Ethernet Bridge + netfilter Howto: Test your new bridged environment!

4. Test your new bridged environment!

4.1 Testing Grounds

We imagine this scenario or similar:


                                                          /\
          Ethernet           Ethernet           ATM    /-/  \
---------          ---------          ---------     /-/      |
|  Box  |----------|Bridge |----------|Router |-----| Inter-  \
---------          ---------          ---------     \  net  ---|
         ^        ^         ^        ^               \     /
         |        |         |        |                \---/
        eth0     eth0      eth1     if0                 ^
         |        |         |        |                  |
      10.0.3.2   none/10.0.3.1      195.137.15.7    anything else
                  \         /
                   \       /
   ^                \-br0-/
   |                                      ^             ^
   |                   ^                  |             |
   |                   |                  |             |
  own                 own              foreign        hostile

Our administrative power includes only machines marked with own, the Router is completely off-limits and so is the Internet, of course.
That means, if we want to control the flying bits'n'bytes on the ethernet wire we can chose to integrate a common firewall or file in a bridge.
Drawback of the standard way is you have to change the default gateway route on every and any single host in your net. And this is really a heavy weighting drawback, nobody wants to change more than 5 default routes on 5 different hosts more than one time. Keep the time in mind, this will consume, also! Not to forget, this is a error-prone way to handle the more about security..
The other way is clean, less time-consuming, more secure and less error-prone. More secure in that we won't have the need to assign any IP address. No IP, no danger. So far the theory, we hope, our stacks are safe. (Although this hope should better not relied on..) The overall advantage is, this bridge-setup is completely transparent, no IP, MAC, .. changes at all.
So it's up to you to chose your preferred method. But we will handle just the fancy one here ;-)

4.2 Ping it, Jim!

We will configure the Box' eth0 as usual. The bridge's interfaces are configured as described in Setup.
If we are to use forwarding we might perhaps do this one: ;-)


root@bridge:~> echo "1" > /proc/sys/net/ipv4/ip_forward

Optionally, we set up a default route:


root@bridge:~> route add default gw 10.0.3.129

Then we set up some iptables rules on host bridge:


root@bridge:~> iptables -P FORWARD DROP
root@bridge:~> iptables -F FORWARD
root@bridge:~> iptables -I FORWARD -j ACCEPT
root@bridge:~> iptables -I FORWARD -j LOG
root@bridge:~> iptables -I FORWARD -j DROP
root@bridge:~> iptables -A FORWARD -j DROP
root@bridge:~> iptables -x -v --line-numbers -L FORWARD

The last line gives us the following output:


Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target   prot opt in     out     source   destination
1           0        0 DROP       all  --  any    any     anywhere anywhere
2           0        0 LOG        all  --  any    any     anywhere anywhere      LOG level warning
3           0        0 ACCEPT     all  --  any    any     anywhere anywhere
4           0        0 DROP       all  --  any    any     anywhere anywhere

The LOG target logs every packet via syslogd. Beware, this is intended for testing purposes only, remove in production environment. Else you end up either with filled logs and harddisk partitions by you yourself or anyone else does this Denial of Service to you. You've been warned.
Test this ruleset now. Ping the router interface's IP (195.137.15.7) on host box:


root@box:~> ping -c 3 195.137.15.7
PING router.provider.net (195.137.15.7) from 10.0.3.2 : 56(84) bytes of data.
--- router.provider.net ping statistics ---
3 packets transmitted, 0 received, 100% loss, time 2020ms
^C
root@box:~>

By default, we DROP everything. No response, no logged packet. This netfilter setup is designed to DROP all packets unless we delete the rule that drops every packet (rule no. 1 above) before the LOG target matches:


root@bridge:~> iptables -D FORWARD 1
root@bridge:~> iptables -x -v --line-numbers -L FORWARD

Now, the rules are:


Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target   prot opt in     out     source   destination
2           0        0 LOG        all  --  any    any     anywhere anywhere      LOG level warning
3           0        0 ACCEPT     all  --  any    any     anywhere anywhere
4           0        0 DROP       all  --  any    any     anywhere anywhere

And any packet may pass through. Test it with a ping on host box:


root@box:~> ping -c 3 195.137.15.7
PING router.provider.net (195.137.15.7) from 10.0.3.2 : 56(84) bytes of data.
64 bytes from router.provider.net (195.137.15.7): icmp_seq=1 ttl=255 time=0.103 ms
64 bytes from router.provider.net (195.137.15.7): icmp_seq=2 ttl=255 time=0.082 ms
64 bytes from router.provider.net (195.137.15.7): icmp_seq=3 ttl=255 time=0.083 ms

--- router.provider.net ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2002ms
rtt min/avg/max/mdev = 0.082/0.089/0.103/0.012 ms
root@box:~>

Yippeah! The router is alive, up and running. (Well it has been all day long.. ;-)

Important Note:: When we just fired up the bridge interface it takes about roughly 30 seconds until the bridge is fully operational. This is due the 30-seconds-learning phase of the bridge interface. During this phase, the bridge ports are learning what MAC addresses exist on what port. The bridge author, Lennert, tells us in his TODO file, the 30-seconds-learning phase is subjected to some improvement in a timely manner some time.
During the test phase, no packet will we forwarded. No ping be answered. Remind this!

4.3 Actual configuration

This section is intended to give you, dear reader, some hints about how your system should look and feel after having processed this howto successfully.

Interface configuration

The output of your ifconfig command might look similar to this:


root@bridge:~> ifconfig
br0       Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          inet addr:10.0.3.129  Bcast:195.30.198.255  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:161180 (157.4 Kb)  TX bytes:66708 (65.1 Kb)

eth0      Link encap:Ethernet  HWaddr 00:04:75:81:ED:B7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5729 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3115 errors:0 dropped:0 overruns:0 carrier:656
          collisions:0 txqueuelen:100
          RX bytes:1922290 (1.8 Mb)  TX bytes:298837 (291.8 Kb)
          Interrupt:11 Base address:0xe400

eth1      Link encap:Ethernet  HWaddr 00:04:75:81:D2:1D
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:1 frame:0
          TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:342 (342.0 b)  TX bytes:48379 (47.2 Kb)
          Interrupt:7 Base address:0xe800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1034 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1034 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:82068 (80.1 Kb)  TX bytes:82068 (80.1 Kb)

Routing configuration

The output of your route command might look similar to this:


root@bridge:~> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.129      0.0.0.0         255.255.255.128 U     0      0        0 br0
0.0.0.0         10.0.3.129      0.0.0.0         UG    0      0        0 br0
root@bridge:~>

Iptables configuration

Please have a look at the Ping it, Jim! section.

4.4 Note

Apparently, there must have been a bug in the br-nf code:

From: Bart De Schuymer <bart.de.schuymer_@_pandora.be>
Date: Sun, 1 Sep 2002 21:52:46 +0200
To: Nils Radtke <Nils.Radtke_@_Think-Future.de>
Subject: Re: Ethernet-Brigde-netfilter-HOWTO

Hello Nils,

[...]
Also, network packet filtering debugging is generally a bad idea with the
br-nf patch. It can gives a lot of false warnings (about bugs) in the logs.
[...]

Personally, I never had false positives in my log. Maybe, that bug has been fixed. This mailed to Bart, he wrote:

From: Bart De Schuymer <bart.de.schuymer_@_pandora.be>
Date: Mon, 2 Sep 2002 18:30:25 +0200
To: Nils Radtke <Nils.Radtke_@_Think-Future.de>
Subject: Re: Ethernet-Brigde-netfilter-HOWTO

On Monday 02 September 2002 00:39, Nils Radtke wrote:
> Will the revision of the nf-debug code in br-nf be subject of improvement?

I must admit I haven't been running any kernel with netfilter debugging
lately. It sure used to give false positives a few months ago (the bridge
mailing list has posts about that), I've been lacking time to see why and if
it is still the case. It's on my todo list.
[...]

But (as of writing this 2002-09-19) I haven't found an official announcement, this particular bug has been closed. So have a constant look at this topic on the ethernet bridge mailinglist , if you are interested in it's cure.

Next Previous Contents

Партнёры:

Хостинг:

Закладки на сайте
Проследить за страницей

Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру