The ebtables program is a filtering tool for a Linux-based bridging firewall.
It enables transparent filtering of network traffic passing through a Linux bridge.
The filtering possibilities are limited to link layer filtering and some
basic filtering on higher network layers. Advanced logging,
MAC DNAT/SNAT and brouter facilities are also included.
The ebtables tool can be combined with the other Linux filtering tools (iptables, ip6tables and arptables) to make a bridging firewall that is also capable of filtering these higher network layers. This is enabled through the bridge-netfilter architecture which is a part of the standard Linux kernel.
Basic filtering configuration:

ebtables -P FORWARD DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
ebtables -A FORWARD -p LENGTH -j ACCEPT
ebtables -A FORWARD --log-level info --log-ip --log-arp --log-prefix EBFW
ebtables -P INPUT DROP
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p ARP -j ACCEPT
ebtables -A INPUT -p LENGTH -j ACCEPT
ebtables -A INPUT --log-level info --log-ip --log-arp --log-prefix EBFW
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p ARP -j ACCEPT
ebtables -A OUTPUT -p LENGTH -j ACCEPT
ebtables -A OUTPUT --log-level info --log-ip --log-arp --log-prefix EBFW -j DROP

This is a basic filter configuration which will only let frames made by the protocols IP version 4 and ARP through. Also, the network has some old machines that use the protocol field of the Ethernet frame as a length field (they use the Ethernet 802.2 or 802.3 protocol). There was no reason not to let those machines through, more precisely: there was a reason to let them through ;-). So, those frames, with protocol LENGTH denoting that it's really a length field, are accepted. Of course one could filter on the MAC addresses of those old machines so no other machine can use the old Ethernet 802.2 or 802.3 protocol. All other frames get logged and dropped. This logging consists of the protocol number, the MAC addresses, the IP/ARP info (if it's an IP/ARP packet of course) and the in and out interfaces.
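The EBFW log rules above only pay off if somebody reads the output. The following script is an added example (not part of the original page) that summarises dropped frames per in-interface, EtherType and source MAC, so one host spraying unexpected EtherTypes, or an 802.3-length frame that would bypass iptables, stands out in the kernel log. The sample lines are constructed; they follow the field layout of the kernel's ebt_log output (IN=, OUT=, MAC source =, MAC dest =, proto =), and the small EtherType name table is an assumption kept here for readability only.

```shell
#!/bin/sh
# Summarise frames logged by the EBFW rules: count per in-interface,
# EtherType and source MAC, most frequent first.

# Constructed sample lines, laid out like the kernel's ebt_log output
# ("<prefix> IN=<if> OUT=<if> MAC source = <mac> MAC dest = <mac> proto = 0x<type>").
# OUT= is empty for frames logged in the INPUT chain.
SAMPLE_LOG='kernel: EBFW IN=eth0 OUT=eth1 MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x86dd
kernel: EBFW IN=eth0 OUT=eth1 MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x86dd
kernel: EBFW IN=eth1 OUT=eth0 MAC source = 00:aa:bb:cc:dd:ee MAC dest = 01:80:c2:00:00:00 proto = 0x0026
kernel: EBFW IN=eth0 OUT= MAC source = 00:11:22:33:44:66 MAC dest = 00:11:22:33:44:01 proto = 0x8100'

# Reads log lines on stdin, prints "<count> <in-if> <ethertype> <name> <src-mac>".
summarize_ebfw() {
  awk '
    BEGIN {
      # Assumed name table for a few EtherTypes that commonly show up in drops.
      names["0x86dd"] = "IPv6"; names["0x8100"] = "802.1Q"
      names["0x88cc"] = "LLDP"; names["0x8863"] = "PPPoE-discovery"
    }
    /EBFW/ {
      ifc = ""; src = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^IN=/) ifc = substr($i, 4)
        if ($i == "source" && $(i + 1) == "=") src = $(i + 2)
        if ($i == "proto" && $(i + 1) == "=") proto = $(i + 2)
      }
      # A proto value below 0x0600 is an 802.3 length field, not an EtherType;
      # the values are fixed-width lowercase hex, so a string compare suffices.
      if (proto < "0x0600") name = "802.3-length"
      else if (proto in names) name = names[proto]
      else name = "other"
      count[ifc " " proto " " name " " src]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Usage on a live system: journalctl -k | summarize_ebfw
printf '%s\n' "$SAMPLE_LOG" | summarize_ebfw
```

Counting by (interface, EtherType, source MAC) rather than by source MAC alone keeps the legitimate 802.3 machines mentioned above visible as their own line, so a decision to keep or drop the LENGTH rule can be based on what is actually seen.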
Important note:
If you don't absolutely need to let those old machines (using the 802.2 or 802.3 Ethernet protocol) through the bridge, don't let them. Opening it up with the rule

ebtables -A FORWARD -p LENGTH -j ACCEPT

actually breaches security if you're filtering IP bridge traffic with iptables: IP traffic passing the bridge using the 802.2 or 802.3 Ethernet protocol won't get filtered by iptables (it's on the todo list).

Associate IP addresses to MAC addresses:
ebtables -A FORWARD -p IPv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP

This is an anti-spoofing filter rule. It says that the computer using IP address 172.16.1.4 has to be the one that uses the Ethernet card with MAC address 00:11:22:33:44:55 to send this traffic.
Note: this can also be done using iptables. In iptables it would look like this:

iptables -A FORWARD -s 172.16.1.4 -m mac --mac-source ! 00:11:22:33:44:55 -j DROP

The difference is that the frame will be dropped earlier if the ebtables rule is used, because ebtables inspects the frame before iptables does. Also note the subtle difference in what is considered the default type for a source address: an IP address in iptables, a MAC address in ebtables.
If you have many such rules, you can also use the among match to speed up the filtering.

ebtables -N MATCHING-MAC-IP-PAIR
ebtables -A FORWARD -p IPv4 --among-src 00:11:22:33:44:55=172.16.1.4,00:11:33:44:22:55=172.16.1.5 \
  -j MATCHING-MAC-IP-PAIR

We first make a new user-defined chain MATCHING-MAC-IP-PAIR and we send all traffic with a matching MAC-IP source address pair to that chain, using the among match. The filtering in the MATCHING-MAC-IP-PAIR chain can then assume that the MAC-IP source address pairs are correct.
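With more than a handful of hosts the among list is best generated rather than typed. The script below is an added example, not code from the page or the ebtables project: it builds the --among-src list from a "<mac> <ipv4>" pair file (a hypothetical format assumed here), validates every entry first, and prints the resulting rules for review. The sample pair list is constructed, and the final log-and-drop rule for IPv4 from unlisted source pairs is a design choice of this example, not something the page prescribes.

```shell
#!/bin/sh
# Build the --among-src list for MATCHING-MAC-IP-PAIR from "<mac> <ipv4>"
# lines, validating every pair first: a malformed entry makes ebtables
# reject the whole rule, and a wrong one quietly lets a host spoof.

# Constructed sample pair list (assumed file format: one pair per line,
# '#' starts a comment).
PAIRS='# mac               ipv4
00:11:22:33:44:55   172.16.1.4
00:11:33:44:22:55   172.16.1.5'

valid_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

valid_ipv4() {
  # four dotted octets, each 0..255
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1
              exit 0 }
    { exit 1 }'
}

# Reads pairs on stdin, prints "mac=ip,mac=ip,..." or fails on the first bad entry.
build_among_list() {
  list=""
  while read -r mac ip rest; do
    case "$mac" in ''|'#'*) continue ;; esac
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # ebtables prints MACs lowercase
    valid_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip"  || { echo "bad IPv4 for $mac: $ip" >&2; return 1; }
    list="${list:+$list,}$mac=$ip"
  done
  [ -n "$list" ] || { echo "no pairs given" >&2; return 1; }
  printf '%s\n' "$list"
}

# Reads pairs on stdin, prints the ebtables commands. Frames whose source
# pair is on the list go to MATCHING-MAC-IP-PAIR; IPv4 from any other
# source pair is logged and dropped (a choice made in this example).
emit_antispoof_rules() {
  list=$(build_among_list) || return 1
  cat <<EOF
ebtables -N MATCHING-MAC-IP-PAIR
ebtables -A FORWARD -p IPv4 --among-src $list -j MATCHING-MAC-IP-PAIR
ebtables -A FORWARD -p IPv4 --log-level info --log-ip --log-prefix EBSPOOF -j DROP
EOF
}

# Usage on a live system: emit_antispoof_rules < /path/to/pairs | sh
printf '%s\n' "$PAIRS" | emit_antispoof_rules
```

Failing on the first bad line, instead of skipping it, is deliberate: a silently dropped pair means that host's IP is no longer tied to its MAC, which is exactly the condition the rule exists to prevent.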
Making a brouter:
Here is an example setup for a brouter with the following situation: br0 with ports eth0 and eth1.

ifconfig br0 0.0.0.0
ifconfig eth0 172.16.1.1 netmask 255.255.255.0
ifconfig eth1 172.16.2.1 netmask 255.255.255.0
ebtables -t broute -A BROUTING -p IPv4 -i eth0 --ip-dst 172.16.1.1 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i eth1 --ip-dst 172.16.2.1 -j DROP
ebtables -t broute -A BROUTING -p ARP -i eth0 -d $MAC_OF_ETH0 -j DROP
ebtables -t broute -A BROUTING -p ARP -i eth1 -d $MAC_OF_ETH1 -j DROP
ebtables -t broute -A BROUTING -p ARP -i eth0 --arp-ip-dst 172.16.1.1 -j DROP
ebtables -t broute -A BROUTING -p ARP -i eth1 --arp-ip-dst 172.16.2.1 -j DROP

As mentioned in the man pages, the DROP target in the BROUTING chain actually broutes the frame. This means the bridge code won't touch the frame and it is sent up to the higher network layers. This results in the frame entering the box as if it didn't arrive on a bridge port but on the device itself.

Only forward IPv4 for a specific MAC address:

ebtables -A FORWARD -s 00:11:22:33:44:55 -p IPv4 -j ACCEPT
ebtables -A FORWARD -s 00:11:22:33:44:55 -j DROP
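The brouter setup above needs the same three BROUTING rules per port plus the port's own MAC, which the page leaves as $MAC_OF_ETH0 and $MAC_OF_ETH1. This added example (not code from the page or the ebtables project) generates the whole configuration for any number of ports and reads each MAC from /sys/class/net/<port>/address when it is not given. It assumes /24 netmasks as in the page and only prints the commands, so the result can be reviewed before it is run; the MACs passed in at the bottom are constructed so the script also runs where sysfs is absent.

```shell
#!/bin/sh
# Generate the brouter configuration for any number of bridge ports and
# fill in the port MACs from sysfs. Output is printed, not applied.

# MAC of a port, from /sys/class/net/<if>/address (Linux); empty if unknown.
port_mac() {
  cat "/sys/class/net/$1/address" 2>/dev/null
}

# $1 = port, $2 = its IPv4 address, $3 = its MAC (looked up when omitted).
# DROP in the broute table means "route", as the text explains: frames for
# the port's own IP, and ARP for its own MAC or IP, leave the bridge path.
brouter_rules() {
  ifc=$1; ip=$2; mac=${3:-$(port_mac "$1")}
  [ -n "$mac" ] || { echo "no MAC known for $ifc" >&2; return 1; }
  cat <<EOF
ebtables -t broute -A BROUTING -p IPv4 -i $ifc --ip-dst $ip -j DROP
ebtables -t broute -A BROUTING -p ARP -i $ifc -d $mac -j DROP
ebtables -t broute -A BROUTING -p ARP -i $ifc --arp-ip-dst $ip -j DROP
EOF
}

# $1 = bridge, remaining args = "port ip [mac]" (one quoted string per port).
# Assumes /24 netmasks, as in the page's example.
brouter_setup() {
  br=$1; shift
  printf 'ifconfig %s 0.0.0.0\n' "$br"
  for spec in "$@"; do
    set -- $spec     # split into $1 $2 $3; the loop's word list is already fixed
    printf 'ifconfig %s %s netmask 255.255.255.0\n' "$1" "$2"
    brouter_rules "$1" "$2" "$3" || return 1
  done
}

# Usage on a live system: brouter_setup br0 "eth0 172.16.1.1" "eth1 172.16.2.1" | sh
# Constructed MACs are passed here so the example runs without sysfs.
brouter_setup br0 "eth0 172.16.1.1 00:11:22:33:44:01" "eth1 172.16.2.1 00:11:22:33:44:02"
```

Refusing to emit rules for a port whose MAC cannot be determined matters: without the "-d <mac>" ARP rule, ARP replies addressed to the box itself would keep being bridged instead of routed, and the brouter would not answer on that port.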