On Wed, 30 Jan 2002, Chuck Bearden wrote:
> On Wed, 30 Jan 2002, Lennert Buytenhek wrote:
>
> > On Wed, Jan 30, 2002 at 12:34:17AM -0600, Chuck Bearden wrote:
> >
> [...]
> >
> > > David Whitmarsh's sample script
> > > (http://www.sparkle-cc.co.uk/firewall/rc.firewall.sh.txt) is
> > > interesting, but he only specifies his bridging interface (not either
> > > of the NICs) with '-i' in the rules governing traffic to his bridge.
> >
> > If you specify '-i br0', it will match traffic from all subinterfaces (i.e.
> > the combined effect of '-i eth0', '-i eth1', etc.)
>
> Excellent! I suspect that this is what I needed to know.
>
> > > Anyway, no packets from the outside ever match the br_ext or br_int
> > > rules, regardless of the interface they arrive on. All packets fall
> > > through to the '-i $BR_IF -j ACCEPT' rule.
> >
> > What if you log the packets with a LOG rule? You should see something
> > like this in your log output "IN=br0 PHYSIN=eth0"
>
> I verified my finding by checking byte/packet counters in
>
> 'iptables -nL --verbose'
>
> I will explicitly log and report results if I can't make your
> information from above work.
>
> Thanks for your work on Linux bridging!
> Best wishes,
> Chuck
(Debian Potato r4 with Adrian Bunk's 2.4 kernel packages; two NICs,
br0 has IP address)
Well, I'm still not doing something right. At this point I'm only
concerned with traffic to & from the bridging host itself. I've
stopped using the -t mangle PREROUTING chain for that filtering and
am doing everything in INPUT. I still can't match interface-specific
rules for eth0/1. Basically, my INPUT chain looks like this:
# rules applying only to eth1
$IPTABLES -A INPUT -i $EXT_IF -j br_ext
# rules applying only to eth0
$IPTABLES -A INPUT -i $INT_IF -j br_int
# rules applying to all interfaces on bridge host
$IPTABLES -A INPUT -i $BR_IF -j br_all
# log & drop all else
$IPTABLES -A INPUT -j br_log_drop
Full script appended. All packets destined for bridge host fail to
match the rules that jump to the br_ext and br_int chains. Here are
example logs:
Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
Jan 31 18:01:22 public09 kernel: br_host: IN=br0 OUT= MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48467 DF PROTO=TCP SPT=2740 DPT=22 WINDOW=16060 RES=0x00 SYN URGP=0
I don't see any 'PHYSIN=eth1' section in the log lines, which makes
me suspicious. These two packets arrived on eth1 ($EXT_IF). You can
see from the logging prefix ('br_host') that they made it to the
br_log_drop chain. Byte/packet counters indicate that they traversed
the 'br_all' chain but not the 'br_ext' chain, which contains the rule
that ACCEPTs traffic from 172.20.38.174.
All useful advice, pointers, and chastisement welcome.
Thanks,
Chuck
### Start of script ###
#!/bin/sh
# iptables binary (Debian installs it in /sbin); an override from the
# environment is honoured
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth1
INT_IF=eth0
BR_IF=br0
LOCAL_NET=172.20.37.0/24
LOCAL_BROAD=172.20.37.255
BR_ADDR=172.20.37.9
PRIV_NETS='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16'
ADMIN_LAN=172.20.38.0/24
OUR_NETS="$LOCAL_NET $ADMIN_LAN"
ADMIN_ACCESS_BRIDGE='172.20.38.174 172.20.4.0/24'
DNS_SERVERS='172.20.19.20 172.20.4.14'
NTP_SERVERS=172.20.4.14
#
# reinitialize chains
#
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t mangle
#
# set policies
#
for CHAIN in INPUT FORWARD; do
$IPTABLES -P $CHAIN DROP
done
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# initialize utility chains
# (they are defined at the end of the script)
#
$IPTABLES -N rfc1918
$IPTABLES -N bad_addr
#--------------------------------------------------
# THE BRIDGE ITSELF
#--------------------------------------------------
# enable loopback traffic (defined below)
$IPTABLES -A INPUT -i lo -j ACCEPT
# initialize bridge chains
$IPTABLES -N br_all
$IPTABLES -N br_ext
$IPTABLES -N br_int
$IPTABLES -N br_log_drop
$IPTABLES -A INPUT -i $EXT_IF -j br_ext
$IPTABLES -A INPUT -i $INT_IF -j br_int
$IPTABLES -A INPUT -i $BR_IF -j br_all
$IPTABLES -A INPUT -j br_log_drop
#
# Not interface-specific: br_all
#
# stop spoofing from RFC 1918 addresses
for NET in $PRIV_NETS; do
$IPTABLES -A br_all -s $NET -j rfc1918
done
# accept broadcasts from local net
$IPTABLES -A br_all -s $LOCAL_NET -d $LOCAL_BROAD -j ACCEPT
$IPTABLES -A br_all -s $LOCAL_NET -d 255.255.255.255 -j ACCEPT
# silently deny from 0.0.0.0, since it also matches any address
$IPTABLES -A br_all -d 0.0.0.0 -j DROP
# silently (unlogged) drop multicast
$IPTABLES -A br_all -d 224.0.0.0/8 -j DROP
# silently (unlogged) drop stupid packets from local net
$IPTABLES -A br_all -d 239.0.0.0/8 -j DROP
# stop packets to bridge but not to bridge IP (if any)
# $IPTABLES -A br_all -d ! $BR_ADDR -j bad_addr
# accept established streams
$IPTABLES -A br_all -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept certain classes of ICMP
for ICMP in 0 3 5 11; do
$IPTABLES -A br_all -p icmp -m icmp --icmp-type $ICMP -j ACCEPT
done
# accept echo requests from our nets ($OUR_NETS = LOCAL_NET + ADMIN_LAN)
for NET in $OUR_NETS; do
$IPTABLES -A br_all -s $NET -p icmp -m icmp --icmp-type 8 -j ACCEPT
done
# accept NetBIOS name replies from our net
$IPTABLES -A br_all -p udp -s $LOCAL_NET --sport 137 -j ACCEPT
# reset identd requests
$IPTABLES -A br_all -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
#
# External interface
#
# accept DNS from accepted servers (unnecessary because of state above?)
# accept NTP from accepted servers (unnecessary because of state above?)
# accept all traffic from admin hosts
for NET in $ADMIN_ACCESS_BRIDGE; do
$IPTABLES -A br_ext -s $NET -j ACCEPT
done
#
# Internal interface
#
# define log_drop chain for bridge
$IPTABLES -A br_log_drop -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "br_host: "
$IPTABLES -A br_log_drop -j DROP
#--------------------------------------------------
# FROM OUTSIDE IN
#--------------------------------------------------
# TBD
#--------------------------------------------------
# FROM INSIDE OUT
#--------------------------------------------------
# TBD
#--------------------------------------------------
# DEFINE LOG-DROP CHAINS
#--------------------------------------------------
$IPTABLES -A bad_addr -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "Bad dst addr: "
$IPTABLES -A bad_addr -j DROP
$IPTABLES -A rfc1918 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "RFC1918 addr: "
$IPTABLES -A rfc1918 -j DROP
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
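The check Lennert suggests in the thread (look for "IN=br0 PHYSIN=eth0" in the LOG output) and the symptom Chuck reports (IN=br0 with no PHYSIN= at all) can be applied mechanically to a log file. The script below is an added example and is not code from the post or from the Linux bridge project: it parses netfilter LOG lines into their KEY=VALUE fields, works out the real ingress interface for each packet, and lists the packets that entered via a bridge device without the kernel reporting the physical port. The two sample lines are constructed for the example: the first copies the format of the post's 'br_host:' lines, the second shows the same packet with the PHYSIN= field that a bridge-netfilter kernel adds to LOG output. Whether a given kernel/iptables combination emits PHYSIN= (and offers the physdev match, '-m physdev --physdev-in eth1', as the way to write port-specific rules) is a property of that build, not something this page establishes.

```python
"""Pull the fields out of netfilter LOG lines and check whether the kernel
reported the physical bridge port (PHYSIN=) for each packet.

Added example, not code from the original post. The two log lines below are
constructed: the first copies the format of the post's 'br_host:' lines
(IN=br0, no PHYSIN=), the second shows the same packet with the PHYSIN=
field that a bridge-netfilter kernel adds to LOG output.
"""
import re
from typing import Dict, List

# "Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= MAC=..."
_LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)\s*(?=IN=)(?P<fields>.*)$"
)

SAMPLE_LINES: List[str] = [
    # Constructed: mirrors the post's log line (no PHYSIN= field).
    "Jan 31 18:01:19 public09 kernel: br_host: IN=br0 OUT= "
    "MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48464 DF PROTO=TCP SPT=2740 DPT=22 "
    "WINDOW=16060 RES=0x00 SYN URGP=0",
    # Constructed: the same packet as a bridge-aware kernel would log it.
    "Jan 31 18:01:22 public09 kernel: br_host: IN=br0 PHYSIN=eth1 OUT= "
    "MAC=00:11:22:33:ff:ee:dd:e0:44:55:66:aa:bb:cc SRC=172.20.38.174 DST=172.20.37.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48467 DF PROTO=TCP SPT=2740 DPT=22 "
    "WINDOW=16060 RES=0x00 SYN URGP=0",
]


def parse_nflog(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one LOG line as a dict.

    Bare flag tokens (DF, SYN, ACK, ...) are stored with the value "1";
    an empty field such as "OUT=" is stored as "". Timestamp, host and
    log prefix are kept under underscore keys so they cannot collide
    with packet fields.
    """
    m = _LOG_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    rec = {
        "_ts": m.group("ts"),
        "_host": m.group("host"),
        "_prefix": m.group("prefix").rstrip(": "),
    }
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else "1"
    return rec


def ingress_port(rec: Dict[str, str]) -> str:
    """Interface the packet actually arrived on.

    On a bridge, IN= names the bridge device; only PHYSIN= names the NIC,
    so fall back to IN= when the kernel did not report a port.
    """
    return rec.get("PHYSIN") or rec.get("IN", "")


def bridge_without_physin(lines: List[str]) -> List[Dict[str, str]]:
    """Packets that entered via a bridge device but carry no PHYSIN=.

    Netfilter was not told which port these came in on, so no rule keyed
    on the physical port can match them; this is the symptom in the post.
    """
    recs = (parse_nflog(line) for line in lines)
    return [r for r in recs
            if r.get("IN", "").startswith("br") and "PHYSIN" not in r]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_nflog(line)
        print("%s %s:%s -> %s:%s in=%s port=%s" % (
            rec["_prefix"], rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"],
            rec["IN"], ingress_port(rec)))
    missing = bridge_without_physin(SAMPLE_LINES)
    print("%d of %d bridge packets logged without PHYSIN"
          % (len(missing), len(SAMPLE_LINES)))
```

Feed it the real syslog (for example 'grep "br_host:" /var/log/messages') in place of SAMPLE_LINES: if every record for a bridged host comes back without PHYSIN, the kernel is not handing the ingress port to netfilter, and no amount of reordering '-i eth1' rules in INPUT will make them match.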