Welcome to the Linux Foundation Forum!
Why don't these ebtables rules work right?
debianfirewall
Posts: 5
This is on a bridging firewall
eth0 it das internaught
eth1 is the trusted network
It is supposed to allow port 22 in from the internet (works)
and allow a specific box to connect to http and https server,
and allow nothing else for now out or in. It also is supposed to makesure no ip spoofing of the specific box happens.
The port 22 in works.
The http and https out doesn't
###The invisible bridge way:
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ip link set br0 up
/sbin/ip link set eth0 up # don't ask me why
/sbin/ip link set eth1 up # don't ask me why
#/sbin/ip addr add 192.168.0.6 brd + dev br0
#/sbin/route add default gw 192.168.0.1 dev br0 ##Only needed if eth2 hasn't allready set default gateway
# ebtables...
# example rule: block all ICMP
ebtables -F FORWARD
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP
#ebtables -A FORWARD -i eth0 -j DROP
##Here We allow SSH to pass through to the ssh server
#Incoming Connection From Internet #ebtables -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination ip-of-the-ssh-server -j ACCEPT
#Reply by the server To Internet #ebtables -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source ip-of-the-ssh-server -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.22 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.22 -j ACCEPT
##Allow squid server to access HTTP and HTTPS servers on standard ports.
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --ip-source-port 80 -j ACCEPT
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-destination-port 80 -j ACCEPT
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --ip-source-port 443 -j ACCEPT
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-destination-port 443 -j ACCEPT
##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 443 -j ACCEPT
##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
ebtables -A FORWARD -i eth0 -p ip --ip-source 192.168.0.22 -j DROP
ebtables -A FORWARD -i eth0 -j DROP
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ip link set br0 up
/sbin/ip link set eth0 up # don't ask me why
/sbin/ip link set eth1 up # don't ask me why
#/sbin/ip addr add 192.168.0.6 brd + dev br0
#/sbin/route add default gw 192.168.0.1 dev br0 ##Only needed if eth2 hasn't allready set default gateway
# ebtables...
# example rule: block all ICMP
ebtables -F FORWARD
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP
#ebtables -A FORWARD -i eth0 -j DROP
##Here We allow SSH to pass through to the ssh server
#Incoming Connection From Internet #ebtables -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination ip-of-the-ssh-server -j ACCEPT
#Reply by the server To Internet #ebtables -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source ip-of-the-ssh-server -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.22 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.22 -j ACCEPT
##Allow squid server to access HTTP and HTTPS servers on standard ports.
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --ip-source-port 80 -j ACCEPT
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-destination-port 80 -j ACCEPT
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --ip-source-port 443 -j ACCEPT
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-destination-port 443 -j ACCEPT
##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 443 -j ACCEPT
##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
ebtables -A FORWARD -i eth0 -p ip --ip-source 192.168.0.22 -j DROP
ebtables -A FORWARD -i eth0 -j DROP
0
Comments
-
I am not an iptables expert and I am not sure about how you handle the ports 80 and 443 with those forward rules but how about simply doing something along the lines of:
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -m tcp --syn --dport 80 -j ACCEPT0 -
This is ebtables (ethernet bridge). It cannot use iptables and can't really screw with the protocal stuff IIRC (other than notice what proto is being used).0
-
