Home

Building a Transparent Firewall with Linux, Part V

Issue 201

From Issue #201
January 2011

Mar 01, 2011  By Mick Bauer
 in
Build a transparent firewall using an ordinary PC.

Networking Tips: GNOME vs. You

Normally, any computer you're configuring to act as a network device or server should not run the X Window System for reasons of performance and security. But if, for some reason, such as testing, you want to set up bridging on Ubuntu 10.04 Desktop (or any other GNOME-based distribution), you need to be aware of a few things.

Traditionally, Ubuntu and other Debian derivatives store network interface configurations in the file /etc/network/interfaces. However, GNOME's Network Manager system automatically configures any interface not explicitly described in that file.

In theory, this should mean that if you specify interface and bridge configurations in /etc/network/interfaces, you shouldn't have to worry about Network Manager overriding or otherwise conflicting with those settings. But in practice, at least in my own experience on Ubuntu 10.04, you're better off disabling Network Manager altogether in the System→Preferences→Startup Applications applet, if you want to set up persistent bridge settings in /etc/network/interfaces.

To completely disable Network Manager, you also need to open the System→Preferences→Network Connections control panel and delete all connection profiles under the Wired tab. Even if Network Manager is disabled as a startup service, Ubuntu will read network configuration information set by this control panel, resulting in strange interactions with /etc/network/interfaces.

On my test system, even after disabling the Network Manager service, setting up /etc/network/interfaces as shown in Listing 1 and stopping and restarting /etc/init.d/networking, eth2 kept showing up in my routing table with the same IP address as br0, even though br0 should have been the only interface with any IP address (let alone a route). Clearing out eth2's entry in Network Connections and again restarting networking fixed the problem.

To kill the running Network Manager processes, first find its process ID using ps auxw |grep nm-applet. Then, do sudo kill -9 [PID] (substituting [PID] with the process ID, of course) to shut down Network Manager. This is a good point to configure networking manually by editing /etc/network/interfaces (sudo vi /etc/network/interfaces). Finally, restart networking by entering sudo /etc/init.d/networking restart.

So, let's examine a network configuration for bridged eth1 and eth2 interfaces. (To you fans of Fedora, Red Hat, SUSE and other non-Debian-ish distributions, I apologize for my recent Ubuntu-centrism. But hopefully, what follows here gives you the gist of what you need to do within your respective distribution's manual-network-configuration schemes.)

Listing 1 shows my Ubuntu 10.04 firewall's /etc/network/interfaces file. My test system is actually an Ubuntu 10.04 Desktop system, but I've disabled Network Manager as described in the sidebar.

Listing 1. /etc/network/interfaces

auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

auto br0
iface br0 inet static
  address 10.0.0.253
  netmask 255.255.255.0
  pre-up ifconfig eth1 down
  pre-up ifconfig eth2 down
  pre-up brctl addbr br0
  pre-up brctl addif br0 eth1
  pre-up brctl addif br0 eth2
  pre-up ifconfig eth1 0.0.0.0
  pre-up ifconfig eth2 0.0.0.0
  post-down ifconfig eth1 down
  post-down ifconfig eth2 down
  post-down ifconfig br0 down
  post-down brctl delif br0 eth1
  post-down brctl delif br0 eth2
  post-down brctl delbr br0

The first part of Listing 1 shows settings for lo, a virtual network interface used by local processes to communicate with each other. I've explicitly assigned lo its customary IP address 127.0.0.1 and subnetwork mask 255.0.0.0.

The rest of Listing 1 gives the configuration for br0, my logical bridge interface. First, I set the bridge interface's IP address to 10.0.0.253 with a netmask of 255.255.255.0, just as I did with OpenWrt. Note that when you associate physical network interfaces with a logical bridge interface, the bridge interface gets an IP address, but the physical interfaces do not. They are, at that point, just ports on a bridge.

Note that on my test system, eth1 and eth2 are the names assigned to my two USB D-Link DUB-E100 interfaces. It's actually more likely you'd use your machine's built-in Ethernet interface (probably named eth0), and that any second interface you'd add would be named eth1. When in doubt, run the command tail -f /var/log/messages before attaching your second interface to see what name your system assigns to it. You also can type sudo ifconfig -a to get detailed information on all network interfaces present, even ones that are down.

Continuing the analysis of Listing 1, after I configure the bridge IP address and netmask, I actually bring down the two physical interfaces I'm going to bridge, before invoking the brctl command to create the bridge (br0) and add each interface (eth1 and eth2) to it. The last step in bringing the bridge up is to assign to both physical interfaces, eth1 and eth2, the reserved address 0.0.0.0, which has the effect of allowing each of those interfaces to receive any packet that reaches it—which is to say, having an interface listen on IP address 0.0.0.0 makes that interface promiscuous. This is a necessary behavior of switch ports. It does not mean all packets entering on one port will be forwarded to some other port automatically; it merely means that all packets entering that port will be read and processed by the kernel.

The “post-down” statements in Listing 1, obviously enough, all concern breaking down the bridge cleanly on shutdown.

Once you've restarted networking with a sudo /etc/init.d/networking restart, your system should begin bridging between its two physical interfaces. You should test this by connecting one interface on your Linux bridge/firewall to your Internet-connected LAN and connecting the other interface to some test system. The test system shouldn't have any problem connecting through to your LAN and reaching the Internet, as though there were no Linux bridge in between—at least, not yet it shouldn't. But, we'll take care of that!

______________________

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions