Copy Link
Add to Bookmark
Report

Linux Transparent Firewall (Bridge Firewall, Layer 2)

hacker's profile picture
Published in 
2600 Salt Lake City
 · 5 years ago

 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=

-= Linux Transparent Firewall (Bridge Firewall, Layer 2) =-

-= By Mutilator =-
-= muti@hektik.org =-

-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf




Download bridge-utils package

Download kernel source 2.4.18 and extract (/usr/src/) or use Redhat kernel RPM's w/ patched code.

Download netfilter (latest version that will work with 2.4.18)

Download bridge/iptables kernel patch and patch (patch -p1 < bridge-nf-yadayada.diff)

Compile kernel, enable experimental during config

Enable network packet filtering and all subsequent options

Enable 802.1d bridging and netfilter firewalling support

Restart, extract and compile bridge-utils

Setup interfaces/bridge/firewall (see /etc/rc.d/rc.inet1)




/etc/rc.d/rc.inet1 (slackware)

HOSTNAME=`cat /etc/HOSTNAME`

/sbin/ifconfig lo 127.0.0.1

/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

/usr/sbin/brctld

/usr/sbin/brctl addbr brg0

/usr/sbin/brctl addif brg0 eth0

/usr/sbin/brctl addif brg0 eth1

/sbin/ifconfig eth0 0.0.0.0 promisc

/sbin/ifconfig eth1 0.0.0.0 promisc

/sbin/ifconfig brg0 200.200.59.216 promisc

/sbin/route add default gw 200.200.59.1

/sbin/modprobe ip_conntrack_ftp

/sbin/modprobe ip_conntrack_irc

/etc/rc.d/rc.firewall




/etc/rc.d/rc.firewall (slackware)

iptables -F # Flush all rules

iptables -X # Delete user created chains




# CHAIN CREATION




# Create chain valid_traffic

iptables -N valid_traffic

iptables -A valid_traffic -m state --state INVALID -j DROP # Drop bad states

iptables -A valid_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept related/established







# Create chain for allow list

iptables -N all_allow

iptables -A all_allow -s 200.200.59.102 -j ACCEPT # Damon

iptables -A all_allow -s 200.200.59.103 -j ACCEPT # Shyra

iptables -A all_allow -s 200.200.59.100 -j ACCEPT # Chris

iptables -A all_allow -s 200.200.59.226 -j ACCEPT # Steve

iptables -A all_allow -s 200.200.59.106 -j ACCEPT # VOIP Gateway out

iptables -A all_allow -d 200.200.59.106 -j ACCEPT # VOIP Gateway in







# Create chain for all ICMP packets

iptables -N icmp_packets

iptables -A icmp_packets -p icmp --icmp-type 8/0 -s 200.200.59.0/24 -j ACCEPT # Allow echo req out







# Create chain for all UDP packets

iptables -N udp_packets

iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 53 -j ACCEPT # DNS out

iptables -A udp_packets -p udp -s 200.200.59.0/24 --dport 123 -j ACCEPT # NTP out

iptables -A udp_packets -p udp -d 200.200.59.100 --dport 53 -j ACCEPT # DNS in

iptables -A udp_packets -p udp -d 200.200.59.101 --dport 53 -j ACCEPT # (only allow to local DNS)







# Create chain for TCP packets in

iptables -N tcp_in

iptables -A tcp_in -p tcp -d 200.200.59.0/24 --dport 113 -j ACCEPT # Identd in

iptables -A tcp_in -p tcp -m multiport -d 200.200.59.101 --dport 80,443 -j ACCEPT # ORG Main web

iptables -A tcp_in -p tcp -m multiport -d 200.200.59.104 --dport 80,443 -j ACCEPT # Server in

iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 80 -j ACCEPT # ORG IT Web in

iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 25 -j ACCEPT # SMTP Server

iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 110 -j ACCEPT # POP

iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 21 -j ACCEPT # FTP Server







# Create chain for TCP packets out

iptables -N tcp_out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 80 -j ACCEPT # WWW out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 443 -j ACCEPT # Secure WWW out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 22 -j ACCEPT # SSH out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 21 -j ACCEPT # FTP out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 23 -j ACCEPT # Telnet out

iptables -A tcp_out -p tcp -s 200.200.59.0/24 --dport 5190 -j ACCEPT # AIM out

iptables -A tcp_out -p tcp -s 200.200.59.217 --dport 25 -j ACCEPT # SMTP out (only on mail server)

# END CHAIN CREATION










# BEGIN PACKET TRAVERSAL

iptables -t mangle -A PREROUTING -i eth1 -s 200.200.59.0/24 -j ACCEPT # Drop spoofed packets

iptables -t mangle -A PREROUTING -i eth0 ! -s 200.200.59.0/24 -j ACCEPT




iptables -A FORWARD -j valid_traffic # Pass all boxes to valid_traffic (check state)

iptables -A FORWARD -j all_allow # Check IP allow list

iptables -A FORWARD -p icmp -j icmp_packets # Send to ICMP packets chain if ICMP packet

iptables -A FORWARD -p udp -j udp_packets # Send to UDP packets chain if UDP packet

iptables -A FORWARD -p tcp -d 200.200.59.0/24 -j tcp_in # Pass incoming TCP to tcp_in chain

iptables -A FORWARD -p tcp -s 200.200.59.0/24 -j tcp_out # Pass outgoing TCP to tcp_out chain

iptables -A FORWARD -p tcp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # Allow carbon copy in/out

iptables -A FORWARD -p udp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # (Annoying exception)




iptables -A FORWARD -j DROP # Drop anything that didn't match

# END PACKET TRAVERSAL

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-
� 2600SLC.ORG 2002
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT