Building a Transparent Firewall with Linux, Part V

Dear readers, I appear to have set a Paranoid Penguin record—six months spent on one article series. (It has consisted of five installments, with a one-month break between the second and third pieces.) But, we've covered a lot of ground: transparent firewall concepts and design principles; how to install OpenWrt on a Linksys WRT54GL router; how to compile a custom OpenWrt system image; how to configure networking and iptables bridging on OpenWrt; and, of course, how to replace the native OpenWrt firewall script with a customized iptables script that works in bridging mode. This month, I conclude the series by showing how to achieve the same thing using an ordinary PC running Ubuntu 10.04.

At this late stage in the series, I assume you know what a transparent firewall is and where you might want to deploy it on your network. But since I haven't said a word about PC hardware since Part II (in the September 2010 issue of LJ), it's worth repeating a couple points I made then about selecting network hardware, especially on laptops.

If it were ten years ago, I'd be talking about internal PCI network adapters for desktop/tower systems and PCMCIA (PC-card) interfaces for laptops. Nowadays, your system almost certainly has an Ethernet card built in and needs only one more to act as a firewall (unless you want a third “DMZ” network, but that's beyond the scope of this series—I'm assuming you're firewalling off just one part of your network).

If you have a desktop or tower system with a free PCI slot, you've got a plethora of good choices for Linux-compatible Ethernet cards. But, if you have a laptop, or if your PCI slots are all populated, you'll want an external USB Ethernet interface.

Here's the part I mentioned earlier: be sure to select a USB Ethernet interface that supports USB 2.0, because USB 1.1 runs at only 12Mbps and USB 1.0 at 1.5Mbps. (USB 2.0 runs at 480Mbps—plenty fast unless your LAN runs Gigabit Ethernet.) Obviously, you also want an interface that is supported under Linux.

As a general rule, I don't like to shill specific products, but in the course of writing these articles, I had excellent experiences with the D-Link DUB-E100, a USB 2.0, Fast Ethernet (100Mbps) interface. It's supported under Linux by the usbnet and asix kernel modules. Chances are, your Linux system automatically will detect a DUB-E100 interface and load both modules. I love it when a cheap, simple device not only “just works” under Linux, but also performs well, don't you?

You'll remember from the previous two installments that in order to support iptables in bridging mode, your Linux kernel needs to be compiled with CONFIG_BRIDGE_NETFILTER=1, and your /etc/sysctl.conf file either needs to not contain any entries for the following settings or have them set to “1”:

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

Well, if you're an Ubuntu user, you don't have to worry. Unlike OpenWrt, the stock Ubuntu kernels already have CONFIG_BRIDGE_NETFILTER support compiled in, and its default /etc/sysctl.conf file is just fine without needing any editing by you. Odds are, this is true for Debian and other Debian derivatives as well, although I haven't had a chance to verify it myself.

One thing you probably will have to do, however, is install the command brctl by way of either Debian's/Ubuntu's bridge-utils package or whatever package through which your non-Debian-derived distribution of choice provides the brctl command. This is seldom a default package, so if entering the command which brctl doesn't yield a path to the brctl command, you need to install it.

As with OpenWrt, however, you will not need the ebtables (Ethernet Bridging tables) command, unless you want to filter network traffic based on Ethernet header information, such as MAC (hardware) address and other very low-level criteria. Nothing I describe in this series requires ebtables, just plain-old iptables.

If you've got two viable Ethernet interfaces, if your kernel supports iptables in bridging mode, and if your system has bridge-utils installed, you're ready to set up bridging! On Ubuntu Server and other Debian-derived, nongraphical systems, this involves changes to only one file, /etc/network/interfaces—unless, that is, your window manager controls networking. See the sidebar Networking Tips: GNOME vs. You for instructions on disabling GNOME's Network Manager system.