* Bridging Firewall
@ 2003-02-05 22:01 Tim Roberts
From: Tim Roberts @ 2003-02-05 22:01 UTC
To: netfilter
Hi, I successfully configured (I think) a bridging firewall using the script provided in David Whitmarsh's how-to at http://www.sparkle-cc.co.uk/firewall/firewall.html. I have a few questions, as I am trying VERY hard to never have to see a Windows XXAnything disc again.
1.) I do not see anything other than iptables starting up and learning... in /var/log/messages. I have un-remarked kernel* to point to /var/log/messages. I think the only logging being done is if a DOS occurs. Based on his script, how do I enable more or any logging that will show me a little or a lot of something? :)
2.) I have 2 NICs, both public (which is why I chose to bridge). In this script, I enabled the option to allow remote access from my LAN. However, I cannot even ping, from inside the LAN, the specified address in the script to the firewall.
3.) The firewall cannot ping outside the LAN (which I could care less about), but I'm getting messages when the script runs that the machine cannot look up or resolve the FQDNs specified to be blocked.
Any help is greatly appreciated. Below is the script after I modified it. I am using Red Hat 8.0 with the iptables bridge util patch.
Tim Roberts
techlists@dsslink.net
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (c) 2001, 2002 Sparkle Computer Co ltd.
# based on rc.firewall by Oskar Andreasson <blueflux@koffein.net>
# parts (c) of BoingWorld.com, use at your own risk,
# do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com and Sparkle Computer Co Ltd
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall across the network
# For maximum security don't set one up - but then you must do
# everything directly on the firewall.
BR_IP=65.173.10.254
BR_IFACE=br0
LAN_BCAST_ADDRESS=65.173.13.255
INTERNAL_ADDRESS_RANGE=65.173.120.0/22
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#
# Take down the interfaces before setting up the bridge
#
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
# Clean up for a restart
$IPTABLES -F
$IPTABLES -X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
$IPTABLES -t mangle -P PREROUTING DROP
# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr $BR_IFACE
# and add the interfaces to it
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
# make us visible to the network again (optional)
if [ "$BR_IP" != "" ] ; then
ifconfig $BR_IFACE $BR_IP
else
# otherwise we must at least bring the interface up for the bridge to work.
ifconfig $BR_IFACE up
fi
# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
# Accept internal packets on the internal i/f
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
# Accept external packets on the external i/f
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT #icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
#
$IPTABLES -N tcp_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# TCP rules
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed # smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed # gnutella
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed # smtp
$IPTABLES -A FORWARD -p TCP -j tcp_packets
#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the PREROUTING restrictions above mean that only packets from inside
# the firewall can fulfill the source condition. So the firewall machine should not be
# visible to the internet.
#
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT
# But you *will* need this
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died: "
* Re: Bridging Firewall
From: Joel Newkirk @ 2003-02-06 0:07 UTC
To: Tim Roberts; +Cc: netfilter
On Wednesday 05 February 2003 05:01 pm, Tim Roberts wrote:
> Hi, I successfully configured (I think) a bridging firewall using the
> script provided in David Whitmarsh's how-to at
> http://www.sparkle-cc.co.uk/firewall/firewall.html. I have a few
> questions, as I am trying VERY hard to never have to see a Windows
> XXAnything disc again.
>
> 1.) I do not see anything other than iptables starting up and
> learning... in /var/log/messages. I have un-remarked kernel* to
> point to /var/log/messages. I think the only logging being done is if
> a DOS occurs. Based on his script, how do I enable more or any
> logging that will show me a little or a lot of something? :)
If you want to write something to the log during script execution, just
use echo right in the script. Very handy for 'breakpoint' style
debugging of the script. I'd suggest adding a prefix like "IPT:" to the
echoed string, to make it easily greppable. Otherwise, use the "-j LOG"
target to write log entries when matching packets hit the LOGging rule.
(The same suggestion applies here, using the "--log-prefix" parameter.)
> 2.) I have 2 NICs, both public (which is why I chose to bridge). In
> this script, I enabled the option to allow remote access from my LAN.
> However, I cannot even ping, from inside the LAN, the specified
> address in the script to the firewall.
I've never worked hands-on with bridging, so I don't know if this is an
effect of the set-up or not. Are you sure the interface is up with that
IP?
> 3.) The firewall cannot ping outside the LAN (which I could care less about),
> but I'm getting messages when the script runs that the machine cannot
> look up or resolve the FQDNs specified to be blocked.
Try inserting "dig {FQDN}" in the script, it should output its results to
the logfile as well, and you can look to see if DNS is working correctly
at that point in the process... Generally it is much quicker, and
technically safer, to specify IPs instead of FQDNs anyway.
I've commented on a few (fragmented out-of-context) portions of the
script below...
> # Our interfaces don't have IP addresses so we have to start with the mangle
> # PREROUTING table
??? I realize this is from the original script, but still: ???
> $IPTABLES -t mangle -P PREROUTING DROP
You should never have anything but ACCEPT policy for any mangle table
chains, nor for any nat table chains. Filter in the filter table.
> # Now we are pretty secure, let's start the bridge
> # This will create a new interface
Simply setting DROP policy in INPUT, OUTPUT, and FORWARD chains is quite
secure. So long as there are no rules in any of those chains, the ONLY
thing that will ever see a packet is netfilter itself.
> # Block obvious spoofs
>
> $IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
> $IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
> $IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
These should be done in the FORWARD chain of the filter table, and
possibly in the INPUT chain of the filter table, NOT in any mangle table
chains.
> # Accept internal packets on the internal i/f
> $IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
Again here.
> $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
Repeat after me: "FILTER in the FILTER table. MANGLE in the MANGLE
table. NAT in the NAT table." :^) I don't care what Mr Whitmarsh's
script and tutorial state, this is NOT what the mangle table is for, and
is just generally a bad idea. For what you are doing in this setup, you
don't even NEED the mangle table, or the nat table.
> $IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
A good start, although some situations warrant tighter control on what
the local clients are allowed to do.
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "
This doesn't make much sense. All this does is log ANY packet (well,
actually only 3/minute maximum) that didn't come from
INTERNAL_ADDRESS_RANGE and isn't part of or related to an ESTABLISHED
connection, and refer to it as having 'died'. They haven't necessarily
'died', especially since there are more FORWARD rules below this point.
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded
> $IPTABLES -A FORWARD -p ICMP -j icmp_packets
These should all be caught by the "ESTABLISHED,RELATED" state rule above,
since they are all 'response' type communications.
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS
> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp
> $IPTABLES -A FORWARD -p UDP -j udpincoming_packets
Same here. Since you are specifying source-port of 53 and 123, then
these should only match replies coming back, which would already have
matched "ESTABLISHED,RELATED". (However, someone could try to connect
to ANY UDP port they want, and so long as the source-port is one of
these, your firewall would allow the connection to be established!)
> $IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed # smtp
If springfield.sparkle-cc.co.uk has a static IP, why not just use it
here? That would circumvent your DNS lookup difficulties... For better
readability, assign "SPRINGFIELD=w.x.y.z" at the top, and use
$SPRINGFIELD here. (Nitpicking, but this is HTTP, not SMTP: of course,
anyone who wouldn't realize this probably has no business digging
through your firewall script anyway... :^)
> $IPTABLES -A FORWARD -p TCP -j tcp_packets
j
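One way to rebuild the posted policy along the lines of Joel's comments, as an added example that is not part of the thread or of Mr Whitmarsh's script: filtering only in the filter table, the ESTABLISHED,RELATED rule first, the spoof drops in FORWARD and INPUT, inbound services matched by destination address and port rather than source port, and the LOG rule last so that "dropped" is literally true. The static addresses for springfield and lisa are made-up placeholders, and the physdev match (used to tell which bridge port a frame arrived on) is assumed to be available in the kernel and iptables in use.

```shell
#!/bin/sh
# Added example, not the thread's or Mr Whitmarsh's code: the posted policy rebuilt
# the way Joel suggests. Filtering happens only in the filter table, the state rule
# comes first, spoof drops sit in FORWARD/INPUT, and LOG is the last rule.
# Interface names and address ranges are the original post's.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo to print instead of apply
LAN_IFACE="eth0"; INET_IFACE="eth1"; BR_IFACE="br0"; LO_IFACE="lo"
INTERNAL_ADDRESS_RANGE="65.173.120.0/22"
BR_IP="65.173.10.254"
SPRINGFIELD="192.0.2.10"   # constructed placeholder for springfield's static IP
LISA="192.0.2.11"          # constructed placeholder for lisa's static IP

build_rules() {
    $IPTABLES -F; $IPTABLES -X
    $IPTABLES -P INPUT DROP; $IPTABLES -P FORWARD DROP; $IPTABLES -P OUTPUT ACCEPT
    # Nothing touches the mangle or nat tables; their policies stay ACCEPT.
    # Spoof checks in one filter-table chain, used by both FORWARD and INPUT.
    $IPTABLES -N spoof
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPTABLES -A spoof -s "$net" -j DROP
    done
    # Our own range arriving on the Internet-side bridge port is a spoof too.
    # physdev match assumed available (identifies the bridge port a frame came in on).
    $IPTABLES -A spoof -m physdev --physdev-in "$INET_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -j DROP
    $IPTABLES -A FORWARD -j spoof
    $IPTABLES -A INPUT -j spoof
    # Replies first: this one rule covers the ICMP reply types and the DNS/NTP
    # answers the source-port rules tried to match, without the hole they opened.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A FORWARD -m physdev --physdev-in "$LAN_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -j ACCEPT
    # Inbound services: destination address and port only; a sender picks its own source port.
    $IPTABLES -A FORWARD -p tcp --syn -d "$SPRINGFIELD" --dport 25 -j ACCEPT    # smtp
    $IPTABLES -A FORWARD -p tcp --syn -d "$SPRINGFIELD" --dport 80 -j ACCEPT    # http
    $IPTABLES -A FORWARD -p tcp --syn -d "$LISA" --dport 6346 -j ACCEPT         # gnutella
    # Last rule: anything still here falls through to the DROP policy, so say so.
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level 7 --log-prefix "IPT FORWARD dropped: "
    # Traffic to the firewall itself: loopback, replies, then LAN hosts to BR_IP.
    $IPTABLES -A INPUT -i "$LO_IFACE" -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$BR_IFACE" -s "$INTERNAL_ADDRESS_RANGE" -d "$BR_IP" -j ACCEPT
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level 7 --log-prefix "IPT INPUT dropped: "
}

case "${1:-}" in apply) build_rules ;; esac
```

Run it as root with `apply` to load the rules, or with `IPTABLES=echo` to print the rule set and review it before loading.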
* Bridging Firewall
@ 2003-03-27 20:20 Andrew J. Meader
From: Andrew J. Meader @ 2003-03-27 20:20 UTC
To: netfilter
Hi All,
I am trying to set up a bridging firewall with Red Hat 8.0. I can not
get packets to flow from nic to nic.
Topology:
     br0
      |
      |
   -------
   |     |
 eth1   eth2
Here are the steps I have taken to setup the bridge:
ifdown eth1
ifdown eth2
ifconfig eth1 0.0.0.0
ifconfig eth2 0.0.0.0
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig br0 0.0.0.0
When I ifconfig br0 I can see that rx packets are incrementing but tx
packets are not incrementing. Are there any known issues with RH8.0 and
bridging? Thanks for helping.
Andy
* Re: Bridging Firewall
From: Francisco Medina Lopez @ 2003-03-27 21:12 UTC
To: Andrew J. Meader; +Cc: netfilter
You forgot one step; the whole procedure is like this:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig eth0 0.0.0.0 promisc
ifconfig eth1 0.0.0.0 promisc
ifconfig br0 up
ip link set eth0 up
ip addr add 172.16.41.211/24 brd + dev br0
ip route add default via 172.16.41.250
On Thu, 2003-03-27 at 14:20, Andrew J. Meader wrote:
> Hi All,
>
> I am trying to set up a bridging firewall with Red Hat 8.0. I can not
> get packets to flow from nic to nic.
>
> Topology:
>
>      br0
>       |
>       |
>    -------
>    |     |
>  eth1   eth2
>
> Here are the steps I have taken to setup the bridge:
>
> ifdown eth1
> ifdown eth2
>
> ifconfig eth1 0.0.0.0
> ifconfig eth2 0.0.0.0
>
> brctl addbr br0
>
> brctl addif br0 eth1
> brctl addif br0 eth2
>
> ifconfig br0 0.0.0.0
>
> When I ifconfig br0 I can see that rx packets are incrementing but tx
> packets are not incrementing. Are there any known issues with RH8.0 and
> bridging? Thanks for helping.
>
> Andy