Firewall Bridge - Debian · Mar 12, 13:28 by Shannon Wynter

So, you’ve got an existing (somewhat complex) network with a DSL router
(or other such device), and you don’t relish the thought of reconfiguring
all the router’s routes and/or every machine on your network just to
install a proxy/NAT/firewall that controls access to the internet.

Enter option 2, a bridge.

Ok, I’ve only done this the once, and I’ve done it with Debian, so that’s
what I’m going to show you… In fact, I’m going to show you step by step
how I did it.

Things you need:

  • A box with a functioning computer in it.
  • 2 or more network cards in said box.
  • A Debian install CD (or CDs) – I prefer sarge – Get it here
  • If you’re using netinst, a working connection to the internet is required… and a DHCP server won’t go astray
  • An hour of spare time
  • A caffeinated drink

Things you don’t need:

  • Help desk phone
  • Kids
  • Other sources of constant interruption

Ok lets get started

Step 1 -=- Install Debian
It doesn’t really matter how you partition it, just make sure you have enough room for a squid cache.
You don’t need to select any tasks on the “Task Selection Screen”.

Step 2 -=- Install all the required bits
Ok, once you’ve got Debian installed, we’ll start apt-getting:
[root@localhost root]# apt-get install kernel-2.6.8 kernel-source-2.6.8 iptables bridge-utils
You don’t have to use kernel 2.6.8, it’s just the one I used.

We’ll get to installing squid now
[root@localhost root]# apt-get install squid

Step 3 -=- Install the optional bits
Unless you intend to use vi to do all your editing, you should install
your preferred editor now… I prefer mcedit:
[root@localhost root]# apt-get install mc

Step 4 -=- Reboot into our new kernel
[root@localhost root]# reboot

Step 5 -=- Lets get started with the configuration
Create a file, something like br.sh, and start editing it:

  #!/bin/sh

  BRCTL="/usr/sbin/brctl"
  IPTABLES="/sbin/iptables"
  IFCONFIG="/sbin/ifconfig"
  ROUTE="/sbin/route"
  SED="/bin/sed"
  IF1="eth0"
  IF2="eth1"
  BRIDGE="br0"
  BRIDGEIP="192.168.0.253/24"
  GATEWAY="192.168.0.1"
  LAN=$BRIDGEIP

  # We need to split the /* off the IP address so we can use it our own way
  # % is used cos some sh's don't like /'s
  oIFS="${IFS}"
  IFS='%'
  set -- `echo ${BRIDGEIP} | ${SED} -e 's@/@%@g' -e 's@^%@/@'`
  IFS="${oIFS}"
  IP=${1}

  # Make sure there's no bridge running - if there is, we'll assume we're
  # working on our firewall scripts (ifconfig complains on stderr when the
  # bridge doesn't exist yet, so that is silenced; -F -w matches the address
  # literally rather than as a regex)
  echo "Checking for bridge"
  CHECK=`${IFCONFIG} ${BRIDGE} 2>/dev/null | grep -Fw "${IP}"`

  if [ -n "$CHECK" ]; then
      # Yeh ok, there's a bridge, let's be paranoid and start from scratch
      # It's not the most efficient way (as it takes quite a bit of time
      # to re-start the bridge) but it's the safest
      echo "Bridge Detected - Cleaning slate"

      # Drop the route
      $ROUTE del default gw $GATEWAY

      # Flush the tables
      $IPTABLES -t nat -F
      $IPTABLES -F

      # Shut down the interfaces
      $IFCONFIG $BRIDGE down
      $IFCONFIG $IF1 down
      $IFCONFIG $IF2 down

      # Make like the military and destroy the bridge
      $BRCTL delif $BRIDGE $IF1
      $BRCTL delif $BRIDGE $IF2
      $BRCTL delbr $BRIDGE
  fi

  # Dunno if we actually use this, but damn sure it's better in than out
  echo "1" > /proc/sys/net/ipv4/ip_forward

  # Ok, let's get to building a bridge
  $BRCTL addbr $BRIDGE

  # We probably don't need stp; if you have more than one bridge
  # I suggest you invest time into thinking about stp
  $BRCTL stp $BRIDGE off

  # Add some interfaces to our bridge
  $BRCTL addif $BRIDGE $IF1
  $BRCTL addif $BRIDGE $IF2

  # Now that we're over that, we'll bring up the interfaces
  $IFCONFIG $IF1 up
  $IFCONFIG $IF2 up
  $IFCONFIG $BRIDGE $BRIDGEIP up

  # Add a route
  $ROUTE add default gw $GATEWAY

  # Save some typing
  INPUT="${IPTABLES} -A INPUT"

  # Now, we haven't put all this effort in to be insecure, so we'll drop all incoming
  # packets by default
  $IPTABLES -P INPUT DROP

  # We better let established and related packets in, or we might not do much talking
  $INPUT -d ${IP}/32 -m state --state ESTABLISHED,RELATED -j ACCEPT

  # SSH is handy for remote administration, for the love of god either use an ssh key or
  # a really good password (both preferably)
  $INPUT -p TCP -d ${IP}/32 --destination-port 22 -j ACCEPT

  # Ok, I'm too lazy to look up ICMP codes, so we'll just let all ICMP in
  $INPUT -p ICMP -d ${IP}/32 -j ACCEPT

  # Explicitly allow traffic into squid - without this the traffic wanders off into
  # the other side of the bridge
  $INPUT -i $BRIDGE -p TCP -d ${IP}/32 -s $LAN --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

  # Save on typing
  FORWARD="${IPTABLES} -A FORWARD"

  # Now, we haven't put all this effort in to be insecure, so we'll drop all forwarded
  # packets by default
  $IPTABLES -P FORWARD DROP

  # We better let established and related packets through, or we might not do much talking
  $FORWARD -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Ok, I'm too lazy to look up ICMP codes, so we'll just let all ICMP through
  $FORWARD -p ICMP -s $LAN -j ACCEPT

  # Permit ssh traffic
  $FORWARD -p TCP -s $LAN --destination-port 22 -j ACCEPT

  # Permit DNS traffic - you and I might be fine with IP addresses but normal
  # people prefer the friendly name
  $FORWARD -p UDP -s $LAN --destination-port 53 -j ACCEPT

  # Let SMTP, POP3, and IMAP out for all our mail tasks
  $FORWARD -p TCP -s $LAN --destination-port 25 -j ACCEPT
  $FORWARD -p TCP -s $LAN --destination-port 110 -j ACCEPT
  $FORWARD -p TCP -s $LAN --destination-port 143 -j ACCEPT

  # Let ftp through, you might want to remove it
  $FORWARD -p TCP -s $LAN --destination-port 21 -j ACCEPT

  # Let https through, we can't do much to transparently proxy this
  $FORWARD -p TCP -s $LAN --destination-port 443 -j ACCEPT

  # Set up the transparent proxy
  $IPTABLES -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-port 3128

  # Add your own rules below here
  $IPTABLES -I FORWARD -p TCP -d 192.168.0.2 --destination-port 5190 -j ACCEPT

Ok, now we save that file somewhere convenient (I like to make a scripts dir in / and put my scripts in there) and then make it executable:
[root@localhost root]# chmod +x br.sh
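The sed/IFS dance near the top of br.sh exists only to peel the prefix length off BRIDGEIP, and LAN=$BRIDGEIP hands iptables a host address with a /24 on it (iptables masks it down to 192.168.0.0/24 itself, but it reads oddly in the rules). As an added example, not part of the original post, here are POSIX sh helpers that do the split with parameter expansion and also derive the subnet, so LAN can be set to the network address explicitly. The function names and the sample addresses are this example's own assumptions; everything runs in plain sh with no external tools.

```shell
#!/bin/sh
# Added example (not from the original post): POSIX-sh CIDR helpers.
# Function names, and the addresses used at the bottom, are assumptions
# of this example; only parameter expansion and $(( )) arithmetic are used.

# Host part of a CIDR string: "192.168.0.253/24" -> "192.168.0.253"
cidr_host() {
    printf '%s\n' "${1%/*}"
}

# Prefix length: "192.168.0.253/24" -> "24" (a bare address counts as /32)
cidr_prefix() {
    case "$1" in
        */*) printf '%s\n' "${1#*/}" ;;
        *)   printf '%s\n' 32 ;;
    esac
}

# Dotted quad -> 32-bit integer (splits on '.' via IFS, then shifts)
ip_to_int() {
    oIFS="$IFS"; IFS=.
    set -- $1
    IFS="$oIFS"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Network address in CIDR form: "192.168.0.253/24" -> "192.168.0.0/24"
cidr_network() {
    host=$(cidr_host "$1")
    prefix=$(cidr_prefix "$1")
    # 4294967295 is 0xFFFFFFFF; the outer mask keeps the result to 32 bits
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( $(ip_to_int "$host") & mask ))
    printf '%s/%s\n' "$(int_to_ip "$net")" "$prefix"
}

# Stand-alone run: the bridge address from br.sh and the subnet LAN should be
BRIDGEIP="192.168.0.253/24"
echo "host:    $(cidr_host "$BRIDGEIP")"
echo "prefix:  $(cidr_prefix "$BRIDGEIP")"
echo "network: $(cidr_network "$BRIDGEIP")"
```

In br.sh the sed/IFS block then collapses to IP=$(cidr_host "$BRIDGEIP") and LAN=$(cidr_network "$BRIDGEIP"), and the -s $LAN matches read as the subnet they actually are.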

Step 6 -=- Configure your squid
Ok, now that’s beyond the scope of this document, but basically you just need to allow your network out.

Step 7 -=- Make it happen on boot
We cheat here… there’s so much we should do with this script, but as this is pretty much a dedicated system you can cheat.
[root@localhost root]# ln -s /scripts/br.sh /etc/rc2.d/S99br.sh

After another reboot we should be running our firewall bridge.

Note: you might want to remove the interface stanzas for the eths you used from /etc/network/interfaces, otherwise you will probably run into issues.
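Once the box is back up, it is worth confirming that the rule set actually looks the way br.sh intends before trusting it. The following is an added example, not part of the original post: a POSIX sh audit that reads an iptables-save dump and checks for the properties the script sets up (DROP policies on INPUT and FORWARD, the stateful accept on INPUT, the HTTP redirect into squid, and squid’s port 3128 being accepted only from a stated source). The two rule dumps embedded in it are constructed samples, and the function names are this example’s own; on the firewall itself you would pipe the output of iptables-save into audit_rules.

```shell
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump for
# the properties br.sh is meant to establish. The two dumps below are
# constructed samples; on the firewall itself run:  iptables-save | audit_rules

# Constructed sample: a dump consistent with what br.sh sets up.
GOOD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.253/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.0.253/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.0.253/32 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/24 -d 192.168.0.253/32 -i br0 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3128 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Constructed sample: policies left at ACCEPT, no redirect, squid open to anyone.
BAD_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.253/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.168.0.253/32 -i br0 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT'

fails=0
dump=""

ok()   { echo "ok   $1"; }
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# check DESCRIPTION REGEX: passes if some line of the dump matches REGEX
check() {
    if printf '%s\n' "$dump" | grep -Eq -- "$2"; then ok "$1"; else fail "$1"; fi
}

# Read a dump on stdin, report each check, return the number of failures.
audit_rules() {
    dump=$(cat)
    fails=0
    check "INPUT policy is DROP"             '^:INPUT DROP '
    check "FORWARD policy is DROP"           '^:FORWARD DROP '
    check "INPUT keeps established sessions" '^-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
    check "HTTP is redirected into squid"    '^-A PREROUTING .*--dport 80 -j REDIRECT --to-ports? 3128'
    # Squid must be reachable, but only from a stated source: every ACCEPT for
    # port 3128 needs a -s match, and there must be at least one such rule.
    squid=$(printf '%s\n' "$dump" | grep -E '^-A INPUT .*--dport 3128 -j ACCEPT')
    if [ -z "$squid" ]; then
        fail "no INPUT rule admits squid traffic on port 3128"
    elif printf '%s\n' "$squid" | grep -vq -- ' -s '; then
        fail "an INPUT rule admits port 3128 without a source restriction"
    else
        ok "squid port 3128 only reachable from stated sources"
    fi
    return $fails
}

# Stand-alone run over the constructed samples
echo "--- good sample"; printf '%s\n' "$GOOD_RULES" | audit_rules
echo "--- bad sample";  printf '%s\n' "$BAD_RULES"  | audit_rules || echo "$? check(s) failed"
```

The return value is the number of failed checks, so the audit can sit in a cron job or a post-boot hook and flag a box whose rules did not come up the way the script intended (for instance because the script never ran, or an interface name changed and the bridge was never built).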
