Linux Bridge Firewall
From Cryptolife
This document describes how to install and configure a Linux box in the role of a firewall-bridge: a transparent, layer-2 filtering device that is inserted between a gateway and a group of servers without renumbering either side. Comments and feedback are welcome at :
What Is a Firewall-Bridge?
A firewall-bridge is usually a Linux box that connects (or separates) two or more network segments at the Ethernet level while applying packet and traffic filtering to everything that crosses it. The bridge interfaces carry no IP address, so the hosts on either side see a plain wire and the firewall itself is only reachable through a separate management interface. Filtering can be done with ebtables (on Ethernet frames) or, as in this document, with iptables. Note that iptables only sees bridged traffic when the bridge netfilter hook is enabled (net.bridge.bridge-nf-call-iptables=1, which on current kernels requires the br_netfilter module); with the hook off, bridged frames bypass the FORWARD chain entirely and the DROP policy protects nothing.
Example:
[NETWORK GATEWAY]--------[Linux Firewall-Bridge]--------(Network switch)--------[Servers]
   192.168.0.1         eth0               eth1                                192.168.0.3-254
                       eth3 (dedicated management interface): 192.168.0.2

The addresses are the ones used in the configuration below: the management interface takes 192.168.0.2 and reaches the gateway at 192.168.0.1, so no server may use 192.168.0.2. The bridge ports eth0 and eth1 have no address at all.
Before starting:
eth0 is the interface facing the NETWORK GATEWAY
eth1 is the interface facing the Servers (through the switch)
eth3 is the dedicated management interface, the only one that gets an IP address
Disable any DHCP client and the distribution's startup network scripts for the interfaces that will be members of the bridge, in this case eth0 and eth1, and do not assign them IP addresses: a bridge port with an address makes the firewall box itself reachable on the data path it is supposed to be invisible on.
Install the bridge utilities (the Debian package is bridge-utils; it provides brctl) with:
apt-get install bridge-utils
On current distributions brctl is deprecated in favour of the iproute2 "ip link" and "bridge" commands, which can do everything below; the brctl commands still work wherever the package is available.
Creating the bridge:
# take both data interfaces down before enslaving them
ifconfig eth0 down
ifconfig eth1 down
# create the bridge device and add both data interfaces as ports
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
# forward delay of 1 second: the time a newly enabled port spends in the listening/learning state before it forwards
brctl setfd br0 1
# bring the ports and the bridge up; none of them gets an IP address
ifconfig eth0 up
ifconfig eth1 up
ifconfig br0 up
Remote management interface setup:
# the management interface is the only one with an address; give the netmask explicitly
ifconfig eth3 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
# replaces any existing resolver configuration
echo "nameserver 192.168.0.1" > /etc/resolv.conf
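The three things that most often go wrong with the setup above are an address left on a bridge port, a data interface that never became a port of br0, and the bridge netfilter hook being off so that iptables never sees bridged frames. They can be verified before the firewall script is loaded. The following pre-flight script is an added example and not part of the original page; it assumes the interface names and the standard sysfs and procfs paths used above, and each check takes its input as an argument or on stdin so it can also be run against saved output.

```shell
#!/bin/bash
# Added example: pre-flight checks for the bridge built above.
# Paths and interface names are the ones this page uses.
SYSFS=${SYSFS:-/sys/class/net}

# 1. Both data interfaces must be ports of br0. Checks the sysfs brif
#    directory the bridge driver maintains ("brctl show" reads the same).
bridge_has_members() {
    local br=$1 m
    shift
    for m in "$@"; do
        if [ ! -d "$SYSFS/$br/brif/$m" ]; then
            echo "$m is not a port of $br" >&2
            return 1
        fi
    done
    return 0
}

# 2. Bridge members carry no IPv4 address. An address on eth0 or eth1 (or on
#    br0 itself) makes the firewall box reachable on the data path, next to
#    the servers, instead of only through the management interface.
#    Args: interface names; stdin: output of "ip -4 -o addr show".
bridge_members_have_no_ip() {
    local line ifname m
    while read -r line; do
        ifname=${line#* }          # drop the "N:" index
        ifname=${ifname%% *}       # keep the interface name
        for m in "$@"; do
            if [ "$ifname" = "$m" ]; then
                echo "bridge member $m has an address: $line" >&2
                return 1
            fi
        done
    done
    return 0
}

# 3. The bridge netfilter hook is on. Without it, frames bridged between
#    eth0 and eth1 never enter the iptables FORWARD chain: the DROP policy
#    and all server rules are bypassed and the bridge passes everything.
#    Arg: sysctl file (default is the real one; on kernels from 3.18 on the
#    file only exists after "modprobe br_netfilter").
bridge_nf_enabled() {
    local f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    if [ ! -r "$f" ]; then
        echo "$f not present: modprobe br_netfilter" >&2
        return 2
    fi
    if [ "$(tr -d '[:space:]' < "$f")" != "1" ]; then
        echo "bridge-nf-call-iptables is 0: sysctl -w net.bridge.bridge-nf-call-iptables=1" >&2
        return 1
    fi
    return 0
}

# Run all three against the live system: ./preflight.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    bridge_has_members br0 eth0 eth1 || rc=1
    ip -4 -o addr show | bridge_members_have_no_ip eth0 eth1 br0 || rc=1
    bridge_nf_enabled || rc=1
    [ "$rc" -eq 0 ] && echo "bridge pre-flight OK"
    exit "$rc"
fi
```

Run it with the argument check after the bridge and the management interface are up and before loading the firewall script; a non-zero exit means the bridge would either not carry traffic or carry it unfiltered.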
Firewall-bridge setup:
#!/bin/bash
IPT=/sbin/iptables

# Start from empty chains so the script can be re-run without duplicating rules
$IPT -F
$IPT -X

# By default everything is blocked
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Enable the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Bridged frames only enter the FORWARD chain when the bridge netfilter hook is on
# (recent kernels need the br_netfilter module for the sysctl to exist)
modprobe br_netfilter 2>/dev/null
echo "1" > /proc/sys/net/bridge/bridge-nf-call-iptables
# IP forwarding is not needed for bridging itself; it only matters if this box also routes
echo "1" > /proc/sys/net/ipv4/ip_forward

# Remote management interface. Ports 22, 53, 80:
# ssh in and out, DNS out for the box's own lookups, port 80 out for updates via apt-get.
# (No UDP service runs on the bridge itself, so there is no UDP INPUT rule.)
EXT_INT="eth3"
EXT_INT_TCP_IN="22"
EXT_INT_TCP_OUT="22,80"
EXT_INT_UDP_OUT="53"

# Allow replies to traffic the bridge machine accepted or initiated
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections to the bridge machine are accepted only on the management interface
$IPT -A INPUT -i $EXT_INT -p tcp -m multiport --dports $EXT_INT_TCP_IN -m state --state NEW -j ACCEPT
# New connections from the bridge machine (ssh, apt-get over HTTP, DNS lookups)
$IPT -A OUTPUT -p tcp -m multiport --dports $EXT_INT_TCP_OUT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m multiport --dports $EXT_INT_UDP_OUT -m state --state NEW -j ACCEPT

# Forwarding the traffic to and from the servers: replies to accepted connections
$IPT -A FORWARD -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# web server
SERVER1="192.168.0.3"
SERVER1_TCP_IN="22,80"
SERVER1_UDP_IN="53"
SERVER1_TCP_OUT="22,80"
SERVER1_UDP_OUT="53"
# allowed to server 1 (new connections from anywhere on the bridge to the server)
$IPT -A FORWARD -i br0 -p tcp -m multiport --dports $SERVER1_TCP_IN -d $SERVER1 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i br0 -p udp -m multiport --dports $SERVER1_UDP_IN -d $SERVER1 -m state --state NEW -j ACCEPT
# allowed from server 1 (new connections the server initiates)
$IPT -A FORWARD -i br0 -s $SERVER1 -p tcp -m multiport --dports $SERVER1_TCP_OUT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i br0 -s $SERVER1 -p udp -m multiport --dports $SERVER1_UDP_OUT -m state --state NEW -j ACCEPT

# vpn server
SERVER2="192.168.0.4"
SERVER2_TCP_IN="22"
SERVER2_UDP_IN="53,1194"
SERVER2_TCP_OUT="22,80"
SERVER2_UDP_OUT="53,1194"
# allowed to server 2
$IPT -A FORWARD -i br0 -p tcp -m multiport --dports $SERVER2_TCP_IN -d $SERVER2 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i br0 -p udp -m multiport --dports $SERVER2_UDP_IN -d $SERVER2 -m state --state NEW -j ACCEPT
# allowed from server 2
$IPT -A FORWARD -i br0 -s $SERVER2 -p tcp -m multiport --dports $SERVER2_TCP_OUT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i br0 -s $SERVER2 -p udp -m multiport --dports $SERVER2_UDP_OUT -m state --state NEW -j ACCEPT
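The SERVER1 and SERVER2 blocks above are the same four rules with different values, and they grow by copy-paste with every host added. The generator below is an added example, not the page's own script: it emits those FORWARD rules from a small table and rejects port lists that the iptables multiport match would refuse (more than 15 ports, a range counting as two, or non-numeric entries), so a typo fails loudly instead of being discovered after the DROP policies are already in place and a server has gone dark. It assumes the IPT and br0 conventions and the "-m state" style used above; the server table holds the page's two hosts and the output is printed for review rather than applied.

```shell
#!/bin/bash
# Added example: generate the per-server FORWARD rules from a table.
# Rules are printed, not applied; review them, then pipe the output into sh.
IPT=${IPT:-/sbin/iptables}
BR=${BR:-br0}

# Validate a comma-separated port list as -m multiport accepts it:
# numeric ports or low:high ranges within 1-65535, at most 15 ports,
# a range counting as two. Returns 1 on the first bad entry.
valid_portlist() {
    local rest=$1 p lo hi n=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        p=${rest%%,*}
        if [ "$p" = "$rest" ]; then
            rest=""
        else
            rest=${rest#*,}
            [ -n "$rest" ] || return 1        # trailing comma
        fi
        case "$p" in ""|*:*:*|*[!0-9:]*|:*|*:) return 1 ;; esac
        lo=${p%%:*}
        hi=${p##*:}
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
        case "$p" in *:*) n=$((n + 2)) ;; *) n=$((n + 1)) ;; esac
    done
    [ "$n" -le 15 ]
}

# Emit the FORWARD rules for one server.
# Args: addr tcp_in udp_in tcp_out udp_out   ("-" means no ports in that direction)
# Prints nothing and returns 1 if any list is invalid.
server_rules() {
    local addr=$1 tcp_in=$2 udp_in=$3 tcp_out=$4 udp_out=$5 l
    for l in "$tcp_in" "$udp_in" "$tcp_out" "$udp_out"; do
        [ "$l" = "-" ] || valid_portlist "$l" || {
            echo "bad port list '$l' for $addr" >&2
            return 1
        }
    done
    # new connections from anywhere on the bridge to the server
    [ "$tcp_in" = "-" ]  || echo "$IPT -A FORWARD -i $BR -p tcp -m multiport --dports $tcp_in -d $addr -m state --state NEW -j ACCEPT"
    [ "$udp_in" = "-" ]  || echo "$IPT -A FORWARD -i $BR -p udp -m multiport --dports $udp_in -d $addr -m state --state NEW -j ACCEPT"
    # new connections initiated by the server
    [ "$tcp_out" = "-" ] || echo "$IPT -A FORWARD -i $BR -s $addr -p tcp -m multiport --dports $tcp_out -m state --state NEW -j ACCEPT"
    [ "$udp_out" = "-" ] || echo "$IPT -A FORWARD -i $BR -s $addr -p udp -m multiport --dports $udp_out -m state --state NEW -j ACCEPT"
    return 0
}

# Server table (the two hosts from the page): addr tcp_in udp_in tcp_out udp_out
SERVERS='192.168.0.3 22,80 53 22,80 53
192.168.0.4 22 53,1194 22,80 53,1194'

# Print the whole FORWARD section for a table; stops and returns 1 on the
# first invalid line.
forward_rules() {
    local addr ti ui to uo
    echo "$IPT -A FORWARD -i $BR -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while read -r addr ti ui to uo; do
        [ -n "$addr" ] || continue
        server_rules "$addr" "$ti" "$ui" "$to" "$uo" || exit 1
    done
}

# ./gen-forward.sh print      (then: ./gen-forward.sh print | sh)
if [ "${1:-}" = "print" ]; then
    forward_rules "$SERVERS"
fi
```

Because the table is validated before anything is printed, a bad entry produces an error on stderr and an empty rule set rather than a half-loaded policy; adding a host is one more line in the table.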
Troubleshooting:
To check that the bridge is up with both ports attached and that traffic to and from the servers actually crosses it, run as root:
brctl show br0
tcpdump -ni br0
If tcpdump shows the traffic but a server stays unreachable, look at the packet counters of the FORWARD chain (iptables -L FORWARD -v -n): counters that never move mean the bridged frames are bypassing iptables because the bridge netfilter hook is off, counters that grow on the chain policy line mean the rule set itself is dropping the traffic.
References:
http://www.linuxfoundation.org/en/Net:Bridge