Bridge chain: FORWARD, entries: 8, policy: DROP
-p IPv4 --ip-proto icmp -j DROP
-p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-dport 22 -j ACCEPT
-p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-sport 22 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 80 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 80 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 443 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 443 -j ACCEPT
-p IPv4 -i eth0 --ip-src 192.168.0.22 -j DROP
Why doesn't this work?0
Categories
- All Categories
- 238 LFX Mentorship
- 238 LFX Mentorship: Linux Kernel
- 812 Linux Foundation IT Professional Programs
- 365 Cloud Engineer IT Professional Program
- 183 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 129 Cloud Native Developer IT Professional Program
- 140 Express Training Courses & Microlearning
- 140 Express Courses - Discussion Forum
- Microlearning - Discussion Forum
- 6.5K Training Courses
- 40 LFC110 Class Forum - Discontinued
- 66 LFC131 Class Forum
- 49 LFD102 Class Forum
- 233 LFD103 Class Forum
- 16 LFD110 Class Forum
- 29 LFD121 Class Forum
- LFD123 Class Forum
- LFD125 Class Forum
- 16 LFD133 Class Forum
- 6 LFD134 Class Forum
- 18 LFD137 Class Forum
- 70 LFD201 Class Forum
- 3 LFD210 Class Forum
- 2 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 2 LFD237 Class Forum
- 23 LFD254 Class Forum
- 718 LFD259 Class Forum
- 111 LFD272 Class Forum - Discontinued
- 3 LFD272-JP クラス フォーラム
- 13 LFD273 Class Forum
- 213 LFS101 Class Forum
- 1 LFS111 Class Forum
- 2 LFS112 Class Forum
- 1 LFS116 Class Forum
- 3 LFS118 Class Forum
- LFS120 Class Forum
- 1 LFS142 Class Forum
- 2 LFS144 Class Forum
- 3 LFS145 Class Forum
- 4 LFS146 Class Forum
- 15 LFS148 Class Forum
- 15 LFS151 Class Forum
- 1 LFS157 Class Forum
- 6 LFS158 Class Forum
- LFS158-JP クラス フォーラム
- 4 LFS162 Class Forum
- 1 LFS166 Class Forum
- 2 LFS167 Class Forum
- 1 LFS170 Class Forum
- 1 LFS171 Class Forum
- 1 LFS178 Class Forum
- 2 LFS180 Class Forum
- 1 LFS182 Class Forum
- 3 LFS183 Class Forum
- 30 LFS200 Class Forum
- 737 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 20 LFS203 Class Forum
- 109 LFS207 Class Forum
- 1 LFS207-DE-Klassenforum
- 2 LFS207-JP クラス フォーラム
- 301 LFS211 Class Forum
- 55 LFS216 Class Forum
- 48 LFS241 Class Forum
- 43 LFS242 Class Forum
- 37 LFS243 Class Forum
- 16 LFS244 Class Forum
- 1 LFS245 Class Forum
- LFS246 Class Forum
- LFS248 Class Forum
- 44 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 156 LFS253 Class Forum
- LFS254 Class Forum
- LFS255 Class Forum
- 6 LFS256 Class Forum
- LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 9 LFS258-JP クラス フォーラム
- 113 LFS260 Class Forum
- 150 LFS261 Class Forum
- 41 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 21 LFS267 Class Forum
- 18 LFS268 Class Forum
- 29 LFS269 Class Forum
- 7 LFS270 Class Forum
- 199 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- 2 LFS147 Class Forum
- LFS274 Class Forum
- 3 LFS281 Class Forum
- 2 LFW111 Class Forum
- 257 LFW211 Class Forum
- 176 LFW212 Class Forum
- 15 SKF100 Class Forum
- SKF200 Class Forum
- 2 SKF201 Class Forum
- 797 Hardware
- 198 Drivers
- 68 I/O Devices
- 37 Monitors
- 96 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 83 Storage
- 752 Linux Distributions
- 82 Debian
- 67 Fedora
- 16 Linux Mint
- 13 Mageia
- 23 openSUSE
- 147 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 349 Ubuntu
- 463 Linux System Administration
- 39 Cloud Computing
- 71 Command Line/Scripting
- Github systems admin projects
- 91 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 55 Mobile Computing
- 18 Android
- 28 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 364 Off Topic
- 115 Introductions
- 170 Small Talk
- 26 Study Material
- 518 Programming and Development
- 304 Kernel Development
- 211 Software Development
- 1.1K Software
- 211 Applications
- 180 Command Line
- 3 Compiling/Installing
- 405 Games
- 311 Installation
- 78 All In Program
- 78 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)