Building a Transparent Firewall with Linux, Part III

Hack your cheap wireless gateway into a stealth firewall.

In this series of articles, I'm showing how to build a transparent firewall using OpenWrt (Linux) running on an inexpensive Linksys WRT54GL wireless router. In Part I, I explained why firewalls are still important and the difference between a traditional IP firewall and a transparent firewall.

In Part II, I sketched out a simple design for deploying a transparent firewall in a home network setting (probably the best application of any OpenWrt-based firewall). I also showed the step-by-step process by which I replaced the native Linksys firmware on my WRT54GL with OpenWrt Kamikaze (v. 8.09.2, running a Linux 2.4 kernel) and then upgraded it to OpenWrt Backfire (v. 10.03, running a Linux 2.6 kernel).

This month, I recompile and configure OpenWrt Backfire, hopefully the last major OpenWrt-specific task covered in this series. Next time, I'll begin writing a custom iptables firewall script, which will apply to any Linux system you want to use as a transparent firewall.

Before diving back in, a quick note on OpenWrt performance: OpenWrt is a hobbyist's distribution, and it runs on cheap hardware with less RAM and slower processors than any modern Linux desktop system. I'm writing about it because it's fun to play with, and because I've long wanted to do some hardware hacking in this column. OpenWrt is not, however, a good choice if you need a firewall that is either very fast or very stable.

Recompiling the OpenWrt Kernel

Before configuring OpenWrt, you need to recompile it. That is, you need to recompile the Linux 2.6 kernel in Backfire so that iptables can run in bridging mode, rebundle the kernel into a new firmware image and re-flash that to your gateway. This is less work than it probably sounds like.

The OpenWrt build process has some prerequisites. First, you need all of these Ubuntu packages (or your distribution's equivalents): gawk, gcc, binutils, patch, bzip2, flex, bison, make, gettext, pkg-config, unzip, libz-dev, libcheaders and subversion.

If you've compiled a Linux kernel before, your system may have most of these already; on mine, I needed to install only gawk, flex, bison, subversion and gettext.

Next, you need 3.5GB of free disk space on a non-Windows-formatted volume (msdos, fat32 and ntfs don't support Linux user/group-ownerships and permissions). I don't know why so much space is necessary to compile a firmware image for devices with only 4MB of RAM, but if you run out of disk space during the compile, you'll get strange, cryptic error messages.

The compile process is time consuming but simple. As a nonroot user, change your working directory into your 3.5GB-free volume, and execute this sequence of commands:

backfireimage-$ svn co svn://svn.openwrt.org/openwrt/branches/backfire

This fetches the source code tree for the current version of OpenWrt into your working directory. Now, enter that source code tree:

backfireimage-$ cd ./backfire

By adding this line to your kernel configuration, you make iptables able to operate in bridging mode—that is, to control packets traversing a local bridge device:

backfireimage/backfire-$ echo "CONFIG_BRIDGE_NETFILTER=y" >> 
 ↪./target/linux/brcm47xx

Now, rebuild the entire OpenWrt firmware image—the Linux 2.6 kernel, all system commands and the compressed RAM filesystem on which they reside:

backfireimage/backfire-$ make

This one make command takes quite a long time, depending on how fast your CPU and hard disk are. If it ends prematurely due to errors, the likeliest causes are either that you're missing a required package or you don't have enough free disk space.

If your build fails for some other reason, or if you simply can't tell, try again with this command:

backfireimage/backfire-$ make V=99

Setting make's verbosity to 99 in this way causes it to output a very large quantity of log messages. If you end up seeking help on the OpenWrt Forums (https://forum.openwrt.org), including some of these log messages will improve your odds at receiving a useful answer.

Once the build completes successfully, you can change your working directory to that in which the new binary firmware images reside. Since I'm working with a Linksys WRT54GL, which uses a Broadcom chipset, and since I'm installing a Linux 2.6 kernel, the binaries I want are in bin/brcm47xx:

backfireimage/backfire-$ cd bin/brcm47xx

Now it's time to reboot the WRT54GL and re-flash its firmware. Immediately after turning your router's power off and then back on, or issuing the command reboot from a telnet session, enter this command to push the new image from your build system:

backfireimage/backfire-$ tftp -m binary 192.168.1.1 -c 
 ↪put openwrt-wrt54g-squashfs.bin

As you may recall from last time, OpenWrt's default IP address is 192.168.1.1. On the laptop from which I'm connecting to my broadband router, I've configured the Ethernet interface with an IP address on the same network (192.168.1.30, netmask 255.255.255.0).

It may take a few reboot/TFTP attempts for your broadband router to “see” the TFTP push, but once it does, and after it decompresses and loads the new firmware, your router will be capable of acting as a transparent firewall! But, first you've got to do some system-level configuration.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Compile time configuration

Paddy's picture

In the article, you indicate that the relevant binaries are to be found under 'bin/brcm47xx'. Though when I compile using the default configuration (target system: Broadcom BCM947xx/953xx [2.4], target profile: Linksys WRT610N v1) I get the 'bin/brcm-2.4' directory instead.

My guess is you used 'Broadcom BCM947xx/953xx' as target system. Still, I am not sure about the target profile that should be used.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState