* Bridging Firewall
@ 2003-03-27 20:20 Andrew J. Meader
2003-03-27 21:12 ` Francisco Medina Lopez
0 siblings, 1 reply; 4+ messages in thread
From: Andrew J. Meader @ 2003-03-27 20:20 UTC (permalink / raw)
To: netfilter
Hi All,
I am trying to set up a bridging firewall with Red Hat 8.0. I can not
get packets to flow from nic to nic.
Topology:
br0
|
|
------
| |
eth1 eth2
Here are the steps I have taken to setup the bridge:
ifdown eth1
ifdown eth2
ifconfig eth1 0.0.0.0
ifconfig eth2 0.0.0.0
brctl addbr br0
brctl addif br0 eth1
brctl addif br0 eth2
ifconfig br0 0.0.0.0
When I ifconfig br0 I can see that rx packets are incrementing but tx
packets are not incrementing. Are there any known issues with RH8.0 and
brdiging? Thanks for helping.
Andy
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Bridging Firewall 2003-03-27 20:20 Bridging Firewall Andrew J. Meader @ 2003-03-27 21:12 ` Francisco Medina Lopez 0 siblings, 0 replies; 4+ messages in thread From: Francisco Medina Lopez @ 2003-03-27 21:12 UTC (permalink / raw) To: Andrew J. Meader; +Cc: netfilter you forgot one step, the whole procedure is like this: brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 ifconfig eth0 0.0.0.0 promisc ifconfig eth1 0.0.0.0 promisc ifconfig br0 up ip link set eth0 up ip addr add 172.16.41.211/24 brd + dev br0 ip route add default via 172.16.41.250 On Thu, 2003-03-27 at 14:20, Andrew J. Meader wrote: > Hi All, > > I am trying to set up a bridging firewall with Red Hat 8.0. I can not > get packets to flow from nic to nic. > > Topology: > > br0 > | > | > ------ > | | > eth1 eth2 > > Here are the steps I have taken to setup the bridge: > > ifdown eth1 > ifdown eth2 > > ifconfig eth1 0.0.0.0 > ifconfig eth2 0.0.0.0 > > brctl addbr br0 > > brctl addif br0 eth1 > brctl addif br0 eth2 > > ifconfig br0 0.0.0.0 > > When I ifconfig br0 I can see that rx packets are incrementing but tx > packets are not incrementing. Are there any known issues with RH8.0 and > brdiging? Thanks for helping. > > Andy > > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Bridging Firewall
@ 2003-02-05 22:01 Tim Roberts
2003-02-06 0:07 ` Joel Newkirk
0 siblings, 1 reply; 4+ messages in thread
From: Tim Roberts @ 2003-02-05 22:01 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 7304 bytes --]
Hi, I successfully configured (I think) a bridging firewall using Script provided in David Whitmarsh's how too at http://www.sparkle-cc.co.uk/firewall/firewall.html I have a few questions as I am trying VERY hard to never have to see a Windows XXAnything disc again.
1.) I do not see anything other than IPTables starting up and learning.......in /var/log/messages. I have unremarked kernal* to point to /var/log/messages. I think the only logging being done is if a DOS occurrs. Based on his script, how do I enable more or any logging that will show me a little or alot of something? :)
2.) I have 2 NIC's both public (which is why I choose to bridge) In this script, I enabled the option to allow remote access from my LAN. However I cannot even ping.....from inside the LAN ,the specified address in the script to the firewall.
3.) The firewall cannot ping outside the LAN (which I could care less) but Im getting messages when the script runs that the machine cannot lookup or resolve FQDN's specified to be blocked.
Any help is greatly appreciated. Below is the script after I modified it. I am using REDHat 8.0 with IPTables Bridg Util Patch.
Tim Roberts
techlists@dsslink.net
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: David Whitmarsh
# (c) 2001, 2002 Sparkle Computer Co ltd.
# based on rc.firewall by Oskar Andreasson <blueflux@koffein.net>
# parts (c) of BoingWorld.com, use at your own risk,
# do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com and Sparkle Computer Co Ltd
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# BR_IP is used to access the firewall accross the network
# For maxium security don't set one up - but then you must do
# everything directly on the firewall.
BR_IP=65.173.10.254
BR_IFACE=br0
LAN_BCAST_ADDRESS=65.173.13.255
INTERNAL_ADDRESS_RANGE=65.173.120.0/22
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
#
# Support for connection tracking of FTP and IRC.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#
# Take down the interfaces before setting up the bridge
#
ifdown $INET_IFACE
ifdown $LAN_IFACE
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
# Clean up for a restart
$IPTABLES -F
$IPTABLES -X
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# Our interfaces don't have IP addresses so we have to start with the mangle
# PREROUTING table
$IPTABLES -t mangle -P PREROUTING DROP
# Now we are pretty secure, let's start the bridge
# This will create a new interface
brctl addbr $BR_IFACE
# and add the interfaces to it
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
# make us visible to the network again (optional)
if [ "$BR_IP" != "" ] ; then
ifconfig $BR_IFACE $BR_IP
else
# otherwise we must at least bring the interface up for the bridge to work.
ifconfig $BR_IFACE up
fi
# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
# Accept internal packets on the internal i/f
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
# Accept external packets on the external i/f
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT # speakfreely
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT #icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
#
$IPTABLES -N tcp_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# TCP rules
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 80 -j allowed # smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d lisa.sparkle-cc.co.uk --dport 6346 -j allowed # gnutella
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk --dport 25 -j allowed # smtp
$IPTABLES -A FORWARD -p TCP -j tcp_packets
#
# Input to the firewall itself. Leave these out if you don't want the firewall
# to be visible on the network at all.
# Note that the PREROUTING restrictions above mean that only packets form inside
# the firewall can fulfill the source condition. So the firewall machine should not be
# visible to the internet.
#
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $LAN_BCAST_ADDRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $BR_IFACE -s $INTERNAL_ADDRESS_RANGE -d $BR_IP -j ACCEPT
# But you *will* need this
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $BR_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level 7 --log-prefix "IPT OUTPUT packet died: "
[-- Attachment #2: Type: text/html, Size: 8369 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Bridging Firewall 2003-02-05 22:01 Tim Roberts @ 2003-02-06 0:07 ` Joel Newkirk 0 siblings, 0 replies; 4+ messages in thread From: Joel Newkirk @ 2003-02-06 0:07 UTC (permalink / raw) To: Tim Roberts; +Cc: netfilter On Wednesday 05 February 2003 05:01 pm, Tim Roberts wrote: > Hi, I successfully configured (I think) a bridging firewall using > Script provided in David Whitmarsh's how too at > http://www.sparkle-cc.co.uk/firewall/firewall.html I have a few > questions as I am trying VERY hard to never have to see a Windows > XXAnything disc again. > > 1.) I do not see anything other than IPTables starting up and > learning.......in /var/log/messages. I have unremarked kernal* to > point to /var/log/messages. I think the only logging being done is if > a DOS occurrs. Based on his script, how do I enable more or any > logging that will show me a little or alot of something? :) If you want to write something to the log during script execution, just use echo right in the script. Very handy for 'breakpoint' style debugging of the script. I'd suggest adding a prefix like "IPT:" to the echoed string, to make it easily greppable. Otherwise, use the "-j LOG" target to write log entries when matching packets hit the LOGging rule. (the same suggestion applies here, using "--log-prefix" parameter) > 2.) I have 2 NIC's both public (which is why I choose to bridge) In > this script, I enabled the option to allow remote access from my LAN. > However I cannot even ping.....from inside the LAN ,the specified > address in the script to the firewall. I've never worked hands-on with bridging, so I don't know if this is an effect of the set-up or not. Are you sure the interface is up with that IP? > 3.) The firewall cannot ping outside the LAN (which I could care less) > but Im getting messages when the script runs that the machine cannot > lookup or resolve FQDN's specified to be blocked. Try inserting "dig {FQDN}" in the script, it should output its results to the logfile as well, and you can look to see if DNS is working correctly at that point in the process... Generally it is much quicker, and technically safer, to specify IPs instead of FQDNs anyway. I've commented on a few (fragmented out-of-context) portions of the script below... > # Our interfaces don't have IP addresses so we have to start with the > mangle # PREROUTING table ??? I realize this is from the original script, but still: ??? > $IPTABLES -t mangle -P PREROUTING DROP You should never have anything but ACCEPT policy for any mangle table chains, nor for any nat table chains. Filter in the filter table. > # Now we are pretty secure, let's start the bridge > # This will create a new interface Simply setting DROP policy in INPUT, OUTPUT, and FORWARD chains is quite secure. So long as there are no rules in any of those chains, the ONLY thing that will ever see a packet is netfilter itself. > # Block obvious spoofs > > $IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP > $IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP > $IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP These should be done in the FORWARD chain of the filter table, and possibly in the INPUT chain of the filter table, NOT in any mangle table chains. > # Accept internal packets on the internal i/f > $IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s > $INTERNAL_ADDRESS_RANGE -j ACCEPT Again here. > $IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s > $INTERNAL_ADDRESS_RANGE -j ACCEPT Repeat after me: "FILTER in the FILTER table. MANGLE in the MANGLE table. NAT in the NAT table." :^) I don't care what Mr Whitmarsh's script and tutorial state, this is NOT what the mangle table is for, and is just generally a bad idea. For what you are doing in this setup, you don't even NEED the mangle table, or the nat table. > $IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT A good start, although some situations warrant tighter control on what the local clients are allowed to do. > $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG > --log-level 7 --log-prefix "IPT FORWARD packet died: " This doesn't make much sense. All this does is log ANY packet (well, actually only 3/minute maximum) that didn't come from INTERNAL_ADDRESS_RANGE and isn't part of or related to an ESTABLISHED connection, and refer to it as having 'died'. They haven't necessarily 'died', especially since there are more FORWARD rules below this point. > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT # echo reply > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT # dest unreachable > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT # redirect > $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # time exceeded > $IPTABLES -A FORWARD -p ICMP -j icmp_packets These should all be caught by the "ESTABLISHED,RELATED" state rule above, since they are all 'response' type communications. > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT # DNS > $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT # ntp > $IPTABLES -A FORWARD -p UDP -j udpincoming_packets Same here. Since you are specifying source-port of 53 and 123, then these should only match replies coming back, which would already have matched "ESTABLISHED,RELATED". (However, someone could try to connect to ANY UDP port they want, and so long as the source-port is one of these, your firewall would allow the connection to be established!) > $IPTABLES -A tcp_packets -p TCP -s 0/0 -d springfield.sparkle-cc.co.uk > --dport 80 -j allowed # smtp If springfield.sparkle-cc.co.uk has a static IP, why not just use it here? That would circumvent your DNS lookup difficulties... For better readability, assign "SPRINGFIELD=w.x.y.z" at the top, and use $SPRINGFIELD here. (Nitpicking, but this is HTTP, not SMTP: of course, anyone who wouldn't realize this probably has no business digging through your firewall script anyway... :^) > $IPTABLES -A FORWARD -p TCP -j tcp_packets j ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2003-03-27 21:12 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2003-03-27 20:20 Bridging Firewall Andrew J. Meader 2003-03-27 21:12 ` Francisco Medina Lopez -- strict thread matches above, loose matches on Subject: below -- 2003-02-05 22:01 Tim Roberts 2003-02-06 0:07 ` Joel Newkirk
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.