* Beginner Question on restricting traffic within the same subnet.
From: paddy joesoap @ 2009-11-02 15:21 UTC
  To: netfilter

Hi there,

Normally I think of firewalls as controlling packet flows that pass
through it (for example: Internet to Intranet).

Can netfilter also control traffic on the same subnet? Is this a
typical thing to do, or is it more normal to deploy local hosted
firewalls also on machines?

Suppose I had the following set up:
Internal Machines 1,2 and 3 are on the same subnet governed by the
netfilter firewall.

                                           ---------- Machine1
Internet ------ Netfilter Firewall ---------- Machine2
                                           ---------- Machine3

Suppose I don't want Machine1 communicating with Machine3. Assume eth0
is internal Netfilter interface. All machines are in the same subnet.
The Netfilter firewall can be considered to also be a typical Linux box
with router capabilities.

Is it normal to have the firewall restrict this kind of local subnet
access even though it does not technically leave the network?

Would the rules be as follows:

M1=Machine1IP   # replace with the real addresses
M3=Machine3IP
iptables -A FORWARD -i eth0 -s $M1 -d $M3 -j DROP
iptables -A FORWARD -o eth0 -s $M1 -d $M3 -j DROP
iptables -A FORWARD -i eth0 -s $M3 -d $M1 -j DROP  # redundant to previous rules?
iptables -A FORWARD -o eth0 -s $M3 -d $M1 -j DROP  # redundant to previous rules?
iptables -A FORWARD -i eth0 -j ACCEPT  # any source/destination: allow Machine1
                                       # to talk to Machine2 and vice versa, and
                                       # Machine3 to Machine2 and vice versa
iptables -A FORWARD -o eth0 -j ACCEPT  # same, for packets leaving via eth0


* Re: Beginner Question on restricting traffic within the same subnet.
From: Pascal Hambourg @ 2009-11-02 15:51 UTC
  To: netfilter

Hello,

paddy joesoap wrote:
> 
> Normally I think of firewalls as controlling packet flows that pass
> through it (for example:Internet to Intranet).
> 
> Can netfilter also control traffic on the same subnet?

Yes, if the traffic passes through it. This can be done by setting up a
filtering bridge using bridge-nf : the IP packets in bridged ethernet
frames will be filtered by iptables rules.

> Suppose I had the following set up:
> Internal Machines 1,2 and 3 are on the same subnet governed by the
> netfilter firewall.
> 
>                                    ---------- Machine1
> Internet ------ Netfilter Firewall ---------- Machine2
>                                    ---------- Machine3

Does the Firewall bridge Machine1-3 together (and thus have a separate
ethernet interface for each one) or is there an ethernet switch between
them ? A switch won't pass the traffic between Machine1-3 to the Firewall.


* Re: Beginner Question on restricting traffic within the same subnet.
From: paddy joesoap @ 2009-11-02 17:02 UTC
  To: Pascal Hambourg; +Cc: netfilter

Hi Pascal,

On Mon, Nov 2, 2009 at 3:51 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> paddy joesoap wrote:
>>
>> Normally I think of firewalls as controlling packet flows that pass
>> through it (for example:Internet to Intranet).
>>
>> Can netfilter also control traffic on the same subnet?
>
> Yes, if the traffic passes through it. This can be done by setting up a
> filtering bridge using bridge-nf : the IP packets in bridged ethernet
> frames will be filtered by iptables rules.

I need to do some reading here. So thanks for this. But once I form a
"bridge", I can then apply standard iptables rules, right? Will it
only inspect packets at layer 2 and not layer 3,4 and 7? Again, I
better read about the area before posing such questions.

>
>> Suppose I had the following set up:
>> Internal Machines 1,2 and 3 are on the same subnet governed by the
>> netfilter firewall.
>>
>>                                    ---------- Machine1
>> Internet ------ Netfilter Firewall ---------- Machine2
>>                                    ---------- Machine3
>
> Does the Firewall bridge Machine1-3 together (and thus have a separate
> ethernet interface for each one) or is there an ethernet switch between
> them ? A switch won't pass the traffic between Machine1-3 to the Firewall.

I was thinking of a typical SOHO router (combined switch, routing, NAT
and firewall) or a simple standalone Linux box that has a switch (even
an outdated hub!) connected to it and then the 3 machines on the far side
of the switch.

This is currently just a hypothetical question.

I presumed that given a firewall can examine packets from the internal
network outbound, that it can also examine packets that are never
routed externally.

Maybe, for example, I have a laptop, a server and printer in my
network. Perhaps only the laptop can print and access the server. The
printer cannot communicate with the server.

Now, I know I can install netfilter locally on the server and even TCP
wrappers, but I am interested to know, from a security-in-depth point of
view, if a firewall can also control access amongst machines/systems on
the same network (filter by IP addresses on the same subnet; I
presume the firewall machine also needs to be a router).





* Re: Beginner Question on restricting traffic within the same subnet.
From: Pascal Hambourg @ 2009-11-02 21:25 UTC
  To: netfilter

paddy joesoap wrote:
> 
> I need to do some reading here. So thanks for this. But once I form a
> "bridge", I can then apply standard iptables rules, right? Will it
> only inspect packets at layer 2 and not layer 3,4 and 7? Again, I
> better read about the area before posing such questions.

If enabled, bridge-nf extracts the IP packet from the ethernet frame
payload and passes it to iptables. iptables rules inspect the IP packet
as usual, except that -i|-o match the bridge name and --physdev-in|out
match the bridge physical interfaces.

If you only need to do basic filtering based on interfaces or IP
addresses, you can simply do it with ebtables. bridge-nf and iptables
are useful for more advanced IP filtering that ebtables cannot do.

Information about bridge-nf aka bridge-netfilter is available in the
documentation section of <http://ebtables.sourceforge.net/>.

>>> Internal Machines 1,2 and 3 are on the same subnet governed by the
>>> netfilter firewall.
>>>                                    ---------- Machine1
>>> Internet ------ Netfilter Firewall ---------- Machine2
>>>                                    ---------- Machine3
>>
>> Does the Firewall bridge Machine1-3 together (and thus have a separate
>> ethernet interface for each one) or is there an ethernet switch between
>> them ? A switch won't pass the traffic between Machine1-3 to the Firewall.
> 
> I was thinking of a typical SOHO router (combined switch, routing, nat
> and firewall) or a simple standalone linux box that has a switch (even
> outdated hub!) connected to it and then the 3 machines on the far side
> of the switch.

With a SOHO router, it depends on how the built-in switch works. If each
ethernet port is or can be set as a separate interface (possibly through
the use of VLANs), then you can build a Linux bridge and inspect bridged
traffic with ebtables or bridge-nf + iptables. Otherwise, a plain
switch (either built-in or external) won't allow you to inspect LAN
traffic. Traffic between two machines will just flow through the switch
without hitting the firewall.

> This is currently just a hypothetical question.
> 
> I presumed that given a firewall can examine packets from the internal
> network outbound, that it can also examine packets that are never
> routed externally.
[...]
> Now, I know I can install netfilter locally on the server and even TCP
> wrapper but I am interested to know from a security in depth point of
> view, if a firewall also control access amongst machines/systems on
> the same network? (filter by ip addresses on the same subnet. I
> presume the firewall machine needs also be a router).

A firewall can only inspect packets that pass through it. If it is
connected to a port of a switch, it won't see the traffic of the other
ports. The switch is the only one that can see and inspect the traffic.
A Linux bridge is just that: a software switch with filtering capabilities.

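As an added example (this is not code from the thread or from the netfilter project) of the setup Pascal describes: a Linux box that bridges one physical port per machine and filters the bridged frames, first with ebtables alone, then with bridge-nf plus iptables and the physdev match. The interface names eth0 (WAN) and eth1 to eth3 (one LAN port each), the 192.168.1.0/24 addressing and the bridge name br0 are assumptions; on a router whose built-in switch can put each port in its own VLAN, the three port variables would be the corresponding VLAN interfaces instead. The script emits the commands rather than executing them, so they can be reviewed and then piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the thread. Isolate Machine1 from Machine3 on a
# Linux box that bridges the LAN ports in software instead of switching
# them in hardware. All names and addresses below are assumptions:
#   eth0 = WAN, eth1/eth2/eth3 = one port per machine (or VLAN interfaces
#   such as vlan2..vlan4 on a VLAN-capable switch chip), LAN 192.168.1.0/24,
#   Machine1 = .1, Machine3 = .3, bridge = br0.
# Commands are printed so they can be reviewed; run "sh this.sh | sudo sh"
# to apply them.
set -eu

BR=br0
WAN=eth0
P1=eth1; P2=eth2; P3=eth3
LAN=192.168.1.0/24
M1=192.168.1.1
M3=192.168.1.3

# Build the bridge: the LAN ports become bridge members, so frames between
# Machine1-3 now cross the kernel (and its filter hooks) instead of a switch.
bridge_setup() {
    echo "ip link add name $BR type bridge"      # 2009-era equivalent: brctl addbr
    for p in $P1 $P2 $P3; do
        echo "ip link set $p master $BR"
        echo "ip link set $p up"
    done
    echo "ip addr add 192.168.1.254/24 dev $BR"
    echo "ip link set $BR up"
    # bridge-nf: hand the IP packet inside each bridged frame to iptables.
    # On current kernels this lives in the br_netfilter module; the sysctl
    # is the switch Pascal refers to as "bridge-nf enabled".
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# Variant A: ebtables alone, enough for port- or IP-based isolation.
ebtables_rules() {
    # keyed on the physical port each machine is plugged into
    echo "ebtables -A FORWARD -i $P1 -o $P3 -j DROP"
    echo "ebtables -A FORWARD -i $P3 -o $P1 -j DROP"
    # the same keyed on IP address, which survives a machine changing port
    echo "ebtables -A FORWARD -p IPv4 --ip-src $M1 --ip-dst $M3 -j DROP"
    echo "ebtables -A FORWARD -p IPv4 --ip-src $M3 --ip-dst $M1 -j DROP"
}

# Variant B: bridge-nf + iptables. For bridged traffic -i/-o match the
# bridge itself (br0), so the physical port is selected with the physdev
# match; -i eth1 style rules, as in the original question, never match.
iptables_rules() {
    echo "iptables -A FORWARD -m physdev --physdev-in $P1 --physdev-out $P3 -j DROP"
    echo "iptables -A FORWARD -m physdev --physdev-in $P3 --physdev-out $P1 -j DROP"
    # everything else inside the LAN (Machine1<->Machine2, Machine3<->Machine2)
    echo "iptables -A FORWARD -i $BR -o $BR -s $LAN -d $LAN -j ACCEPT"
    # routed traffic between the LAN and the Internet, stateful
    echo "iptables -A FORWARD -i $BR -o $WAN -s $LAN -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN -o $BR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Either variant on its own is sufficient; both are emitted so the two
# styles can be compared side by side.
all_rules() {
    bridge_setup
    ebtables_rules
    iptables_rules
}

all_rules
```

Two checks worth doing after applying it: `bridge link` (or `brctl show` on older systems) should list the three ports as members of br0, and `iptables -L FORWARD -v` should show the physdev DROP counters increasing while Machine1 pings Machine3. If those counters stay at zero, the frames are not reaching iptables at all, which is the symptom of bridge-nf being off (`net.bridge.bridge-nf-call-iptables=0`, or br_netfilter not loaded) or of the machines sitting behind a hardware switch that never hands the frames to the kernel, which is exactly the point Pascal makes above.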

* Re: Beginner Question on restricting traffic within the same subnet.
From: paddy joesoap @ 2009-11-02 21:58 UTC
  To: Pascal Hambourg; +Cc: netfilter

>> I was thinking of a typical SOHO router (combined switch, routing, nat
>> and firewall) or a simple standalone linux box that has a switch (even
>> outdated hub!) connected to it and then the 3 machines on the far side
>> of the switch.
>
> With a SOHO router, it depends on how the built-in switch works. If each
> ethernet port is or can be set as a separate interface (possibly through
> the use of VLANs), then you can build a Linux bridge and inspect bridged
> traffic with ebtables or bridge-nf + iptables. Otherwise, a plain
> switch, either built-in or external) won't allow you to inspect LAN
> traffic. Traffic between two machines will just flow through the switch
> without hitting the firewall.
>

I'll look into ebtables, thanks for the pointer.

My home router is a Linksys WRT54GL with a 4 port switch. I have
installed DD-WRT on it.

I just presumed, at least on a home network SOHO, that I could control
access to internal LAN devices at the iptables rules level (layers 3,4
and 7 if l7-filter is inbuilt).

I just took a quick look at switches and see they perform rudimentary
routing at layer 2. So thanks for clearing that up. I'll do a bit of
reading into ebtables.

If I understood what you said about firewalls and switches in broad
terms (possibly in an enterprise setting), I can essentially "trick",
for want of a better term, the switch into forwarding all traffic to the
firewall for inspection regardless of whether the packets are outbound or not.


* Re: Beginner Question on restricting traffic within the same subnet.
From: Pascal Hambourg @ 2009-11-02 22:23 UTC
  To: netfilter

paddy joesoap wrote:
>>
>> With a SOHO router, it depends on how the built-in switch works. If each
>> ethernet port is or can be set as a separate interface (possibly through
>> the use of VLANs), then you can build a Linux bridge and inspect bridged
>> traffic with ebtables or bridge-nf + iptables.
[...]
> My home router is a Linksys WRT54GL with a 4 port switch. I have
> installed DD-WRT on it.

It looks like the built-in switch of the WRT54GL is VLAN-capable, so it
should be possible to set each LAN port in a different VLAN, create VLAN
interfaces for each VLAN on the internal interface eth0 (like the WAN
port and its corresponding VLAN interface vlan1, cf. internal diagram
e.g. at <http://gablog.eu/online/node/24>) and bridge them together.
Oops, I don't know whether DD-WRT supports ebtables or has bridge-nf
enabled.

> If I understood what you said about firewalls and switches in broad
> terms (possibly in an enterprise setting)  I can essentially  "trick",
> for a want of a better term, the switch to forward all traffic to the
> firewall for inspection regardless if the packets are outbound or not.

It is possible, but I didn't mean that. I meant that the switch itself
could act as a firewall, if it is sophisticated enough.


* Re: Beginner Question on restricting traffic within the same subnet.
From: paddy joesoap @ 2009-11-02 22:38 UTC
  To: Pascal Hambourg; +Cc: netfilter

Thanks for this insightful information Pascal.

I'll take stock and get reading :-)

