Building a Transparent Firewall with Linux, Part V

Build a transparent firewall using an ordinary PC.

So, let's examine a network configuration for bridged eth1 and eth2 interfaces. (To you fans of Fedora, Red Hat, SUSE and other non-Debian-ish distributions, I apologize for my recent Ubuntu-centrism. But hopefully, what follows here gives you the gist of what you need to do within your respective distribution's manual-network-configuration schemes.)

Listing 1 shows my Ubuntu 10.04 firewall's /etc/network/interfaces file. My test system is actually an Ubuntu 10.04 Desktop system, but I've disabled Network Manager as described in the sidebar.

The first part of Listing 1 shows settings for lo, a virtual network interface used by local processes to communicate with each other. I've explicitly assigned lo its customary IP address and subnetwork mask

The rest of Listing 1 gives the configuration for br0, my logical bridge interface. First, I set the bridge interface's IP address to with a netmask of, just as I did with OpenWrt. Note that when you associate physical network interfaces with a logical bridge interface, the bridge interface gets an IP address, but the physical interfaces do not. They are, at that point, just ports on a bridge.

Note that on my test system, eth1 and eth2 are the names assigned to my two USB D-Link DUB-E100 interfaces. It's actually more likely you'd use your machine's built-in Ethernet interface (probably named eth0), and that any second interface you'd add would be named eth1. When in doubt, run the command tail -f /var/log/messages before attaching your second interface to see what name your system assigns to it. You also can type sudo ifconfig -a to get detailed information on all network interfaces present, even ones that are down.

Continuing the analysis of Listing 1, after I configure the bridge IP address and netmask, I actually bring down the two physical interfaces I'm going to bridge, before invoking the brctl command to create the bridge (br0) and add each interface (eth1 and eth2) to it. The last step in bringing the bridge up is to assign to both physical interfaces, eth1 and eth2, the reserved address, which has the effect of allowing each of those interfaces to receive any packet that reaches it—which is to say, having an interface listen on IP address makes that interface promiscuous. This is a necessary behavior of switch ports. It does not mean all packets entering on one port will be forwarded to some other port automatically; it merely means that all packets entering that port will be read and processed by the kernel.

The “post-down” statements in Listing 1, obviously enough, all concern breaking down the bridge cleanly on shutdown.

Once you've restarted networking with a sudo /etc/init.d/networking restart, your system should begin bridging between its two physical interfaces. You should test this by connecting one interface on your Linux bridge/firewall to your Internet-connected LAN and connecting the other interface to some test system. The test system shouldn't have any problem connecting through to your LAN and reaching the Internet, as though there were no Linux bridge in between—at least, not yet it shouldn't. But, we'll take care of that!


One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix