Nov 14, 2009

Transparent Firewall

Linux kernel 2.6, or 2.4 with the bridge-netfilter patch, with the bridge firewall option enabled.
If you want to use a 2.4 kernel, find the patch at http://ebtables.sourceforge.net/. The 2.6 kernel already includes this facility, so no patching is needed.

From here on it is assumed that the kernel is in order; what remains is to install the other programs needed to run the bridge. The computer used has two NICs, eth0 and eth1.

2. Installation & Configuration
As usual, on Debian we install the packages with apt-get.

root:~# apt-get install bridge-utils iptables

If you use another distribution you can download the source code for both programs from http://www.iptables.org/files/ and http://bridge.sourceforge.net/. Follow the README / INSTALL included in the tarball for the installation steps.

The program we get from bridge-utils is brctl. It handles every aspect of the bridge: creating it, removing it, adding interfaces, and so on. Create a bridge interface (br0) and add the two ethernet interfaces to the newly created bridge.

root:~# brctl addbr br0
root:~# brctl addif br0 eth0
root:~# brctl addif br0 eth1
root:~# ifconfig eth0 0
root:~# ifconfig eth1 0

Remove the IP addresses from eth0 and eth1; if the bridge is to be given an IP address, assign it to br0. The other two interfaces must stay up without an IP address of their own. From then on both ethernet ports will answer any request that arrives for the bridge's IP address.

Try pinging a host outside your network. If that works, the bridge is running properly. So that you do not have to repeat the steps above on every boot, edit /etc/network/interfaces and add the necessary configuration. My file is shown below as an example.

auto br0
iface br0 inet static
address 10.11.12.3
netmask 255.255.255.0
network 10.11.12.0
broadcast 10.11.12.255
gateway 10.11.12.1
bridge_ports eth0 eth1

Note the bridge_ports entry: it is the bridge-specific item, and it is what attaches eth0 and eth1 to br0.

Also make sure IP forwarding is enabled by running the following command every time the computer boots.

root:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Instead of doing it by hand you can also edit /etc/network/options.


ip_forward=yes
spoofprotect=yes
syncookies=no


Now you can configure iptables to filter the packets passing through this firewall. Iptables will not be discussed in depth here; just note that for bridged traffic the filtering is done in the FORWARD chain of the filter table. Example:

root:~# iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 10.11.12.0/24 -p tcp --dport 23 -j DROP
root:~# iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 10.11.12.0/24 -p tcp --dport 25 -j DROP
root:~# iptables -t filter -A FORWARD -s 0.0.0.0/0 -d 10.11.12.0/24 -p udp --dport 161 -j DROP

The iptables commands above drop packets from outside our network that try to reach the telnet, smtp and snmp ports. Add further filters according to your needs.

Keep the commands you run in a .sh script, make it executable, and arrange for it to run on every boot. There are several ways to do that; the easiest is to add an entry in /etc/network/interfaces. If the iptables script is stored as /etc/init.d/aturanfirewall.sh you can add the following line under the br0 entry.

up /etc/init.d/aturanfirewall.sh


The contents of /etc/network/interfaces then look like this.

auto br0
iface br0 inet static
address 10.11.12.3
netmask 255.255.255.0
network 10.11.12.0
broadcast 10.11.12.255
gateway 10.11.12.1
bridge_ports eth0 eth1
up /etc/init.d/aturanfirewall.sh
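
A possible aturanfirewall.sh, added here as an example and not the script from the original post. It assumes the post's LAN (10.11.12.0/24) and its three filtered services, matches "from outside our network" with "! -s" rather than a bare "-s 0.0.0.0" (which is 0.0.0.0/32 and matches nothing), and checks the bridge-nf-call-iptables sysctl that must be 1 for bridged frames to reach the FORWARD chain at all; the "apply" argument and the IPT dry-run variable are my additions.

```shell
#!/bin/sh
# aturanfirewall.sh (added example, not the original post's script).
# Assumptions: LAN is the post's 10.11.12.0/24; the dropped services are
# the post's three (telnet, smtp, snmp). Set IPT=echo to print the rules
# instead of applying them.
LAN=10.11.12.0/24
IPT=${IPT:-iptables}
BLOCKED="tcp:23 tcp:25 udp:161"   # proto:port pairs dropped from outside

apply_rules() {
    # flush FORWARD first so re-running on boot does not stack duplicates
    $IPT -t filter -F FORWARD
    for entry in $BLOCKED; do
        proto=${entry%%:*}
        port=${entry##*:}
        # "! -s $LAN" is what "from outside our network" means; a bare
        # "-s 0.0.0.0" would be 0.0.0.0/32 and match nothing at all
        $IPT -t filter -A FORWARD ! -s "$LAN" -d "$LAN" \
            -p "$proto" --dport "$port" -j DROP
    done
}

check_bridge_nf() {
    # bridged frames only traverse the iptables FORWARD chain when
    # bridge-netfilter is loaded and this sysctl is 1; non-zero otherwise
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# number of rules the script would install (dry run through IPT=echo)
count_rules() { ( IPT=echo; apply_rules ) | grep -c -- '-A FORWARD'; }

# apply for real only when called as "aturanfirewall.sh apply"
case "$1" in
    apply)
        check_bridge_nf || echo "warning: bridge-nf-call-iptables is not 1" >&2
        apply_rules
        ;;
esac
```

With this version the interfaces entry becomes `up /etc/init.d/aturanfirewall.sh apply`.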


With a small bash script that parses the output of "iptables -nvL FORWARD" you can monitor the filtering activity :)

+-------------+---------------------+---------------------+
| I/O Total   | 95M Packets         | 62G Bytes           |
+-------------+---------------------+---------------------+
|             | Traffic In          | Traffic Out         |
| Filter      +----------+----------+----------+----------+
|             | Byte     | Packet   | Byte     | Packet   |
+-------------+----------+----------+----------+----------+
| Ping Blaster| 0        | 0        | 23184    | 252      |
| udp 69      | 0        | 0        | 0        | 0        |
| udp 135     | 0        | 0        | 0        | 0        |
| udp 137     | 38298    | 491      | 9828     | 126      |
| udp 138     | 534      | 2        | 1343     | 5        |
| udp 445     | 0        | 0        | 0        | 0        |
| udp 161     | 3672     | 54       | 0        | 0        |
| tcp 23      | 912      | 19       | 0        | 0        |
| tcp 135     | 47520    | 990      | 1584     | 33       |
| tcp 445     | 1027K    | 21402    | 15180    | 316      |
| tcp 593     | 0        | 0        | 0        | 0        |
| tcp 4444    | 528      | 12       | 864      | 18       |
+-------------+----------+----------+----------+----------+
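
The parsing part of such a monitor, added here as an example (not the post's script). The sample "iptables -nvL FORWARD" output is constructed to reproduce the counters in the table above; note that without -x iptables abbreviates counters with K/M/G suffixes, which the awk below expands.

```shell
#!/bin/sh
# Turn "iptables -nvL FORWARD" output into "proto port target packets bytes"
# rows. Added example, not the post's monitor script. SAMPLE is constructed
# from the table in the post; on the firewall itself you would run:
#   iptables -t filter -nvL FORWARD | summarize_forward
SAMPLE='Chain FORWARD (policy ACCEPT 95M packets, 62G bytes)
 pkts bytes target     prot opt in     out     source               destination
   19   912 DROP       tcp  --  *      *       0.0.0.0/0            10.11.12.0/24        tcp dpt:23
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            10.11.12.0/24        tcp dpt:25
   54  3672 DROP       udp  --  *      *       0.0.0.0/0            10.11.12.0/24        udp dpt:161
21402 1027K DROP       tcp  --  *      *       0.0.0.0/0            10.11.12.0/24        tcp dpt:445'

summarize_forward() {
    awk '
    # iptables -v prints counters with K/M/G (x1000) suffixes unless -x is given
    function expand(v,   n, s) {
        s = substr(v, length(v), 1)
        n = substr(v, 1, length(v) - 1) + 0
        if (s == "K") return n * 1000
        if (s == "M") return n * 1000000
        if (s == "G") return n * 1000000000
        return v + 0
    }
    # rule rows start with a number; the "Chain" and header lines do not
    $1 ~ /^[0-9]/ {
        port = $NF; sub(/^dpt:/, "", port)
        printf "%s %s %s %d %d\n", $4, port, $3, expand($1), expand($2)
    }'
}

# total packets dropped across all FORWARD rules in the sample
dropped_packets() {
    printf '%s\n' "$SAMPLE" | summarize_forward | awk '{ s += $4 } END { print s }'
}
```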

3. Side Notes
From the few experiments I did, good-quality Ethernet cards help the firewall run smoothly. Every card using the 8139too driver caused the firewall's traffic to stall frequently, and the machine had to be rebooted regularly, about once a week. After replacing them with an Intel EtherExpress 100 and a 3Com 3c905B everything ran smoothly without interruption. AMD Lance (pcnet32) cards also gave good results. If you have other experiences I would be very glad to have them available here.

Ressa Restullah (May 30, 2005) - The bridge Mas Ressa built did not work well, because one of its ethernet interfaces was connected to a Cisco 1700. According to his ISP, the problem was caused by the router's "auto negotiation" feature. The problem disappeared after Mas Ressa turned off auto-negotiation on both the router and the bridge, and used a crossover cable to connect the router to the bridge. Also, try to match the interface types of the bridge and the router: if the router uses FastEthernet, use FastEthernet on the bridge too :)

4. References
http://ebtables.sourceforge.net
Securing Debian Manual
The tanya-jawab@linux.or.id mailing list
http://www.google.com :D
