Regain control over your Layer 2 bridge with iptables and ebtables.
As we saw in the previous hack [Hack #58], creating an Ethernet-to-wireless bridge is very straightforward. While this allows for very easy integration with your existing network, it isn’t always the best decision from a security point of view. Rather than simply connect two networks together at Layer 2, wouldn’t it be nice to be able to tightly control the flow of packets between the two networks?
You might think that you could simply use iptables to control network access, as you normally would with any other network device. In the experimental Linux 2.5 kernels, this is the case. But when 802.1d bridging is in effect in Linux 2.4, the netfilter code never sees bridged packets. In order to make traffic visible to standard firewall tools, you’ll have to patch your kernel.
There are two Linux 2.4 patches available that allow you to manipulate your bridge as a firewall: ebtables and bridge-nf. The first patch implements ebtables, a new packet filter specifically designed for Ethernet bridges. The second provides netfilter functionality for your bridge, so you can manipulate it using iptables. Both patches are available at http://ebtables.sourceforge.net/. While you’re there, be sure to grab a copy of the ebtables utilities as well.
If you’re running Linux 2.5 or later, you’re in luck. Both ebtables and bridge-nf are now built into the kernel, so you don’t have to patch your kernel.
Extract a clean copy of Linux 2.4.20, and patch your kernel source by doing the following:
rob@florian:/usr/local/src$tar jvxf ~/linux-2.4.20.tar.bz2
rob@florian:/usr/local/src$patch -p0 < ~/ebtables-v2.0.003_vs_2.4.20.diff
patching file linux-2.4.20/net/bridge/br_private.h patching file linux-2.4.20/include/linux/if_bridge.h patching file linux-2.4.20/net/core/dev.c ... rob@florian:/usr/local/src$patch -p0 < ~/bridge-nf-0.0.10-against
[RETURN]-2.4.20.diff
patching file linux-2.4.20/include/linux/netfilter.h patching file linux-2.4.20/include/linux/netfilter_ipv4.h patching file linux-2.4.20/include/linux/netfilter_bridge.h ... rob@florian:/usr/local/src$
This assumes that you put your kernel sources in
/usr/local/src/
, and that the patches are in
your home directory, but feel free to keep your code wherever you
like. Now that your kernel source is patched, configure and build
your kernel as you normally would. Be sure to include 802.1d Ethernet
Bridging (CONFIG_BRIDGE) when you configure it.
With your new kernel installed, you can now manipulate the firewall exactly as you would expect using iptables . You can also use ebtables to do all sorts of interesting things at the MAC layer. For example, to ignore all traffic from a given IP that doesn’t match a known MAC address, you could try this:
#ebtables -A FORWARD -p IPv4 --ip-src 10.15.6.10 -s ! 00:30:65:FF:AA:BB
[RETURN]-j DROP
This prevents other users from "camping” on known IP addresses. While it won’t help much with MAC spoofing attacks, this will help keep average users from stepping on other people’s IP addresses. You can also use it in reverse to lock a MAC address into a particular IP:
#ebtables -A FORWARD -p IPv4 --ip-src ! 10.15.6.10 -s 00:30:65:FF:AA:BB
[RETURN]-j DROP
This will prohibit the machine with the specified MAC address from using any IP but 10.15.6.10.
These are just a couple of
examples of the power and flexibility of
ebtables. You can also do all sorts of neat
things like MAC redirection and
NAT, or filter on protocol types (need to
drop all IPv6 traffic? No problem!). For more information, check out
the ebtables web site as well as
man
ebtables
.
Get Wireless Hacks now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.