Welcome to the Linux Foundation Forum!

Bridge firewall that allows ssh in, and allows http/https out, but nothing else... ebtable ruleset isn't working :(

I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... ebtable ruleset isn't working :(

This is what I have so far. When I set the default policy to allow, everything gets through; when I set it to deny, nothing gets through:

Here is the net setup: squid/sshserver --> eth1 [firewall] eth0 ---> Internet

What is supposed to be allowed:

ssh server (port 22 TCP) <--eth1 [firewall] eth0 <--- Internet
ssh/squidserver --> eth1 [firewall] eth0 --> Internet (ports 80 and 443 TCP)

What is supposed to be disallowed:

(spoofed ip w/o proper squidserver mac address going out)

(anything else coming in)

(probably anything else going out as well (maybe allow dns, dhcp))

Here is the ruleset right now:

ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 8, policy: DROP
-p IPv4 --ip-proto icmp -j DROP
-p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-dport 22 -j ACCEPT
-p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-sport 22 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 80 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 80 -j ACCEPT
-p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 443 -j ACCEPT
-p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 443 -j ACCEPT
-p IPv4 -i eth0 --ip-src 192.168.0.22 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Here are the commands used:

###The invisible bridge way:
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ip link set br0 up
/sbin/ip link set eth0 up # don't ask me why (the bridge ports have to be up as well, or nothing is forwarded)
/sbin/ip link set eth1 up # don't ask me why
#/sbin/ip addr add 192.168.0.6 brd + dev br0
#/sbin/route add default gw 192.168.0.1 dev br0 ##Only needed if eth2 hasn't already set default gateway

# ebtables...
# example rule: block all ICMP
ebtables -F FORWARD
ebtables -P FORWARD DROP
## ARP is not IPv4, so none of the "-p ip" rules below match it and policy DROP eats it.
## Without this rule no host on either side can resolve a MAC address, so no TCP
## connection is ever attempted across the bridge and the filter looks "all or nothing".
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP
#ebtables -A FORWARD -i eth0 -j DROP

##Here We allow SSH to pass through to the ssh server
#Incoming Connection From Internet #ebtables -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination ip-of-the-ssh-server -j ACCEPT
#Reply by the server To Internet #ebtables -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source ip-of-the-ssh-server -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.22 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.22 -j ACCEPT

##Allow squid server to access HTTP and HTTPS servers on standard ports.
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --i$
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-des$
#Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --i$
#Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-des$
##Squid's IP is tied to its MAC address here (-s/-d), so a frame carrying squid's IP from any other MAC is not accepted
##(ebtables has no connection tracking, so the replies are matched by source port 80/443 on the way back in)
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 80 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 443 -j ACCEPT
ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 443 -j ACCEPT
## If squid resolves names itself, its DNS lookups (port 53) will need ACCEPT rules of the same shape too

##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
## (with policy DROP this is already implied; it is kept so the intent is explicit in the listing)
ebtables -A FORWARD -i eth0 -p ip --ip-source 192.168.0.22 -j DROP
#ebtables -A FORWARD -i eth0 -j DROP
#ebtables -A FORWARD -p ip -j DROP ## block everything else
#ebtables -A FORWARD -i eth0 -o eth1 -p ip -j DROP

The bridge works, but the filtering is either all or nothing :/
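An added example, not code from the original post: a small Python model of how the ebtables FORWARD chain decides a frame (first matching rule wins, otherwise the chain policy), with the posted rules transcribed as field matches. It shows why the posted set passes nothing under policy DROP (an ARP frame matches no IPv4 rule) and what changes once an ARP ACCEPT rule is prepended; the frames, the second MAC and the 192.168.0.5 destination are constructed test values.

```python
# Added example, not from the forum post: a small model of how the ebtables
# FORWARD chain decides a frame (first matching rule wins, else the chain
# policy). It shows why the posted ruleset passes nothing with policy DROP:
# an ARP frame matches none of the IPv4 rules, so no host can resolve a MAC
# and no TCP flow ever starts. Frames and the MAC address are constructed.
SQUID_IP, SQUID_MAC = "192.168.0.22", "00:08:0d:54:13:c9"

def rule(target, **match):
    """A FORWARD rule: every match key must equal the frame's field."""
    return (match, target)

def tcp(in_if, out_if, **m):
    """Fields of an IPv4/TCP frame seen on the bridge (extra fields in m)."""
    return dict(proto="IPv4", ip_proto="tcp", in_if=in_if, out_if=out_if, **m)

# The poster's eight FORWARD rules, transcribed in order.
POSTED = [
    rule("DROP", proto="IPv4", ip_proto="icmp"),
    rule("ACCEPT", **tcp("eth0", "eth1", ip_dst=SQUID_IP, dport=22)),
    rule("ACCEPT", **tcp("eth1", "eth0", ip_src=SQUID_IP, sport=22)),
    rule("ACCEPT", **tcp("eth0", "eth1", ip_dst=SQUID_IP, dst_mac=SQUID_MAC, sport=80)),
    rule("ACCEPT", **tcp("eth1", "eth0", ip_src=SQUID_IP, src_mac=SQUID_MAC, dport=80)),
    rule("ACCEPT", **tcp("eth0", "eth1", ip_dst=SQUID_IP, dst_mac=SQUID_MAC, sport=443)),
    rule("ACCEPT", **tcp("eth1", "eth0", ip_src=SQUID_IP, src_mac=SQUID_MAC, dport=443)),
    rule("DROP", proto="IPv4", in_if="eth0", ip_src=SQUID_IP),
]
FIXED = [rule("ACCEPT", proto="ARP")] + POSTED   # the rule the posted set lacks

def forward(frame, rules, policy="DROP"):
    """Verdict for one bridged frame: first match wins, else the policy."""
    for match, target in rules:
        if all(frame.get(k) == v for k, v in match.items()):
            return target
    return policy

# Constructed frames crossing the bridge.
FRAMES = {
    "arp_request": {"proto": "ARP", "in_if": "eth1", "out_if": "eth0"},
    "ssh_in": tcp("eth0", "eth1", ip_dst=SQUID_IP, dst_mac=SQUID_MAC, dport=22),
    "http_out": tcp("eth1", "eth0", ip_src=SQUID_IP, src_mac=SQUID_MAC, dport=80),
    # squid's IP sent from another MAC: the -s MAC match does not accept it
    "http_out_other_mac": tcp("eth1", "eth0", ip_src=SQUID_IP, src_mac="02:00:00:00:00:01", dport=80),
    # squid's IP arriving from the Internet side: the anti-spoofing DROP
    "spoof_in": tcp("eth0", "eth1", ip_src=SQUID_IP, ip_dst="192.168.0.5", dport=80),
    "smtp_out": tcp("eth1", "eth0", ip_src=SQUID_IP, src_mac=SQUID_MAC, dport=25),
}

def verdicts(rules):
    """Map each sample frame name to its verdict under the given chain."""
    return {name: forward(frame, rules) for name, frame in FRAMES.items()}
```

Running `verdicts(POSTED)` versus `verdicts(FIXED)` shows that the only verdict that changes is the ARP frame; the TCP rules themselves behave as intended once ARP can cross the bridge.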
