Building a Transparent Firewall with Linux, Part IV
I've been writing a multipart series on building a transparent (bridging) firewall using Linux. Specifically, I'm using the distribution OpenWrt running on a Linksys WRT54GL broadband router, a hardware choice driven mainly by my curiosity about the WRT54GL's built-in five-port Ethernet switch and its ability to run OpenWrt Linux.
So far I've covered installing OpenWrt, recompiling a new OpenWrt image with iptables' bridging functionality enabled and configuring networking using OpenWrt's uci (Unified Configuration Interface) command.
This month, I review the example network topology and finally begin configuring iptables, the heart of the whole undertaking. Before I do so, however, there are a few OpenWrt housecleaning tasks to get out of the way: tweaking the kernel and network configurations, and disabling OpenWrt's native firewall system.
OpenWrt Performance as a Transparent Firewall
In researching this article, I had a nasty surprise. Although in the past I had seen articles and how-tos on making transparent firewalls with OpenWrt, this mode of operation is not supported by default in the Kamikaze and Backfire releases. Reportedly, running iptables in bridging mode under OpenWrt reduces overall system performance by a whopping 40%!
I proceeded writing this series anyhow, because I wanted to see for myself just how big an effect this is, and it seemed to me that the series still would be useful just for the sake of explaining how to install and use OpenWrt, and for explaining how to write iptables rules for transparent firewalls. However, at several points, I've written of my doubts as to the example OpenWrt/WRT54GL's suitability for high-bandwidth/high-availability settings.
Also, hopefully without sounding too grandiose, I hoped that by spurring greater interest in OpenWrt's flawed capability, I might encourage someone to get to the bottom of why OpenWrt performance plunges when run with iptables in bridging mode. Surely there's a reason that this not terribly new kernel feature is problematic in OpenWrt!
I say all this because I want to be clear that although transparent Linux firewalls in general constitute an interesting and useful technology, the specific combination of a $65 broadband router plus OpenWrt running in this mode is probably suitable only in a home or lab setting, not for any situation where you need to move large volumes of packets very quickly and very reliably (which is hopefully unnecessary for me to say, given that the WRT54GL is marketed to home users in the first place). I say it also so you understand why you have to go through the hoops of recompiling the OpenWrt image and editing /etc/sysctl.conf to get iptables bridging working in OpenWrt.
Recompiling the OpenWrt image with CONFIG_BRIDGE_NETFILTER=y set in the Linux kernel is the first of two steps in enabling iptables' bridging mode in OpenWrt. The second step is either to delete the following parameters in /etc/sysctl.conf or set each of them to “1” rather than “0”:
net.bridge.bridge-nf-call-arptables=0 net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0
In addition, I need to correct an error I made in the OpenWrt network configuration I showed you last time. You may recall that I changed OpenWrt's default configuration, such that all Ethernet ports were assigned to a single VLAN and bridge.
But possibly due to the way the Linux kernel interacts with the bridge hardware on my Linksys WRT54GL, with that configuration, I find that iptables ignores inter-VLAN traffic—that is, traffic between ports on the same VLAN. In order to get iptables to work properly on this hardware and on OpenWrt, I actually need two VLANs: one corresponding to my “uplink” (the Ethernet port connected to the outside world) and my “LAN” (everything else). These two VLANs, however, are still associated with the same bridge interface.
To create a separate VLAN for my uplink port, which is my WRT54GL's “WAN” port (or “port 4” to OpenWrt), I issue these commands on my router:
root@sugartongs:/etc/config# uci set network.eth0_1=switch_vlan root@sugartongs:/etc/config# uci set network.eth0_1.device="eth0" root@sugartongs:/etc/config# uci set network.eth0_1.vlan="1" root@sugartongs:/etc/config# uci set network.eth0_1.ports="4 5"
(Port 5, you'll recall, is a virtual port associated with the kernel, that must be included in all “ports” statements in OpenWrt network configurations, which is why our “...ports” statement is set to “4 5” rather than just “4”.)
To remove the WAN port from the other VLAN (eth0_0) I set up last time, I use this command:
root@sugartongs:/etc/config# uci set network.eth0_0.ports="0 1 2 3 5"
Next, in my bridge configuration, for the network I named “lan”, I associate both VLANs with the bridge:
root@sugartongs:/etc/config# uci set ↪network.lan.ifname="eth0.0 eth0.1"
And finally, I list my new network configuration to make sure everything's correct, commit the changes and reboot:
root@sugartongs:/etc/config# uci show network root@sugartongs:/etc/config# uci commit root@sugartongs:/etc/config# reboot
Listing 1 shows what the resulting /etc/config/network file looks like.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- Dynamic DNS—an Object Lesson in Problem Solving
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- Tech Tip: Really Simple HTTP Server with Python
- Roll your own dynamic dns
3 hours 50 min ago
- Please correct the URL for Salt Stack's web site
7 hours 1 min ago
- Android is Linux -- why no better inter-operation
9 hours 17 min ago
- Connecting Android device to desktop Linux via USB
9 hours 45 min ago
- Find new cell phone and tablet pc
10 hours 43 min ago
12 hours 12 min ago
- Automatically updating Guest Additions
13 hours 21 min ago
- I like your topic on android
14 hours 7 min ago
- This is the easiest tutorial
20 hours 43 min ago
- Ahh, the Koolaid.
1 day 2 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?