Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Re: Firewall confusion
  • From: John Bland <shrike@xxxxxxxxxxxxx>
  • Date: Fri, 27 Jul 2001 20:15:38 +0100 (BST)
  • Message-id: <Pine.LNX.4.31.0107272003470.17264-100000@xxxxxxxxxxxxxxxxxxx>

> Isn't there *any* HOWTO on doing this? Invisible firewalling like this
> seems, on the face of it, a neat and simple drop in to an existing
> network, but the routing is a nightmare.

Ok, I've finally found a solution.

It's with Lennert Buytenhek's Bridge+Firewall code (see
http://bridge.sourceforge.net/ for more info) applying the bridge+firewall
patches to a stock 2.2.19 kernel.

All the traffic for our lab now goes through a knackered old P100 with two
NICs, one to outside, one to our primary hub. The bridge currently has an
ip which is great for setting it up via ssh, but once it's settled that
will be disabled and it will become all but totally transparent to the
network.

First get the bridging to work (there's a good HOWTO for this at
http://www.bnhof.de/~uwe/bridge-stp-howto/BRIDGE-STP-HOWTO/ ).

Then following the instructions there about bridging+ipchains you can set
up ipchains filters. It's not quite as versatile as normal firewalling but
it certainly does the job for most things. There is also iptables support
which is even better although it's not as tested yet and I couldn't get it
to work.

Here's an example ipchains script (definitely not real world but shows
what's going on, the rules are a bit different for the bridging firewall
as opposed to a standard one it seems to me):

-----------
#!/bin/bash

ipchains -F
ipchains -X
ipchains -Z

ipchains -N br0 # create chain with same name as the bridge device

# ingress rules (only tcp is tested below; udp and icmp match nothing in
# this chain and return to br0)

ipchains -N Iall
ipchains -A Iall -p tcp -d 138.253.x.x 80 -j ACCEPT # allow http traffic to a machine
ipchains -A Iall -p tcp -d 138.253.x.0/24 22 -j ACCEPT # allow ssh in to anything on our subnet
ipchains -A Iall -p tcp ! -y -j ACCEPT # allow data for established connections
ipchains -A Iall -p tcp -j DENY -l # deny and log the rest

# egress rules

ipchains -N Oall
ipchains -A Oall -p tcp -s 138.253.148.0/24 -d 0.0.0.0/0 23 -j ACCEPT # allow internal machines to telnet out
ipchains -A Oall -p tcp ! -y -j ACCEPT # allow data for established connections
ipchains -A Oall -p tcp -j DENY -l # deny and log the rest

# main bridge chain

ipchains -A br0 -i eth1 -j Iall # jump to Iall chain for incoming
ipchains -A br0 -i eth0 -j Oall # jump to Oall chain for outgoing
-----------

I hope this might be of use to anyone else in a similar situation.

Many thanks for the replies both on and off the list, it's been highly
educational.

JB

--
John Bland M.Phys (Hons) AMInstP / \ PhD Student & Sys Admin
Email: j.bland at cmp.liv.ac.uk / \ Condensed Matter Group
http://ringtail.cmp.liv.ac.uk/ / \ Liverpool University
"Everybody relax, I'm here." -- Jack Burton

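An added example, not part of the mail above: a small Python model of the ipchains chain walk that the bridge patch performs, loaded with the same rule shape as the script in the post, so the rule set can be audited offline before it goes on the bridge. The model covers only what the post uses (first match wins, `-j <user chain>` descends and falls back to the caller when nothing matches, `! -y` means "TCP without SYN-only flags"). The addresses 192.0.2.0/24, 192.0.2.10 and 203.0.113.5 are constructed documentation values standing in for the post's 138.253.x.x, and a packet that walks off the end of br0 is reported as FALLTHROUGH, which is this model's label, not something the bridge patch defines.

```python
"""Offline audit of a bridge+ipchains rule set (added example, not the post's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAB_NET = "192.0.2.0/24"      # constructed: stands in for 138.253.x.0/24
WEB_SERVER = "192.0.2.10"     # constructed: stands in for the http host 138.253.x.x
EXT_HOST = "203.0.113.5"      # constructed: some host outside the bridge


@dataclass
class Packet:
    iface: str                  # bridge port the frame arrived on (eth0 / eth1)
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False      # SYN set, ACK clear: what ipchains "-y" tests


@dataclass
class Rule:
    target: str                 # ACCEPT, DENY or the name of a user chain
    iface: Optional[str] = None         # "-i"
    proto: Optional[str] = None         # "-p"
    src: str = "0.0.0.0/0"              # "-s"
    dst: str = "0.0.0.0/0"              # "-d"
    dport: Optional[int] = None         # port after "-d"
    syn: Optional[bool] = None          # True = "-y", False = "! -y", None = no test
    log: bool = False                   # "-l"

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn_only != self.syn:
            return False
        return True


# Same structure as the script in the post: br0 dispatches on the input port.
CHAINS = {
    "br0": [Rule("Iall", iface="eth1"), Rule("Oall", iface="eth0")],
    "Iall": [
        Rule("ACCEPT", proto="tcp", dst=WEB_SERVER, dport=80),
        Rule("ACCEPT", proto="tcp", dst=LAB_NET, dport=22),
        Rule("ACCEPT", proto="tcp", syn=False),
        Rule("DENY", proto="tcp", log=True),
    ],
    "Oall": [
        Rule("ACCEPT", proto="tcp", src=LAB_NET, dport=23),
        Rule("ACCEPT", proto="tcp", syn=False),
        Rule("DENY", proto="tcp", log=True),
    ],
}


def walk(chains, name, pkt):
    """First terminal match as (verdict, logged); None if the chain ends unmatched."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in chains:       # user chain: descend, resume here if it has no match
            result = walk(chains, rule.target, pkt)
            if result is not None:
                return result
            continue
        return rule.target, rule.log
    return None


def verdict(pkt, chains=CHAINS):
    result = walk(chains, "br0", pkt)
    return result if result is not None else ("FALLTHROUGH", False)


# Constructed sample traffic as seen by the bridge.
SAMPLES = {
    "http syn to web server": Packet("eth1", "tcp", EXT_HOST, WEB_SERVER, 80, syn_only=True),
    "ssh syn to lab host": Packet("eth1", "tcp", EXT_HOST, "192.0.2.20", 22, syn_only=True),
    "smtp syn to lab host": Packet("eth1", "tcp", EXT_HOST, "192.0.2.20", 25, syn_only=True),
    "unsolicited ack to port 25": Packet("eth1", "tcp", EXT_HOST, "192.0.2.20", 25),
    "udp to lab host": Packet("eth1", "udp", EXT_HOST, "192.0.2.20", 53000),
    "telnet syn out": Packet("eth0", "tcp", "192.0.2.20", EXT_HOST, 23, syn_only=True),
    "smtp syn out": Packet("eth0", "tcp", "192.0.2.20", EXT_HOST, 25, syn_only=True),
}


def audit(samples=SAMPLES, chains=CHAINS):
    """Map each sample packet to the (verdict, logged) the rule set gives it."""
    return {name: verdict(pkt, chains) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (v, logged) in audit().items():
        print(f"{name:30} {v}{'  (logged)' if logged else ''}")
```

Two findings the audit surfaces that the script's comments do not: the `! -y` rule is stateless, so any TCP segment without the SYN-only flags is accepted whether or not a connection exists, and UDP or ICMP traffic is not decided by either user chain at all, so whatever the bridge does with an unmatched packet decides its fate.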
