Building a Transparent Firewall with Linux, Part V
Dear readers, I appear to have set a Paranoid Penguin record—six months spent on one article series. (It has consisted of five installments, with a one-month break between the second and third pieces.) But, we've covered a lot of ground: transparent firewall concepts and design principles; how to install OpenWrt on a Linksys WRT54GL router; how to compile a custom OpenWrt system image; how to configure networking and iptables bridging on OpenWrt; and, of course, how to replace the native OpenWrt firewall script with a customized iptables script that works in bridging mode. This month, I conclude the series by showing how to achieve the same thing using an ordinary PC running Ubuntu 10.04.
At this late stage in the series, I assume you know what a transparent firewall is and where you might want to deploy it on your network. But since I haven't said a word about PC hardware since Part II (in the September 2010 issue of LJ), it's worth repeating a couple points I made then about selecting network hardware, especially on laptops.
If it were ten years ago, I'd be talking about internal PCI network adapters for desktop/tower systems and PCMCIA (PC-card) interfaces for laptops. Nowadays, your system almost certainly has an Ethernet card built in and needs only one more to act as a firewall (unless you want a third “DMZ” network, but that's beyond the scope of this series—I'm assuming you're firewalling off just one part of your network).
If you have a desktop or tower system with a free PCI slot, you've got a plethora of good choices for Linux-compatible Ethernet cards. But, if you have a laptop, or if your PCI slots are all populated, you'll want an external USB Ethernet interface.
Here's the part I mentioned earlier: be sure to select a USB Ethernet interface that supports USB 2.0, because USB 1.1 runs at only 12Mbps and USB 1.0 at 1.5Mbps. (USB 2.0 runs at 480Mbps—plenty fast unless your LAN runs Gigabit Ethernet.) Obviously, you also want an interface that is supported under Linux.
As a general rule, I don't like to shill specific products, but in the course of writing these articles, I had excellent experiences with the D-Link DUB-E100, a USB 2.0, Fast Ethernet (100Mbps) interface. It's supported under Linux by the usbnet and asix kernel modules. Chances are, your Linux system automatically will detect a DUB-E100 interface and load both modules. I love it when a cheap, simple device not only “just works” under Linux, but also performs well, don't you?
You'll remember from the previous two installments that in order to support iptables in bridging mode, your Linux kernel needs to be compiled with CONFIG_BRIDGE_NETFILTER=1, and your /etc/sysctl.conf file either needs to not contain any entries for the following settings or have them set to “1”:
net.bridge.bridge-nf-call-arptables=0 net.bridge.bridge-nf-call-ip6tables=0 net.bridge.bridge-nf-call-iptables=0
Well, if you're an Ubuntu user, you don't have to worry. Unlike OpenWrt, the stock Ubuntu kernels already have CONFIG_BRIDGE_NETFILTER support compiled in, and its default /etc/sysctl.conf file is just fine without needing any editing by you. Odds are, this is true for Debian and other Debian derivatives as well, although I haven't had a chance to verify it myself.
One thing you probably will have to do, however, is install the command brctl by way of either Debian's/Ubuntu's bridge-utils package or whatever package through which your non-Debian-derived distribution of choice provides the brctl command. This is seldom a default package, so if entering the command which brctl doesn't yield a path to the brctl command, you need to install it.
As with OpenWrt, however, you will not need the ebtables (Ethernet Bridging tables) command, unless you want to filter network traffic based on Ethernet header information, such as MAC (hardware) address and other very low-level criteria. Nothing I describe in this series requires ebtables, just plain-old iptables.
If you've got two viable Ethernet interfaces, if your kernel supports iptables in bridging mode, and if your system has bridge-utils installed, you're ready to set up bridging! On Ubuntu Server and other Debian-derived, nongraphical systems, this involves changes to only one file, /etc/network/interfaces—unless, that is, your window manager controls networking. See the sidebar Networking Tips: GNOME vs. You for instructions on disabling GNOME's Network Manager system.
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
|Dart: a New Web Programming Experience||May 07, 2013|
- RSS Feeds
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- New Products
- Developer Poll
- Trying to Tame the Tablet
- Validate an E-Mail Address with PHP, the Right Way
- Deceptive Advertising and
8 min 32 sec ago
- Let\'s declare that you have
9 min 29 sec ago
- Alterations in Contest Due
10 min 35 sec ago
- At a numbers mindset, your
11 min 46 sec ago
- Do not get Just Almost any
15 min 15 sec ago
- A fantastic rule-of-thumb to
16 min 38 sec ago
- Keren mastah..
1 hour 14 min ago
- mini tablet compare
2 hours 33 min ago
- Looking Good
6 hours 6 min ago
- Hey God - You may not be
10 hours 19 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.