Linux桥防火墙.docx

Linux桥防火墙.docx

《Linux桥防火墙.docx》由会员分享，可在线阅读，更多相关《Linux桥防火墙.docx（11页珍藏版）》请在冰豆网上搜索。

Linux桥防火墙

ebtables/iptablesinteractiononaLinux-basedbridge（网桥式防火墙）

跨越了TCP/IP模型，可在链路层实现IPNAT与MACNAT功能。

。

。

。

。

ebtables/iptablesinteractiononaLinux-basedbridge

TableofContents

1.Introduction

2.Howframestraversetheebtableschains

3.Amachineusedasabridgeandarouter（notabrouter）

4.DNAT'ingbridgedpackets

5.ChaintraversalforbridgedIPpackets

6.Usingabridgeportiniptablesrules

7.Twopossiblewaysforframes/packetstopassthroughtheiptablesPREROUTING,FORWARDandPOSTROUTINGchains

8.IPDNATintheiptablesPREROUTINGchainonframes/packetsenteringonabridgeport

9.UsingtheMACmoduleextensionforiptables

10.Usingtheiptablesphysdevmatchmoduleforkernel2.6

11.DetailedIPpacketflow

1.Introduction

ThisdocumentdescribeshowiptablesandebtablesfilteringtablesinteractonaLinux-basedbridge.

Gettingabridgingfirewallona2.4.xkernelconsistsofpatchingthekernelsourcecode.The2.6kernelcontainstheebtablesandbr-nfcode,soitdoesn'thavetobepatched.Becausethedemandwashigh,patchesforthe2.4kernelarestillavailableattheebtableshomepage.Thebr-nfcodemakesbridgedIPframes/packetsgothroughtheiptableschains.EbtablesfiltersontheEthernetlayer,whileiptablesonlyfiltersIPpackets.

TheexplanationsbelowwillusetheTCP/IPNetworkModel.Itshouldbenotedthatthebr-nfcodesometimesviolatestheTCP/IPNetworkModel.Aswillbeseenlater,itispossible,f.e.,todoIPDNATinsidetheLinkLayer.

WewanttonotethatweareperfectlywellawarethatthewordframeisusedfortheLinkLayer,whilethewordpacketisusedfortheNetworkLayer.However,whenwearetalkingaboutIPpacketsinsidetheLinkLayer,wewillrefertotheseasframes/packetsorpackets/frames.

2.Howframestraversetheebtableschains

Thissectiononlyconsidersebtables,notiptables.

FirstthingtokeepinmindisthatwearetalkingabouttheEthernetlayerhere,sotheOSIlayer2（Datalinklayer）,orlayer1（Linklayer,NetworkAccesslayer）bytheTCP/IPNetworkModel.

Apacketdestinedforthelocalcomputeraccordingtothebridge（whichworksontheEthernetlayer）isn'tnecessarilydestinedforthelocalcomputeraccordingtotheIPlayer.That'showroutingworks（MACdestinationistherouter,IPdestinationistheactualboxyouwanttocommunicatewith）.

Figure2a.Generalframetraversalscheme

TherearesixhooksdefinedintheLinuxbridgingcode,ofwhichtheBROUTINGhookwasaddedforebtables.

Figure2b.Ethernetbridginghooks

Thehooksarespecificplacesinthenetworkcodeonwhichsoftwarecanattachitselftoprocessthepackets/framespassingthatplace.Forexample,thekernelmoduleresponsiblefortheebtablesFORWARDchainisattachedontothebridgeFORWARDhook.Thisisdonewhenthemoduleisloadedintothekerneloratbootup.

NotethattheebtablesBROUTINGandPREROUTINGchainsaretraversedbeforethebridgingdecision,thereforethesechainswillevenseeframesthatwillbeignoredbythebridge.Youshouldtakethatintoaccountwhenusingthischain.Alsonotethatthechainswon'tseeframesenteringonanon-forwardingbridgeport.

Thebridge'sdecisionforaframe（asseenonFigure2b）canbeoneofthese:

12.bridgeit,ifthedestinationMACaddressisonanothersideofthebridge;

13.flooditoveralltheforwardingbridgeports,ifthepositionoftheboxwiththedestinationMACisunknowntothebridge;

14.passittothehigherprotocolcode（theIPcode）,ifthedestinationMACaddressisthatofthebridgeorofoneofitsports;

15.ignoreit,ifthedestinationMACaddressislocatedonthesamesideofthebridge.

Figure2c.Bridgingtables（ebtables）traversalprocess

Ebtableshasthreetables:

filter,natandbroute,asshowninFigure2c.

16.ThebroutetablehastheBROUTINGchain.

17.ThefiltertablehastheFORWARD,INPUTandOUTPUTchains.

18.ThenattablehasthePREROUTING,OUTPUTandPOSTROUTINGchains.

ThefilterOUTPUTandnatOUTPUTchainsareseparatedandhaveadifferentusage.

Figures2band2cgiveaclearviewwheretheebtableschainsareattachedontothebridgehooks.

WhenanNICenslavedtoabridgereceivesaframe,theframewillfirstgothroughtheBROUTINGchain.Inthisspecialchainyoucanchoosewhethertorouteorbridgeframes,enablingyoutomakeabrouter.ThedefinitionsfoundontheInternetforwhatabrouteractuallyisdifferabit.ThenextdefinitiondescribesthebroutingabilityusingtheBROUTINGchainquitewell:

Abrouterisadevicethatbridgessomeframes/packets（i.e.forwardsbasedonLinklayerinformation）androutesotherframes/packets（i.e.forwardsbasedonNetworklayerinformation）.Thebridge/routedecisionisbasedonconfigurationinformation.

Abroutercanbeused,forexample,toactasanormalrouterforIPtrafficbetween2networks,whilebridgingspecifictraffic（NetBEUI,ARP,whatever）betweenthosenetworks.TheIProutingtabledoesnotusethebridgelogicaldevice,insteadtheboxhasIPaddressesassignedtothephysicalnetworkdevicesthatalsohappentobebridgeports（bridgeenslavedNICs）.

ThedefaultdecisionintheBROUTINGchainisbridging.

NexttheframepassesthroughthePREROUTINGchain.InthischainyoucanalterthedestinationMACaddressofframes（DNAT）.Iftheframepassesthischain,thebridgingcodewilldecidewheretheframeshouldbesent.ThebridgedoesthisbylookingatthedestinationMACaddress,itdoesn'tcareabouttheNetworkLayeraddresses（e.g.IPaddress）.

Ifthebridgedecidestheframeisdestinedforthelocalcomputer,theframewillgothroughtheINPUTchain.Inthischainyoucanfilterframesdestinedforthebridgebox.AftertraversaloftheINPUTchain,theframewillbepasseduptotheNetworkLayercode（e.g.totheIPcode）.So,aroutedIPpacketwillgothroughtheebtablesINPUTchain,notthroughtheebtablesFORWARDchain.Thisislogical.

Figure2d.Incomingframe'schaintraversal

Otherwisetheframeshouldpossiblybesentontoanothersideofthebridge.Ifitshould,theframewillgothroughtheFORWARDchainandthePOSTROUTINGchain.ThebridgedframescanbefilteredintheFORWARDchain.InthePOSTROUTINGchainyoucanaltertheMACsourceaddress（SNAT）.

Figure2e.Forwardedframe'schaintraversal

Locallyoriginatedframeswill,afterthebridgingdecision,traversethenatOUTPUT,thefilterOUTPUTandthenatPOSTROUTINGchains.ThenatOUTPUTchainallowstoalterthedestinationMACaddressandthefilterOUTPUTchainallowstofilterframesoriginatingfromthebridgebox.NotethatthenatOUTPUTchainistraversedafterthebridgingdecision,sothisisactuallytoolate.Weshouldchangethis.ThenatPOSTROUTINGchainisthesameoneasdescribedabove.

Figure2f.Outgoingframes'chaintraversal

It'salsopossibleforroutedframestogothroughthesethreechainswhenthedestinationdeviceisalogicalbridgedevice.

3.Amachineusedasabridgeandarouter（notabrouter）

HereistheIPcodehooksscheme:

Figure3a.IPcodehooks

Hereistheiptablespackettraversalscheme.

Figure3b.Routingtables（iptables）traversalprocess

NotethattheiptablesnatOUTPUTchainissituatedaftertheroutingdecision.Ascommentedintheprevioussection（whendiscussingebtablesnat）,thisistoolateforDNAT.ThisissolvedbyreroutingtheIPpacketifithasbeenDNAT'ed,beforecontinuing.Forclarity:

thisisstandardbehaviouroftheLinuxkernel,notsomethingcausedbyourcode.

Figures3aand3bgiveaclearviewwheretheiptableschainsareattachedontotheIPhooks.Whenthebridgecodeandnetfilterisenabledinthekernel,theiptableschainsarealsoattachedontothehooksofthebridgingcode.However,thisdoesnotmeanthattheyarenolongerattachedontotheirstandardIPcodehooks.ForIPpacketsthatgetintocontactwiththebridgingcode,thebr-nfcodewilldecideinwhichplaceinthenetworkcodetheiptableschainswillbetraversed.Obviously,itisguaranteedthatnochainistraversedtwicebythesamepacket.AllpacketsthatdonotcomeintocontactwiththebridgecodetraversetheiptableschainsinthestandardwayasseeninFigure3b.

Thefollowingsectionstry,amongotherthings,toexplainwhatthebr-nfcodedoesandwhyitdoesit.

It'spossibletoseeasingleIPpacket/frametraversethenatPREROUTING,filterINPUT,natOUTPUT,filterOUTPUTandnatPOSTROUTINGebtableschains.

Thiscanhappenwhenthebridgeisalsousedasarouter.TheEthernetframe（s）containingthatIPpacketwillhavethebridge'sdestinationMACaddress,whilethedestinationIPaddressisnotofthebridge.Includingtheiptableschains,thisishowtheIPpacketrunsthroughthebridge/router（actuallythereismoregoingon,seesection6）:

Figure3c.Bridge/routerroutespackettoabridgeinterface（simplisticview）

Thisassumesthattheroutingdecisionsendsthepackettoabridgeinterface.Iftheroutingdecisionsendsthepackettonon-bridgeinterface,thisiswhathappens:

Figure3d.Bridge/routerroutespackettoanon-bridgeinterface（simplisticview）

Figures3cand3dassumetheIPpacketarrivedonabridgeport.Whatisobviously"asymmetric"hereisthattheiptablesPREROUTINGchainistraversedbeforetheebtablesINPUTchain,howeverthiscannotbehelpedwithoutsacrificingfunctionality.Seethenextsection.

4.DNAT'ingbridgedpackets

TakeanIPpacketreceivedbythebridge.Let'sassumewewanttodosomeIPDNATonit.Changingthedestinationaddressofthepacket（IPaddressandMACaddress）hastohappenbeforethebridgecodedecides