don't now nothing about.
> - the hooks are all _inside_ the L3 stack.
> - iptables is a user of the hooks put into the IPv4 stack.
> - ip6tables is a user of the hooks put into the IPv6 stack.
> - arptables is a user of the hooks put into the ARP stack.
> - there is a patch to place netfilter hooks into the bridge code,
>   which _may_ be capable of filtering by ethernet protocol type.
>   I have not used it or looked closely. See http://bridge.sourceforge.net/
> 
> I don't think that there is any code right now which is able to filter
> on IPX or AppleTalk header fields.

http://users.pandora.be/bart.de.schuymer/ebtables/

Description: ethernet bridge tables

this is another user of the netfilter hooks in the bridge code.
And ebtables can filter on ethernet protocols and some simple ipv4
filtering aswell.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.

Re: (no subject)

[Antony Stone]

On Thursday 28 June 2001 8:43 pm, Forrest Beck wrote:

> Your right.
>
> I guess that I was learning NAT and just didn't think to not use it.
>
> What my overall goal is:
>
> Eth1=Wireless AP's
> Eth0=LAN
>
> I have the eth0 set to 192.168.252.240 and eth1 set to 192.168.252.241.

Hmmm.   I thought a bridge was supposed to have the same address on both 
interfaces.   Still, I've never set one up myself, so maybe there's more than 
one way to do it.

Just so long as you don't have those addresses on a router.....

 

Antony.

Re: (no subject)

[Patrick Schaaf]

Hi Antony,

> Hmmm.   I thought a bridge was supposed to have the same address on both 
> interfaces.   Still, I've never set one up myself, so maybe there's more than 
> one way to do it.

A bridge, by its nature, has no IP addresses at all. The original poster
is asking about a pure router.

And you are right on spot with your observation about the ability of a
malicious user to fake her MAC address at will. And one nice thing about
most wireless networks is that I can just listen to the air for some time
to learn what MAC/IP combination it is that I should fake after it became
silent...

I have heard that there are security measures implementable on the
wireless side. There is no chance to do it on a router outside the
wireless cloud.

best regards
  Patrick

Re: (no subject)

[Antony Stone]

On Friday 28 June 2002 9:02 pm, Patrick Schaaf wrote:

> Hi Antony,
>
> > Hmmm.   I thought a bridge was supposed to have the same address on both
> > interfaces.   Still, I've never set one up myself, so maybe there's more
> > than one way to do it.
>
> A bridge, by its nature, has no IP addresses at all. The original poster
> is asking about a pure router.

Ugh.   In that case I recommend using IPs from two *different* network ranges 
on the two sides of the machine !

> And you are right on spot with your observation about the ability of a
> malicious user to fake her MAC address at will. And one nice thing about
> most wireless networks is that I can just listen to the air for some time
> to learn what MAC/IP combination it is that I should fake after it became
> silent...

Indeed.   There may be anti-sniffing measures available for wired networks, 
but I know of nothing which can detect / defeat sniffing on wireless.

 

Antony.

Re: bridging with iptables (was no subject)

[Jack Bowling]

Nothing to add. Just changed the subject line to something useful for the archives and search engines.

jb


** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Fri, 28 Jun 2002 21:00:46 +0100


> On Friday 28 June 2002 9:02 pm, Patrick Schaaf wrote:
> 
> > Hi Antony,
> >
> > > Hmmm.   I thought a bridge was supposed to have the same address on both
> > > interfaces.   Still, I've never set one up myself, so maybe there's more
> > > than one way to do it.
> >
> > A bridge, by its nature, has no IP addresses at all. The original poster
> > is asking about a pure router.
> 
> Ugh.   In that case I recommend using IPs from two *different* network ranges 
> on the two sides of the machine !
> 
> > And you are right on spot with your observation about the ability of a
> > malicious user to fake her MAC address at will. And one nice thing about
> > most wireless networks is that I can just listen to the air for some time
> > to learn what MAC/IP combination it is that I should fake after it became
> > silent...
> 
> Indeed.   There may be anti-sniffing measures available for wired networks, 
> but I know of nothing which can detect / defeat sniffing on wireless.
> 
>  
> 
> Antony.

Re: bridging with iptables (was no subject)

[Antony Stone]

On Friday 28 June 2002 11:22 pm, Jack Bowling wrote:

> Nothing to add. Just changed the subject line to something useful for the
> archives and search engines.

Good idea.

In which case.... can anyone here give some advice on combining netfilter 
with a bridge (which, as Patrick kindly pointed out) doesn't have an IP 
address on *either* (any?) of its interfaces ?

ie does the standard Linux routing system, and the various netfilter hooks, 
still work sensibly enough to be able to put netfilter rules onto a bridge ?

Or is netfilter based so much around routing concepts and interfaces with 
addresses on them that it doesn't really work properly ?


I'm sure I'll find a use for a bridge one day, so it'd be good to know 
whether I can put netfilter on it when I do.

 

Antony.

 
> > On Friday 28 June 2002 9:02 pm, Patrick Schaaf wrote:
> > > Hi Antony,
> > >
> > > > Hmmm.   I thought a bridge was supposed to have the same address on
> > > > both interfaces.   Still, I've never set one up myself, so maybe
> > > > there's more than one way to do it.
> > >
> > > A bridge, by its nature, has no IP addresses at all. The original
> > > poster is asking about a pure router.
> >
> > Ugh.   In that case I recommend using IPs from two *different* network
> > ranges on the two sides of the machine !
> >
> > > And you are right on spot with your observation about the ability of a
> > > malicious user to fake her MAC address at will. And one nice thing
> > > about most wireless networks is that I can just listen to the air for
> > > some time to learn what MAC/IP combination it is that I should fake
> > > after it became silent...
> >
> > Indeed.   There may be anti-sniffing measures available for wired
> > networks, but I know of nothing which can detect / defeat sniffing on
> > wireless.
> >
> >
> >
> > Antony.