Linux Transparent Firewall (Bridge Firewall, Layer 2)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
-= Linux Transparent Firewall (Bridge Firewall, Layer 2) =-
-= By Mutilator =-
-= muti@hektik.org =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf
Download the bridge-utils package
Download the 2.4.18 kernel source and extract it (/usr/src/), or use Redhat kernel RPMs that already carry the patched code.
Download the iptables userspace tools (netfilter), the latest version that works with 2.4.18
Download the bridge-nf (bridge/iptables) kernel patch and apply it inside the kernel source tree (patch -p1 < bridge-nf-yadayada.diff)
Compile the kernel; during config enable "Prompt for development and/or incomplete code/drivers" (Code maturity level options), otherwise the bridging options are not offered
Enable "Network packet filtering" and the IP netfilter options under it (connection tracking, IP tables, and the state and multiport matches the rules below rely on)
Enable "802.1d Ethernet Bridging" and, under it, the "netfilter (firewalling) support" option the patch adds; without that option iptables never sees bridged frames and the box is a plain bridge
Boot the new kernel, then extract, compile and install bridge-utils
Set up the interfaces, the bridge and the firewall (see /etc/rc.d/rc.inet1 and /etc/rc.d/rc.firewall below)
/etc/rc.d/rc.inet1 (slackware)
#!/bin/sh
# Bring up loopback, build bridge brg0 from eth0 and eth1, give the bridge itself a
# management address, load the conntrack helpers, then load the firewall rules.
# Layout assumed by the firewall rules: eth0 faces the upstream router, eth1 faces the LAN.
HOSTNAME=`cat /etc/HOSTNAME`
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo
/usr/sbin/brctld                        # bridge daemon from this bridge-utils release; the brctl calls below do not depend on it
/usr/sbin/brctl addbr brg0              # create the bridge device
/usr/sbin/brctl addif brg0 eth0         # upstream/router side
/usr/sbin/brctl addif brg0 eth1         # inside/LAN side
/sbin/ifconfig eth0 0.0.0.0 promisc     # bridge ports carry no IP address; the bridge code sets promisc on its ports itself, the flag here is harmless
/sbin/ifconfig eth1 0.0.0.0 promisc
/sbin/ifconfig brg0 200.200.59.216 promisc   # the bridge's own address, used only to manage the box (promisc not required here)
/sbin/route add default gw 200.200.59.1      # the router is on the far side of the bridge, in the same /24
/sbin/modprobe ip_conntrack_ftp         # conntrack helpers so FTP/IRC data connections count as RELATED
/sbin/modprobe ip_conntrack_irc
/etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall (slackware)
#!/bin/sh
# Filters IP traffic bridged between eth0 and eth1 (FORWARD chain). Not covered here:
# traffic addressed to the bridge's own IP 200.200.59.216 (INPUT chain) and non-IP frames
# such as ARP, which iptables never sees and the bridge forwards untouched.
iptables -F # Flush all rules
iptables -X # Delete user created chains
iptables -t mangle -F # Flush the mangle table too, or the anti-spoofing rules pile up on every re-run
iptables -P FORWARD DROP # Fail closed: if this script aborts part-way, nothing is bridged
# CHAIN CREATION
# Create chain valid_traffic
iptables -N valid_traffic
iptables -A valid_traffic -m state --state INVALID -j DROP # Drop bad states
iptables -A valid_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept related/established
# Create chain for allow list
iptables -N all_allow
iptables -A all_allow -s 200.200.59.102 -j ACCEPT # Damon
iptables -A all_allow -s 200.200.59.103 -j ACCEPT # Shyra
iptables -A all_allow -s 200.200.59.100 -j ACCEPT # Chris
iptables -A all_allow -s 200.200.59.226 -j ACCEPT # Steve
iptables -A all_allow -s 200.200.59.106 -j ACCEPT # VOIP Gateway out
iptables -A all_allow -d 200.200.59.106 -j ACCEPT # VOIP Gateway in
# Create chain for all ICMP packets
iptables -N icmp_packets
iptables -A icmp_packets -p icmp --icmp-type 8/0 -s 200.200.59.0/24 -j ACCEPT # Allow echo req out
# Create chain for all UDP packets
iptables -N udp_packets
iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 53 -j ACCEPT # DNS out
iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 123 -j ACCEPT # NTP out
iptables -A udp_packets -p udp -d 200.200.59.100 --dport 53 -j ACCEPT # DNS in
iptables -A udp_packets -p udp -d 200.200.59.101 --dport 53 -j ACCEPT # (only allow to local DNS)
# Create chain for TCP packets in
iptables -N tcp_in
iptables -A tcp_in -p tcp -d 200.200.59.0/24 --dport 113 -j ACCEPT # Identd in
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.101 --dports 80,443 -j ACCEPT # ORG Main web (multiport takes --dports; --dport belongs to the tcp match and rejects a port list)
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.104 --dports 80,443 -j ACCEPT # Server in
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 80 -j ACCEPT # ORG IT Web in
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 25 -j ACCEPT # SMTP Server
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 110 -j ACCEPT # POP
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 21 -j ACCEPT # FTP Server
# Create chain for TCP packets out
iptables -N tcp_out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 80 -j ACCEPT # WWW out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 443 -j ACCEPT # Secure WWW out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 22 -j ACCEPT # SSH out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 21 -j ACCEPT # FTP out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 23 -j ACCEPT # Telnet out
iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 5190 -j ACCEPT # AIM out
iptables -A tcp_out -p tcp -s 200.200.59.217 --dport 25 -j ACCEPT # SMTP out (only on mail server)
# END CHAIN CREATION
# BEGIN PACKET TRAVERSAL
# ANTI-SPOOFING (mangle PREROUTING). eth0 is the upstream/router side, eth1 the inside side.
# A -j ACCEPT in this chain only ends traversal of the chain and never discards a packet, so the
# unwanted combinations are DROPped explicitly. The upstream router 200.200.59.1 sits on the
# eth0 side but belongs to the same /24, so it is exempted first or it would be cut off.
# Caveat: whether '-i ethX' matches the physical port or the bridge (brg0) depends on the
# bridge-nf patch version; later versions add '-m physdev --physdev-in ethX' for exactly this.
# Verify with 'iptables -t mangle -L PREROUTING -v' that the DROP counters move when expected.
iptables -t mangle -A PREROUTING -i eth0 -s 200.200.59.1 -j ACCEPT    # upstream router, legitimately in the /24
iptables -t mangle -A PREROUTING -i eth0 -s 200.200.59.0/24 -j DROP   # outside packet claiming an inside source
iptables -t mangle -A PREROUTING -i eth1 ! -s 200.200.59.0/24 -j DROP # inside host using a foreign source address
iptables -A FORWARD -j valid_traffic # Pass every packet through valid_traffic first (state check)
iptables -A FORWARD -j all_allow # Check IP allow list
iptables -A FORWARD -p icmp -j icmp_packets # Send to ICMP packets chain if ICMP packet
iptables -A FORWARD -p udp -j udp_packets # Send to UDP packets chain if UDP packet
iptables -A FORWARD -p tcp -d 200.200.59.0/24 -j tcp_in # Pass incoming TCP to tcp_in chain
iptables -A FORWARD -p tcp -s 200.200.59.0/24 -j tcp_out # Pass outgoing TCP to tcp_out chain
# "Carbon copy" exception: any TCP/UDP packet whose source AND destination port both fall in
# 1024-2000 is accepted in either direction, NEW connections from outside included. A remote
# sender chooses its own source port, so this effectively opens inside ports 1024-2000 to
# anyone; tighten it to the hosts and ports the application really needs if at all possible.
iptables -A FORWARD -p tcp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # Allow carbon copy in/out
iptables -A FORWARD -p udp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # (Annoying exception)
iptables -A FORWARD -j DROP # Drop anything that didn't match
# END PACKET TRAVERSAL
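A way to sanity-check what the rules above actually do, added here as an example and not part of the original article: a small Python model of the rc.firewall rule set, walked with a few constructed packets the way iptables walks its chains (first matching rule wins, ACCEPT and DROP are terminal, a user chain that runs out of rules returns to its caller). The addresses and ports are the article's; the outside address 203.0.113.9, the inside host 200.200.59.105, the MANGLE_PREROUTING_FIXED variant, and the assumption that '-i eth0'/'-i eth1' match the physical bridge port (eth0 upstream, eth1 inside) are mine. It shows three things the listing alone does not make obvious: the two mangle PREROUTING rules as written drop nothing because both targets are ACCEPT, so a packet arriving from outside with the forged source 200.200.59.102 is accepted by all_allow whatever its destination port; the 1024:2000 exception lets an outside host reach any inside port in that range simply by choosing a matching source port; and the ordinary cases (inside web out, SMTP to .217, SSH from outside) behave as the comments say.

```python
"""Model of the rc.firewall rules above (added example; not code from the article).
Reproduces iptables traversal for the bridged path: mangle PREROUTING, then filter
FORWARD. First match wins, ACCEPT/DROP are terminal, an exhausted user chain returns
to its caller. Addresses/ports are the article's; sample packets are constructed.
Assumes '-i eth0'/'-i eth1' match the physical port (depends on bridge-nf version)."""
import ipaddress
from dataclasses import dataclass

INSIDE = "200.200.59.0/24"

@dataclass
class Pkt:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    icmp_type: int = 0
    iif: str = "eth0"    # physical port the frame arrived on (eth0 = upstream side)

def rule(target, **match):
    """One rule: match criteria plus a target (ACCEPT, DROP, or a user-chain name)."""
    return match, target

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(m, p):
    checks = {
        "proto": lambda v: p.proto == v,
        "s": lambda v: in_net(p.src, v),
        "not_s": lambda v: not in_net(p.src, v),  # '! -s'
        "d": lambda v: in_net(p.dst, v),
        "sport": lambda v: p.sport in v,          # a set of ports or a range()
        "dport": lambda v: p.dport in v,
        "state": lambda v: p.state in v,
        "icmp_type": lambda v: p.icmp_type == v,
        "iif": lambda v: p.iif == v,
    }
    return all(checks[k](v) for k, v in m.items())

# mangle PREROUTING as the article has it: both targets are ACCEPT, so nothing is dropped.
MANGLE_PREROUTING = [rule("ACCEPT", iif="eth1", s=INSIDE),
                     rule("ACCEPT", iif="eth0", not_s=INSIDE)]

# Assumed replacement (not in the article) that really drops spoofed sources; the router
# 200.200.59.1 shares the /24 and sits on the eth0 side, so it is exempted first.
MANGLE_PREROUTING_FIXED = [rule("ACCEPT", iif="eth0", s="200.200.59.1"),
                           rule("DROP", iif="eth0", s=INSIDE),
                           rule("DROP", iif="eth1", not_s=INSIDE)]

# filter table; rules with the same host and action are collapsed into one port set.
FILTER = {
    "valid_traffic": [rule("DROP", state={"INVALID"}),
                      rule("ACCEPT", state={"RELATED", "ESTABLISHED"})],
    "all_allow": [rule("ACCEPT", s=h) for h in ("200.200.59.102", "200.200.59.103",
                                                "200.200.59.100", "200.200.59.226",
                                                "200.200.59.106")]
                 + [rule("ACCEPT", d="200.200.59.106")],
    "icmp_packets": [rule("ACCEPT", proto="icmp", icmp_type=8, s=INSIDE)],
    "udp_packets": [rule("ACCEPT", proto="udp", s=INSIDE, dport={53, 123}),
                    rule("ACCEPT", proto="udp", d="200.200.59.100", dport={53}),
                    rule("ACCEPT", proto="udp", d="200.200.59.101", dport={53})],
    "tcp_in": [rule("ACCEPT", proto="tcp", d=INSIDE, dport={113}),
               rule("ACCEPT", proto="tcp", d="200.200.59.101", dport={80, 443}),
               rule("ACCEPT", proto="tcp", d="200.200.59.104", dport={80, 443}),
               rule("ACCEPT", proto="tcp", d="200.200.59.215", dport={80, 21}),
               rule("ACCEPT", proto="tcp", d="200.200.59.217", dport={25, 110})],
    "tcp_out": [rule("ACCEPT", proto="tcp", s=INSIDE, dport={80, 443, 22, 21, 23, 5190}),
                rule("ACCEPT", proto="tcp", s="200.200.59.217", dport={25})],
    "FORWARD": [rule("valid_traffic"),
                rule("all_allow"),
                rule("icmp_packets", proto="icmp"),
                rule("udp_packets", proto="udp"),
                rule("tcp_in", proto="tcp", d=INSIDE),
                rule("tcp_out", proto="tcp", s=INSIDE),
                # the "annoying exception": the sender chooses its own source port
                rule("ACCEPT", proto="tcp", sport=range(1024, 2001), dport=range(1024, 2001)),
                rule("ACCEPT", proto="udp", sport=range(1024, 2001), dport=range(1024, 2001)),
                rule("DROP")],
}

def walk(chain, p, table):
    """Traverse one chain: ACCEPT/DROP, or None when the chain is exhausted (RETURN)."""
    for m, target in table[chain]:
        if not matches(m, p):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        v = walk(target, p, table)
        if v is not None:
            return v
    return None

def verdict(p, prerouting=MANGLE_PREROUTING):
    """Fate of a bridged IP packet: mangle PREROUTING, then filter FORWARD (its last rule
    is an unconditional DROP, so the chain policy is never consulted)."""
    if walk("PREROUTING", p, {"PREROUTING": prerouting}) == "DROP":
        return "DROP"
    return walk("FORWARD", p, FILTER) or "ACCEPT"

if __name__ == "__main__":   # constructed sample: outside packet forged with the .102 source
    spoofed = Pkt("tcp", "200.200.59.102", "200.200.59.105", 40000, 22)
    print(verdict(spoofed), verdict(spoofed, MANGLE_PREROUTING_FIXED))  # ACCEPT DROP
```

To try other traffic, construct a Pkt and call verdict(); pass MANGLE_PREROUTING_FIXED as the second argument to see what an anti-spoof chain that actually drops changes. Counters from 'iptables -L FORWARD -v' on the real box are the final word, since this model knows nothing about what bridge-nf reports as the in-interface on a given kernel.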
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
© 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-