免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
最近访问板块 发新帖
查看: 1481 | 回复: 0

[网络管理] FW:Building a Bridging Firewall with Linux [复制链接]

论坛徽章:
0
发表于 2008-10-29 23:26 |显示全部楼层
Building a Bridging Firewall with Linux
www.internetsolver.com | Other Linux Documents
By David Weis with Internet Solver, LLC

Building an invisible firewall
Why and How
Wouldn't you like to have a firewall you could drop in on any network that didn't required network renumbering and could protect any device? You can build such a device with Linux using 802.1d briding and iptables.

Bridging makes your Linux machine into a very large and expensive Ethernet switch. You can put 2 or more NIC's in the machine and send packets from one segment out to another based entirely on MAC address. This will work for any protocol, not just TCP/IP.

This would be useful if you don't have administrative control over your upstream routers, or have sensitive machines to protect but don't want to set up a full routed network.

Of course you didn't spend hundreds or thousands of dollars to take the place of a $30 100BaseT switch (I hope). The exciting part is when you can transparently block and alter packets as they traverse your bridge. You can get the same blocking and mangling effect with the low-quality HP ProCurve switches, but good luck picking what gets mangled.

Getting Started
You will need a mid-range machine capable of running Linux with at least two NIC's. Try to get decent cards such as Intel EtherExpress Pro or 3Com 3C90X cards. Every single packet on each of these wires will need to be inspected, so don't cut corners on the cards.

I used RedHat 7.3 for the OS on my machine. It doesn't make too much difference, but they do include the utilities that you will need and one of the bridging code authors makes a kernel RPM available. No services will be listening at all on this machine, so network security won't be hard.

Do a minimal installation, you should be able to get it under 1 gig. Include kernel development and development tools, in case you need to recompile. You shouldn't have to, but it's easier now. Leave the network cables unconnected and give the NIC's any random IP. They won't be used.
Configuration

After the installation is complete, remove the files /etc/sysconfig/network-scripts/ifcfg-eth*. The bridge won't work if the underlying NIC's have addresses assigned to them. Also, use ntsysv to turn off any services that are listening to the network, like xinetd, sshd, portmap, and nfslocking. You can manually stop the services now also, or reboot and check again if you don't know how (hint: service sshd stop).

Grab the file bridge and drop it in /etc/rc.d/init.d/. Run chkconfig --level 345 bridge on. This will take care of creating the bridge device and adding the NIC's to the bridge.

You will also need to install the bridge-utils rpm. You can get it from your RedHat CD's or download it from ftp://rpmfind.net/linux/redhat/7 ... s-0.9.3-4.i386.rpm.

Next, grab the bridge+netfilter kernels from http://www.math.leidenuniv.nl/~buytenh/bridge-nf-rpms/. If you are using RedHat 7.3, you can just rpm --upgrade kernel-2.4.18-10brnf0.0.7.i686.rpm. It will adjust your grub.conf automatically for you. Reboot and cross your fingers. Watch for error messages.

At this point, you should be able to insert the bridging firewall into your network and everything will work just like it did before. Below is a diagram of a suggested configuration:

      192.168.1.10  192.168.1.5
      +----------+  +----------+
      | Desktop  |  | Server   |
      +-----+----+  +-----+----+
            |             |         eth1    eth0   192.168.1.1
            |             |         +----------+     +----------+
            +-------------+---------| Firewall |-----| Router   |-- Internet
                                    +----------+     +----------+

You should be able to ping the router and get to the Internet. There is a delay of 10-30 seconds while the bridge determines what is on each side and waits to forward packets. You can check what the bridge is doing by running brctl showstp br0 and check the status of each interface. If it doesn't show LEARNING or FORWARDING, something is probably wrong. If they are listed as DISABLED, you haven't brought up your underlying NIC's.

After your network is behaving like it did before you started messing with it, we can do the firewalling. I have put sample IP addresses on the devices above. Notice there isn't one on the firewall. It will be mostly invisible and not require and IP address.

We will say that our network policy allows incoming SMTP, ssh, and POP-3 to the server, and nothing to the client machine. Our firewall commands will look like this:

# allows connection tracking support, needed
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# enables connection tracking, needed
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allows all outbound traffic
iptables -A FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT

# allow inbound services
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.1.5 --destination-port smtp -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.1.5 --destination-port pop-3 -j ACCEPT
iptables -A FORWARD --in-interface eth0 --out-interface eth1 -p tcp -d 192.168.1.5 --destination-port ssh -j ACCEPT

# drop everything else
iptables -A FORWARD --in-interface eth0 --out-interface eth1  -d \! 192.168.1.5 -j REJECT

You can download this file as a text file.

After running these commands and verifying that they work as you anticipate, run /etc/rc.d/init.d/iptables save and chkconfig --level 345 iptables on to save your firewall rules and apply them at boot.

If you really, really think you need to have an IP address on the firewall, you can give one to the interface br0. DO NOT give an IP to eth0 or eth1, bad things will happen. I'm not sure what, but the bridging docs told me so.
Closing
At this point you should have a functioning network with slightly less traffic that you had before.

Links

    * Linux Bridging home
    * Bridge+Firewall Kernels for RH 7.3
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

SACC2019中国系统架构师大会

【数字转型 架构演进】SACC2019中国系统架构师大会,8.5折限时优惠重磅来袭!
2019年10月31日~11月2日第11届中国系统架构师大会(SACC2019)将在北京隆重召开。四大主线并行的演讲模式,1个主会场、20个技术专场、超千人参与的会议规模,100+来自互联网、金融、制造业、电商等领域的嘉宾阵容,将为广大参会者提供一场最具价值的技术交流盛会。

限时8.5折扣期:2019年9月30日前


----------------------------------------

大会官网>>
  

北京盛拓优讯信息技术有限公司. 版权所有 16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122
中国互联网协会会员  联系我们:huangweiwei@it168.com
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP