I need help with EBTable ruleset: no one on the internet can



  • Bridge firewall that allows ssh in, and allows http/https out, but nothing else... ebtable ruleset isn't working :(



    I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... ebtable ruleset isn't working :(

    This is what I have so far. When I set the default policy to allow everything gets through, when deny nothing gets through:

    Here is the net setup: squid/sshserver --> eth1 [firewall] eth0 ---> Internet

    What is supposed to be allowed:
    ssh server (port 22 TCP) <--eth1 [firewall] eth0 <--- Internet
    ssh/squidserver --> eth1 [firewall] eth0 --> Internet (ports 80 and 443 TCP)

    What is supposed to be disallowed
    (spoofed ip w/o proper squidserver mac address going out)
    (anything else coming in)
    (probably anything else going out as well (maybe allow DNS, DHCP))

    Here is the ruleset right now:
    ebtables -L
    Bridge table: filter

    Bridge chain: INPUT, entries: 0, policy: ACCEPT

    Bridge chain: FORWARD, entries: 8, policy: DROP
    -p IPv4 --ip-proto icmp -j DROP
    -p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-dport 22 -j ACCEPT
    -p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-sport 22 -j ACCEPT
    -p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 80 -j ACCEPT
    -p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 80 -j ACCEPT
    -p IPv4 -d 0:8:d:54:13:c9 -i eth0 -o eth1 --ip-dst 192.168.0.22 --ip-proto tcp --ip-sport 443 -j ACCEPT
    -p IPv4 -s 0:8:d:54:13:c9 -i eth1 -o eth0 --ip-src 192.168.0.22 --ip-proto tcp --ip-dport 443 -j ACCEPT
    -p IPv4 -i eth0 --ip-src 192.168.0.22 -j DROP

    Bridge chain: OUTPUT, entries: 0, policy: ACCEPT


    Here are the commands used:

    ###The invisible bridge way:

    /usr/sbin/brctl addbr br0
    /usr/sbin/brctl addif br0 eth0
    /usr/sbin/brctl addif br0 eth1
    /sbin/ip link set br0 up
    /sbin/ip link set eth0 up # don't ask me why
    /sbin/ip link set eth1 up # don't ask me why
    #/sbin/ip addr add 192.168.0.6 brd + dev br0
    #/sbin/route add default gw 192.168.0.1 dev br0 ##Only needed if eth2 hasn't already set default gateway

    # ebtables...
    # example rule: block all ICMP
    ebtables -F FORWARD
    ebtables -P FORWARD DROP
    ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP
    #ebtables -A FORWARD -i eth0 -j DROP

    ##Here We allow SSH to pass through to the ssh server
    #Incoming Connection From Internet #ebtables -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination ip-of-the-ssh-server -j ACCEPT
    #Reply by the server To Internet #ebtables -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source ip-of-the-ssh-server -j ACCEPT
    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.22 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.22 -j ACCEPT

    ##Allow squid server to access HTTP and HTTPS servers on standard ports.
    #Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --i$
    #Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-des$
    #Incoming Packets From HTTP Server on Internet# ebtables -i eth0 -o eth1 -p ip --ip-destination squidserver -d macaddress-of-squidserver --ip-proto tcp --i$
    #Outgoing Packets From Clients on School Network# ebtables -i eth1 -o eth0 -p ip --ip-source squidserver -s macaddress-of-squidserver --ip-proto tcp --ip-des$
    ##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 80 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.22 -d 00:08:0D:54:13:C9 --ip-proto tcp --ip-source-port 443 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.22 -s 00:08:0D:54:13:C9 --ip-proto tcp --ip-destination-port 443 -j ACCEPT
    ##Anti-spoofing rule (Only matches the IP address of squidserver, not MAC address)
    ebtables -A FORWARD -i eth0 -p ip --ip-source 192.168.0.22 -j DROP

    #ebtables -A FORWARD -i eth0 -j DROP
    #ebtables -A FORWARD -p ip -j DROP ## block everything else
    #ebtables -A FORWARD -i eth0 -o eth1 -p ip -j DROP


    The bridge works, but the filtering is either all or nothing :/
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Tue May 19, 2009 3:31 pm

  • I'm trying to make a bridge firewall that allows ssh in, and allows http/https out, but nothing else... ebtable ruleset isn't working :(


    This blocks EVERYTHING. It COMPLETELY IGNORES THE RULESET!!!

    ebtables -F FORWARD
    ebtables -P FORWARD DROP
    ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP

    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-proto tcp --ip-destination-port 22 --ip-destination 192.168.0.21 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-proto tcp --ip-source-port 22 --ip-source 192.168.0.21 -j ACCEPT

    ebtables -A FORWARD -p ip --ip-src 192.168.0.21 -s ! 00:08:0D:54:13:C9 -j DROP
    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 80 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 80 -j ACCEPT
    ebtables -A FORWARD -i eth0 -o eth1 -p ip --ip-destination 192.168.0.21 --ip-proto tcp --ip-source-port 443 -j ACCEPT
    ebtables -A FORWARD -i eth1 -o eth0 -p ip --ip-source 192.168.0.21 --ip-proto tcp --ip-destination-port 443 -j ACCEPT




    Why doesn't this work?
    (I'm testing by trying to SSH to the box, and trying to go to the IP of a webserver across the bridge from the box)

Tue May 19, 2009 3:41 pm

  • It's like once it sees the policy of deny it ignores everything else.

Tue May 19, 2009 3:43 pm

Tue May 19, 2009 4:59 pm

  • Hmm that didn't answer my question, but this did!:

    http://www.linuxsecure.de/index.php?act ... s_bridgefw

    Here's the working ruleset:

    # example rule: block all ICMP
    ebtables -F FORWARD
    ebtables -P FORWARD DROP
    ebtables -A FORWARD -p ip --ip-proto icmp -j DROP ## block all ICMP

    ## Arp for all
    ebtables -A FORWARD -p 0x806 -j ACCEPT ##Allow ARP
    ##Squid Server
    ebtables -A FORWARD -p ip --ip-src 192.168.0.21 -s ! 00:08:0D:54:13:C9 -j DROP #Drop any naively IP spoofed packet "from" the squid server.
    ebtables -A FORWARD -i eth0 -o eth1 -p 0x800 --ip-dst 192.168.0.21 --ip-proto tcp --ip-sport 80 -j ACCEPT #Allow squid server to interact with HTTP
    ebtables -A FORWARD -i eth1 -o eth0 -p 0x800 --ip-src 192.168.0.21 --ip-proto tcp --ip-dport 80 -j ACCEPT #Allow squid server to interact with HTTP
    ebtables -A FORWARD -i eth0 -o eth1 -p 0x800 --ip-dst 192.168.0.21 --ip-proto tcp --ip-sport 443 -j ACCEPT #Allow squid server to interact with HTTPS
    ebtables -A FORWARD -i eth1 -o eth0 -p 0x800 --ip-src 192.168.0.21 --ip-proto tcp --ip-dport 443 -j ACCEPT #Allow squid server to interact with HTTPS
    ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.21 --ip-dst 167.206.3.137 --ip-proto udp --ip-dport 53 -j ACCEPT #Allow DNS access through bridge from squid $
    ebtables -A FORWARD -p 0x800 --ip-src 167.206.3.137 --ip-dst 192.168.0.21 --ip-proto udp --ip-sport 53 -j ACCEPT #Allow DNS access through bridge from squid $
    ##SSH Server
    ebtables -A FORWARD -p ip --ip-src 192.168.0.21 -s ! 00:08:0D:54:13:C9 -j DROP #Drop any naively IP spoofed packet "from" the SSH server.
    ebtables -A FORWARD -p 0x800 --ip-dst 192.168.0.21 --ip-proto tcp --ip-dport 22 -j ACCEPT #Allow SSH from internet to ssh server
    ebtables -A FORWARD -p 0x800 --ip-src 192.168.0.21 --ip-proto tcp --ip-sport 22 -j ACCEPT #Allow SSH from internet to ssh server
    ## Everyone (if you want everyone to be able to do something :P)
    ebtables -A FORWARD -p 0x800 --ip-dst 167.206.3.137 --ip-proto udp --ip-dport 53 -j ACCEPT #Allow DNS access through bridge from Everyone
    ebtables -A FORWARD -p 0x800 --ip-src 167.206.3.137 --ip-proto udp --ip-sport 53 -j ACCEPT #Allow DNS access through bridge from Everyone
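A check added here (not code from the thread or from ebtables) that reads an `ebtables -L` dump in the format quoted above and flags the two things that separate the failing ruleset from the final working one: a DROP policy with no ACCEPT for ARP, and a MAC anti-spoof DROP placed after the ACCEPT rules it is meant to guard. The sample dumps are constructed; that `-p 0x806` prints as `-p ARP` (the way `0x800` prints as `IPv4` above) is an assumption, and the regex accepts the raw value too.

```python
import re
# Constructed dumps in the `ebtables -L` format quoted in the thread (MACs print
# without leading zeros; -p 0x806 is assumed to print as "-p ARP").
# BROKEN mirrors the failing post: policy DROP, no ARP rule, anti-spoof DROP last.
BROKEN = """Bridge chain: FORWARD, entries: 3, policy: DROP
-p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.21 --ip-proto tcp --ip-dport 22 -j ACCEPT
-p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.21 --ip-proto tcp --ip-sport 22 -j ACCEPT
-p IPv4 -s ! 0:8:d:54:13:c9 --ip-src 192.168.0.21 -j DROP
"""
# FIXED mirrors the final working ruleset: ARP accepted, anti-spoof DROP first.
FIXED = """Bridge chain: FORWARD, entries: 4, policy: DROP
-p ARP -j ACCEPT
-p IPv4 -s ! 0:8:d:54:13:c9 --ip-src 192.168.0.21 -j DROP
-p IPv4 -i eth0 -o eth1 --ip-dst 192.168.0.21 --ip-proto tcp --ip-dport 22 -j ACCEPT
-p IPv4 -i eth1 -o eth0 --ip-src 192.168.0.21 --ip-proto tcp --ip-sport 22 -j ACCEPT
"""
CHAIN_RE = re.compile(r"Bridge chain: (\w+), entries: \d+, policy: (\w+)")

def parse_chains(dump):
    """Return {chain: {"policy": str, "rules": [rule lines, in match order]}}."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current and line.startswith("-"):
            chains[current]["rules"].append(line)
    return chains

def lint_forward(dump):
    """Return findings for the FORWARD chain; an empty list means both checks pass."""
    fwd = parse_chains(dump).get("FORWARD")
    if fwd is None: return ["no FORWARD chain in dump"]
    rules, findings = fwd["rules"], []
    # 1. Policy DROP with no ARP ACCEPT: nobody can resolve MACs, so the TCP rules never fire.
    if fwd["policy"] == "DROP" and not any(
            re.search(r"-p (ARP|0x806)\b", r) and r.endswith("-j ACCEPT") for r in rules):
        findings.append("policy DROP but no ACCEPT for ARP (-p ARP / 0x806)")
    # 2. ebtables is first-match: the MAC anti-spoof DROP must precede any ACCEPT trusting that --ip-src.
    for idx, rule in enumerate(rules):
        m = re.search(r"--ip-src (\S+)", rule)
        if not m or not rule.endswith("-j ACCEPT"):
            continue
        src = re.compile(rf"--ip-src {re.escape(m.group(1))}(\s|$)")
        if not any("-s !" in p and src.search(p) and p.endswith("-j DROP")
                   for p in rules[:idx]):
            findings.append(f"ACCEPT trusting --ip-src {m.group(1)} has no earlier anti-spoof DROP")
    return findings
```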


