Wireless Hacks. 1917 IndustrialStrength Tips and Tools [Electronic resources] نسخه متنی

Hack 59 Bridging with a Firewall

Regain control over your Layer 2 bridge with
iptables and ebtables.

As we saw in
the previous hack [Hack #58], creating an
Ethernet-to-wireless bridge is very straightforward. While this
allows for very easy integration with your existing network, it
isn't always the best decision from a security point
of view. Rather than simply connect two networks together at Layer 2,
wouldn't it be nice to be able to tightly control
the flow of packets between the two networks?

You might think that you could simply use
iptables to
control network access, as you normally would with any other network
device. In the experimental Linux 2.5 kernels, this is the case. But
when 802.1d bridging is in effect in Linux 2.4, the
netfilter code never sees bridged
packets. In order to make traffic visible to standard firewall tools,
you'll have to patch your kernel.

There are two Linux 2.4 patches available that
allow you to manipulate your bridge as a firewall:
ebtables and bridge-nf. The
first patch implements ebtables, a new packet
filter specifically designed for Ethernet bridges. The second
provides netfilter functionality for your bridge, so you can
manipulate it using iptables. Both patches are
available at http://ebtables.sourceforge.net/. While
you're there, be sure to grab a copy of the
ebtables utilities as well.

If you're running Linux 2.5 or later,
you're in luck. Both ebtables
and bridge-nf are now built into the kernel, so
you don't have to patch your kernel.

Patching the Linux 2.4 Kernel

Extract a
clean copy of Linux 2.4.20, and patch
your kernel source by doing the following:

rob@florian:/usr/local/src$ tar jvxf ~/linux-2.4.20.tar.bz2
rob@florian:/usr/local/src$ patch -p0 < ~/ebtables-v2.0.003_vs_2.4.20.diff
patching file linux-2.4.20/net/bridge/br_private.h
patching file linux-2.4.20/include/linux/if_bridge.h
patching file linux-2.4.20/net/core/dev.c
...
rob@florian:/usr/local/src$ patch -p0 < ~/bridge-nf-0.0.10-against[RETURN]
-2.4.20.diff
patching file linux-2.4.20/include/linux/netfilter.h
patching file linux-2.4.20/include/linux/netfilter_ipv4.h
patching file linux-2.4.20/include/linux/netfilter_bridge.h
...
rob@florian:/usr/local/src$

This assumes that you put your kernel sources in
/usr/local/src/, and that the patches are in
your home directory, but feel free to keep your code wherever you
like. Now that your kernel source is patched, configure and build
your kernel as you normally would. Be sure to include 802.1d Ethernet
Bridging (CONFIG_BRIDGE) when you configure it.

Setting Up a Firewall

With your new kernel installed, you can now manipulate the firewall
exactly as you would expect using
iptables. You can also use
ebtables to do all sorts of interesting things
at the MAC layer. For example, to ignore all
traffic from a given IP that doesn't match a known
MAC address, you could try this:

# ebtables -A FORWARD -p IPv4 --ip-src 10.15.6.10 -s ! 00:30:65:FF:AA:BB [RETURN]
-j DROP

This prevents other users from
"camping" on known IP
addresses. While it won't help much with MAC
spoofing attacks, this will help keep
average users from stepping on other people's IP
addresses. You can also use it in reverse to lock a MAC address into
a particular IP:

# ebtables -A FORWARD -p IPv4 --ip-src  ! 10.15.6.10 -s 00:30:65:FF:AA:BB [RETURN]
-j DROP

This will prohibit the machine with the specified MAC address from
using any IP but 10.15.6.10.

These are just a couple of
examples of the power and flexibility of
ebtables. You can also do all sorts of neat
things like MAC redirection and
NAT, or filter on protocol types (need to
drop all IPv6 traffic? No problem!). For more information, check out
the ebtables web site as well as
man ebtables.