Ebtables and Netfilter
Introduction:
The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge. The filtering possibilities are limited to link layer filtering and some basic filtering on higher network layers. Advanced logging, MAC DNAT/SNAT and brouter facilities are also included.
The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture, which is a part of the standard Linux kernel. Note that ebtables only works on bridged interfaces.
Q. How to bridge two interfaces?
brctl is the tool for interface bridging.
#brctl addbr br0 // add bridge br0
#ifconfig eth0 0.0.0.0 // remove eth0's IP
#ifconfig eth1 0.0.0.0 // remove eth1's IP
#brctl addif br0 eth1 // add eth1 to br0
#brctl addif br0 eth0 // add eth0 to br0
#brctl show // see the bridge br0 configuration
#brctl stp br0 on // turn STP (spanning tree protocol) on
#ifconfig br0 192.168.0.254 up // bring the bridge up
You can ping the bridge now.
Q. What can we do with ebtables and netfilter?
- Ethernet protocol filtering.
- MAC address filtering.
- Simple IP header filtering.
- ARP header filtering.
- 802.1Q VLAN filtering.
- In/Out interface filtering (logical and physical device).
- MAC address NAT.
- Logging.
- Frame counters.
- Ability to add, delete and insert rules; flush chains; zero counters.
- Brouter facility.
- Ability to atomically load a complete table, containing the rules you made, into the kernel. See the man page and the examples section.
- Support for user defined chains.
- Support for marking frames and matching marked frames.
Basic Examples:
1) Drop/Allow everything
ebtables -P FORWARD DROP/ACCEPT
-P sets the policy of a chain
-A appends a rule to a chain
This drops/allows all traffic going through the bridge.
You can flush all ebtables rules with:
ebtables -F
How to configure a bridging ebtables firewall?
2) Basic filter on IP
The FORWARD chain policy must be ACCEPT:
#ebtables -P FORWARD ACCEPT
#ebtables -I FORWARD -p IPv4 --ip-src 192.168.0.2 -j ACCEPT // allow 192.168.0.2
#ebtables -I FORWARD -p IPv4 --ip-src 192.168.0.3 -j ACCEPT // allow 192.168.0.3
#ebtables -A FORWARD -p IPv4 --ip-src 192.168.0.0/24 -j DROP // drop everything else from 192.168.0.0/24
-I inserts the rule at the top of the chain
-A appends the rule at the end of the chain
Remember that the DROP rule must be at the end, because the first matching rule decides the verdict.
You can check the rule order with:
#ebtables -L
To delete a specific rule:
ebtables -D FORWARD 4 // delete rule number 4 from the FORWARD chain
3) How to filter ports and protocols?
Problem: suppose we want to allow HTTP and ICMP traffic for two IPs, namely 192.168.0.2 and 192.168.0.3. The rules will look like this:
#ebtables -P FORWARD DROP // change the FORWARD policy to drop everything
#ebtables -A FORWARD -p 0x806 -j ACCEPT // allow ARP traffic
#ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.2 --ip-proto tcp --ip-sport 80 -j ACCEPT // allow HTTP replies with 192.168.0.2 as destination
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-proto tcp --ip-dport 80 -j ACCEPT // allow HTTP requests with 192.168.0.2 as source
#ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.3 --ip-proto tcp --ip-sport 80 -j ACCEPT // allow HTTP replies with 192.168.0.3 as destination
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.3 --ip-proto tcp --ip-dport 80 -j ACCEPT // allow HTTP requests with 192.168.0.3 as source
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-proto icmp -j ACCEPT // allow ping
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.3 --ip-proto icmp -j ACCEPT // allow ping
Now to allow DNS requests, suppose 192.168.0.1 is our name server. We allow DNS for 192.168.0.2 only:
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-dst 192.168.0.1 --ip-proto udp --ip-dport 53 -j ACCEPT // DNS query
#ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.2 --ip-dst 192.168.0.1 --ip-proto udp --ip-sport 53 -j ACCEPT // DNS reply
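As an added example, not part of the original post, the section 3 ruleset written as a small POSIX shell script that generates the same rules for any list of hosts and prints them for review before they are piped to sh. The function names and the leading flush of the chain are this example's own choices; the addresses are the post's.

```sh
#!/bin/sh
# Added example (not from the original post): generate the section 3
# FORWARD ruleset for any number of hosts and print it for review.
# Apply with:  sh rules.sh 192.168.0.1 192.168.0.2 192.168.0.3 | sh -e
# Function names and the leading "ebtables -F FORWARD" are assumptions
# of this example, not something the post itself does.

# The post's three per-host rules: HTTP requests from host $1, HTTP
# replies back to it, and ICMP from it.
host_rules() {
    printf '%s\n' \
      "ebtables -A FORWARD -p 0x800 --ip-src $1 --ip-proto tcp --ip-dport 80 -j ACCEPT" \
      "ebtables -A FORWARD -p 0x800 --ip-dst $1 --ip-proto tcp --ip-sport 80 -j ACCEPT" \
      "ebtables -A FORWARD -p 0x800 --ip-src $1 --ip-proto icmp -j ACCEPT"
}

# DNS query and reply between client $1 and name server $2.
dns_rules() {
    printf '%s\n' \
      "ebtables -A FORWARD -p 0x800 --ip-src $1 --ip-dst $2 --ip-proto udp --ip-dport 53 -j ACCEPT" \
      "ebtables -A FORWARD -p 0x800 --ip-src $1 --ip-dst $2 --ip-proto udp --ip-sport 53 -j ACCEPT"
}

# Whole ruleset: flush, default-drop policy, ARP allowed, the per-host
# rules, and DNS for the first host only (as in the post).
# $1 = name server, remaining arguments = allowed hosts.
build_ruleset() {
    ns=$1
    shift
    printf '%s\n' "ebtables -F FORWARD" \
                  "ebtables -P FORWARD DROP" \
                  "ebtables -A FORWARD -p 0x806 -j ACCEPT"
    for h in "$@"; do
        host_rules "$h"
    done
    if [ $# -gt 0 ]; then
        dns_rules "$1" "$ns"
    fi
}

# Print the ruleset when run with arguments; nothing is applied here.
if [ $# -gt 0 ]; then
    build_ruleset "$@"
fi
```

Because the policy is switched to DROP before the ACCEPT rules are appended, bridged traffic is cut off while the commands run; the atomic table loading listed in the feature list above avoids that window.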
Protocol hex values
Value   Description
0x800   IP
0x806   ARP
Have fun!