Solved

bridge firewall on redhat 7.1

Posted on 2001-07-17
341 Views
Last Modified: 2010-03-18
The bridge is running fine, but I don't think ipchains (brctl doesn't support iptables) is running, because all the packets still go through even when I deny all outgoing/incoming packets. Does anybody know how to set it up on Red Hat 7.1, kernel 2.4.2? Thanks.


Question by: ichen
33 Comments
 
LVL 16 Accepted Solution by: The--Captain (earned 200 total points)
Please post your ipchains rulesets (feel free to [consistently] munge the IPs if you don't want to reveal them to us).  

Also, the output of 'netstat -nr' and the output of 'netstat -ni' would be most helpful.

I've done this on older linux boxes, but not with recent kernels.  

In the past, if you wish to restrict bridged traffic, each interface on which you wish to restrict traffic must have an assigned IP address.  Perhaps this is the problem?

-Jon

LVL 1 Author Comment by: ichen
The problem is, I dropped all incoming, outgoing and forwarding packets.
I used ipchains (-P) INPUT,OUTPUT,FORWARD -j DENY
(I think it was -P.)
LVL 16 Expert Comment by: The--Captain
Can you confirm or deny that you have IP addresses assigned to the bridged interfaces?

Thanks,
-Jon

LVL 1 Author Comment by: ichen
No, I don't have IPs assigned on the bridged interfaces; they all show broadcast 0.0.0.0.
LVL 16 Expert Comment by: The--Captain
That is almost certainly the problem - you need to assign IP addresses to the interfaces in order to be able to filter traffic using ipchains.

-Jon

LVL 1 Author Comment by: ichen
Can you give me examples?
LVL 16 Expert Comment by: The--Captain
Set them up as you would any other IP interface...

I guess I'm not sure what you're asking.

-Jon
LVL 1 Author Comment by: ichen
No, I want to use a bridge and combine it with a firewall.
I shouldn't set an IP for the interface...
LVL 16 Expert Comment by: The--Captain
Then you will have to assign IPs to the interfaces.

I'm having problems envisioning a scenario in which you actually need to bridge IP - you generally only need to do that for other protocols, since IP is entirely routable.  

Please explain further what you are trying to do, and I will point you in the right direction.

-Jon

LVL 1 Author Comment by: ichen
I need the bridge-firewall, because from what I know, with a bridge-firewall you can just plug the firewall into your network and the whole network will be behind the firewall without changing any routes...

INTERNET
    |
   LAN


I succeeded in installing the bridge, and it was running:

INTERNET
   |
  bridge
   |
  LAN

But when I implemented the firewall inside, it's not working. Then I patched (the bridge firewall project released a patch for the 2.4.6 kernel)... but it's still not working.

So maybe I'm wrong on the firewall rules.
To test whether the firewall is working or not, in the firewall rules I dropped all incoming and outgoing packets.
Then from the LAN I tried to ping outside... it still goes through... that means the firewall didn't drop the packets...
LVL 16 Expert Comment by: The--Captain
Your bridge is behaving as it should with no assigned IP interfaces.  The best solution I've seen is to knuckle down and just set up routing for two IP subnets, and let the bridge handle the rest.  A nice benefit of this is that the bridge will still propagate broadcasts, making such obnoxious things as WINS servers, etc unnecessary for brainless IP protocols that were actually built around a single-segment mindset.

I admit that needing IP interfaces on your bridge seems silly if you've dealt with other bridges that allow the sort of config you are wanting (I know I have).  I guess if you can't stand to implement routing, then you might want to send some mail to the kernel developers suggesting that they unify the bridging code with the packet-filtering parts of the kernel.

A final option might be to use some of the more advanced options to iptables (PREROUTING, etc) and see if you can intercept the packets that way (as I said, most of my experience in this area has been on older kernels, which did not support iptables, so I am uncertain of the possibilities here)

-Jon

LVL 1 Author Comment by: ichen
Can you give me the examples? I really, really have no idea...
LVL 16 Expert Comment by: The--Captain
Assumptions:
Network A (eth0) = 192.168.20.0/24
Network B (eth1) = 192.168.40.0/24

Config:
ifconfig eth0 192.168.20.1 netmask 255.255.255.0 up
ifconfig eth1 192.168.40.1 netmask 255.255.255.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward

On just about all modern versions of linux, the direct routes to networks A and B will be entered automatically when you run ifconfig.  After that, just enable bridging on the interfaces, and add the appropriate ipchains rulesets.  Just make sure that your machines in Network A have a route through the bridge/router to Network B, and that your machines in Network B have a route through the bridge/router to Network A (or you could just add a default route on all machines pointing to the appropriate IP address on the bridge/router).

-Jon


LVL 1 Author Comment by: ichen
How about the bridge interface? Should I put an IP on the bridge interface too?
LVL 16 Expert Comment by: The--Captain
I must apologize for criticizing the non-unification of bridging with ipchains - looks like I spoke too soon...

This URL should have all the info you need to do exactly what you want:

http://www.linuxdoc.org/HOWTO/BRIDGE-STP-HOWTO/advanced-bridge.html#IPCHAINS

Let me know if you require further assistance...

-Jon

LVL 1 Author Comment by: ichen
I tried before... but I only set an IP on the bridge... I haven't set IPs on the network interfaces.... Maybe that's the problem.
LVL 16 Expert Comment by: The--Captain
I don't think you should have to re-configure your network interfaces if you use the bridge patch at the URL I mentioned above.  It seems to enable ipchains rulesets to restrict bridged traffic without having to assign IP addresses to the interfaces.

-Jon

LVL 1 Author Comment by: ichen
But the patches only work on Linux kernel 2.2.x?
(I think so.)
LVL 16 Expert Comment by: The--Captain
It's there - you just need to dig a bit.

http://bridge.sourceforge.net/devel/bridge-nf/

-Jon
LVL 1 Author Comment by: ichen
I tried before... still got problems :(
LVL 16 Expert Comment by: The--Captain
How so?

-Jon
LVL 1 Author Comment by: ichen
No idea... that's why I'm asking :P
LVL 16 Expert Comment by: The--Captain
If you want, I can tell you how to make it work using routing instead of bridging (if you're having problems with the patches).

-Jon

LVL 16 Expert Comment by: The--Captain
Did you find the patches for the 2.4 kernel at the URL I posted?

If so, how did it go when you tried to apply the patches?

-Jon
LVL 1 Author Comment by: ichen
It's the same...
The packets still go through. I used iptables.
I used this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

:(
LVL 16 Expert Comment by: The--Captain
So, you patched your kernel, recompiled it, and it still does not work?

-Jon

LVL 16 Expert Comment by: The--Captain
This URL seems to have a good description of what to do...

http://www.math.leidenuniv.nl/pipermail/bridge/2001-July/000478.html


Don't forget to create a chain that has the same name as your bridge group (presumably br0) in order to restrict traffic.

-Jon

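Added example, not code from the thread or from the bridge-nf project: a POSIX sh preflight check and rule generator for the transparent (IP-less) bridge firewall ichen is testing above. It makes the point behind the "ping still goes through" result: traffic passing through a bridge never touches INPUT or OUTPUT, and only reaches FORWARD when bridge-netfilter is actually hooking bridged frames into iptables, so three DROP policies on an unpatched bridge do nothing. Assumptions that are not from the page: the sysctl path /proc/sys/net/bridge/bridge-nf-call-iptables (exposed by br_netfilter on 2.6 and later kernels and by later 2.4 bridge-nf releases; the mid-2001 patch may not have it), the interface names br0 (bridge), eth1 (LAN port) and eth0 (Internet port), the LAN prefix 192.168.20.0/24 borrowed from The--Captain's routing example, and that the physdev match is available.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check and rule generator for
# a transparent (IP-less) bridge firewall.  Assumed, not from the page: the
# sysctl path below (br_netfilter on 2.6+, later 2.4 bridge-nf releases), the
# interface names br0/eth1/eth0, the LAN prefix, and the physdev match.

BRIDGE_NF_SYSCTL=/proc/sys/net/bridge/bridge-nf-call-iptables

# Return 0 only when bridged IPv4 frames are handed to iptables.  If this
# fails, a FORWARD policy of DROP never sees bridged traffic and a LAN host
# can still ping the Internet, which is the symptom described in the thread.
bridge_nf_enabled() {
    f="${1:-$BRIDGE_NF_SYSCTL}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Print (never run) the iptables commands for a default-deny bridge firewall.
# $1 bridge, $2 LAN-side port, $3 Internet-side port, $4 LAN prefix.
# Bridged frames only ever traverse FORWARD; INPUT and OUTPUT apply to the
# firewall host itself, which has no IP here, so they are left untouched.
# New connections are allowed only from the LAN port towards the Internet
# port with a LAN source address; replies come back via the state match and
# everything else (inbound connections, spoofed sources) hits the policy.
gen_bridge_fw_rules() {
    br="$1"; lan_if="$2"; wan_if="$3"; lan_net="$4"
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $lan_if --physdev-out $wan_if -s $lan_net -m state --state NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "$br-drop: "
EOF
}

# Refuse to emit rules that would silently do nothing on this kernel.
main() {
    if ! bridge_nf_enabled; then
        echo "bridge-netfilter inactive: $BRIDGE_NF_SYSCTL missing or 0." >&2
        echo "Load br_netfilter (or apply the bridge-nf patch) and set" >&2
        echo "net.bridge.bridge-nf-call-iptables=1, then rerun." >&2
        return 1
    fi
    gen_bridge_fw_rules br0 eth1 eth0 192.168.20.0/24
}

# Only act when invoked deliberately, so the functions can also be sourced.
if [ "${BRIDGE_FW_MAIN:-0}" = 1 ]; then main "$@"; fi
```

Run it as BRIDGE_FW_MAIN=1 sh bridge-fw.sh to print the rules, and pipe that output to sh as root to apply them. Before trusting the policy, repeat the ping from a LAN host and confirm that the packet counters in iptables -L FORWARD -v -n move; if they stay at zero, bridged frames are still bypassing netfilter and the ruleset is not in the path at all.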
 
LVL 1 Author Comment by: ichen
Yes, my chain has the same name as the bridge.
LVL 1 Expert Comment by: Moondancer
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> You cannot delete a question with comments, special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process for further information, if needed.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, to track all your open and locked questions at this site.  If you are an EE Pro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer but does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item in the future to seek help.

PLEASE DO NOT AWARD THE POINTS TO ME.  
 
------------>  EXPERTS:  Please leave any comments regarding your closing recommendations if this item remains inactive another seven (7) days.  Also, if you are interested in the cleanup effort, please click this link http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643

Moderators will finalize this question if still open in 7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange

Expert Comment by: CleanupPing
ichen:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 7 Expert Comment by: troopern
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept The--Captain's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

troopern
EE Cleanup Volunteer
