Linux bridge firewall.docx
Linux bridge firewall
ebtables/iptables interaction on a Linux-based bridge (bridge-mode firewall)
It crosses the layers of the TCP/IP model: IP NAT and MAC NAT can both be done in the Link Layer.
ebtables/iptables interaction on a Linux-based bridge
Table of Contents
1. Introduction
2. How frames traverse the ebtables chains
3. A machine used as a bridge and a router (not a brouter)
4. DNAT'ing bridged packets
5. Chain traversal for bridged IP packets
6. Using a bridge port in iptables rules
7. Two possible ways for frames/packets to pass through the iptables PREROUTING, FORWARD and POSTROUTING chains
8. IP DNAT in the iptables PREROUTING chain on frames/packets entering on a bridge port
9. Using the MAC module extension for iptables
10. Using the iptables physdev match module for kernel 2.6
11. Detailed IP packet flow
1. Introduction
This document describes how iptables and ebtables filtering tables interact on a Linux-based bridge.
Getting a bridging firewall on a 2.4.x kernel consists of patching the kernel source code. The 2.6 kernel contains the ebtables and br-nf code, so it doesn't have to be patched. Because the demand was high, patches for the 2.4 kernel are still available at the ebtables homepage. The br-nf code makes bridged IP frames/packets go through the iptables chains. Ebtables filters on the Ethernet layer, while iptables only filters IP packets.
The explanations below will use the TCP/IP Network Model. It should be noted that the br-nf code sometimes violates the TCP/IP Network Model. As will be seen later, it is possible, for example, to do IP DNAT inside the Link Layer.
We want to note that we are perfectly well aware that the word frame is used for the Link Layer, while the word packet is used for the Network Layer. However, when we are talking about IP packets inside the Link Layer, we will refer to these as frames/packets or packets/frames.
2. How frames traverse the ebtables chains
This section only considers ebtables, not iptables.
First thing to keep in mind is that we are talking about the Ethernet layer here, so the OSI layer 2 (Data link layer), or layer 1 (Link layer, Network Access layer) by the TCP/IP Network Model.
A packet destined for the local computer according to the bridge (which works on the Ethernet layer) isn't necessarily destined for the local computer according to the IP layer. That's how routing works (MAC destination is the router, IP destination is the actual box you want to communicate with).
Figure 2a. General frame traversal scheme
There are six hooks defined in the Linux bridging code, of which the BROUTING hook was added for ebtables.
Figure 2b. Ethernet bridging hooks
The hooks are specific places in the network code on which software can attach itself to process the packets/frames passing that place. For example, the kernel module responsible for the ebtables FORWARD chain is attached onto the bridge FORWARD hook. This is done when the module is loaded into the kernel or at boot up.
Note that the ebtables BROUTING and PREROUTING chains are traversed before the bridging decision, therefore these chains will even see frames that will be ignored by the bridge. You should take that into account when using these chains. Also note that the chains won't see frames entering on a non-forwarding bridge port.
The bridge's decision for a frame (as seen on Figure 2b) can be one of these:
- bridge it, if the destination MAC address is on another side of the bridge;
- flood it over all the forwarding bridge ports, if the position of the box with the destination MAC is unknown to the bridge;
- pass it to the higher protocol code (the IP code), if the destination MAC address is that of the bridge or of one of its ports;
- ignore it, if the destination MAC address is located on the same side of the bridge.
Figure 2c. Bridging tables (ebtables) traversal process
Ebtables has three tables: filter, nat and broute, as shown in Figure 2c.
- The broute table has the BROUTING chain.
- The filter table has the FORWARD, INPUT and OUTPUT chains.
- The nat table has the PREROUTING, OUTPUT and POSTROUTING chains.
The filter OUTPUT and nat OUTPUT chains are separated and have a different usage.
Figures 2b and 2c give a clear view where the ebtables chains are attached onto the bridge hooks.
When an NIC enslaved to a bridge receives a frame, the frame will first go through the BROUTING chain. In this special chain you can choose whether to route or bridge frames, enabling you to make a brouter. The definitions found on the Internet for what a brouter actually is differ a bit. The next definition describes the brouting ability using the BROUTING chain quite well:
A brouter is a device that bridges some frames/packets (i.e. forwards based on Link layer information) and routes other frames/packets (i.e. forwards based on Network layer information). The bridge/route decision is based on configuration information.
A brouter can be used, for example, to act as a normal router for IP traffic between 2 networks, while bridging specific traffic (NetBEUI, ARP, whatever) between those networks. The IP routing table does not use the bridge logical device, instead the box has IP addresses assigned to the physical network devices that also happen to be bridge ports (bridge enslaved NICs).
The default decision in the BROUTING chain is bridging.
Next the frame passes through the PREROUTING chain. In this chain you can alter the destination MAC address of frames (DNAT). If the frame passes this chain, the bridging code will decide where the frame should be sent. The bridge does this by looking at the destination MAC address, it doesn't care about the Network Layer addresses (e.g. IP address).
If the bridge decides the frame is destined for the local computer, the frame will go through the INPUT chain. In this chain you can filter frames destined for the bridge box. After traversal of the INPUT chain, the frame will be passed up to the Network Layer code (e.g. to the IP code). So, a routed IP packet will go through the ebtables INPUT chain, not through the ebtables FORWARD chain. This is logical.
Figure 2d. Incoming frame's chain traversal
Otherwise the frame should possibly be sent onto another side of the bridge. If it should, the frame will go through the FORWARD chain and the POSTROUTING chain. The bridged frames can be filtered in the FORWARD chain. In the POSTROUTING chain you can alter the MAC source address (SNAT).
Figure 2e. Forwarded frame's chain traversal
Locally originated frames will, after the bridging decision, traverse the nat OUTPUT, the filter OUTPUT and the nat POSTROUTING chains. The nat OUTPUT chain allows to alter the destination MAC address and the filter OUTPUT chain allows to filter frames originating from the bridge box. Note that the nat OUTPUT chain is traversed after the bridging decision, so this is actually too late. We should change this. The nat POSTROUTING chain is the same one as described above.
Figure 2f. Outgoing frames' chain traversal
It's also possible for routed frames to go through these three chains when the destination device is a logical bridge device.
3. A machine used as a bridge and a router (not a brouter)
Here is the IP code hooks scheme:
Figure 3a. IP code hooks
Here is the iptables packet traversal scheme.
Figure 3b. Routing tables (iptables) traversal process
Note that the iptables nat OUTPUT chain is situated after the routing decision. As commented in the previous section (when discussing ebtables nat), this is too late for DNAT. This is solved by rerouting the IP packet if it has been DNAT'ed, before continuing. For clarity: this is standard behaviour of the Linux kernel, not something caused by our code.
Figures 3a and 3b give a clear view where the iptables chains are attached onto the IP hooks. When the bridge code and netfilter is enabled in the kernel, the iptables chains are also attached onto the hooks of the bridging code. However, this does not mean that they are no longer attached onto their standard IP code hooks. For IP packets that get into contact with the bridging code, the br-nf code will decide in which place in the network code the iptables chains will be traversed. Obviously, it is guaranteed that no chain is traversed twice by the same packet. All packets that do not come into contact with the bridge code traverse the iptables chains in the standard way as seen in Figure 3b.
The following sections try, among other things, to explain what the br-nf code does and why it does it.
It's possible to see a single IP packet/frame traverse the nat PREROUTING, filter INPUT, nat OUTPUT, filter OUTPUT and nat POSTROUTING ebtables chains.
This can happen when the bridge is also used as a router. The Ethernet frame(s) containing that IP packet will have the bridge's destination MAC address, while the destination IP address is not of the bridge. Including the iptables chains, this is how the IP packet runs through the bridge/router (actually there is more going on, see section 6):
Figure 3c. Bridge/router routes packet to a bridge interface (simplistic view)
This assumes that the routing decision sends the packet to a bridge interface. If the routing decision sends the packet to a non-bridge interface, this is what happens:
Figure 3d. Bridge/router routes packet to a non-bridge interface (simplistic view)
Figures 3c and 3d assume the IP packet arrived on a bridge port. What is obviously "asymmetric" here is that the iptables PREROUTING chain is traversed before the ebtables INPUT chain, however this cannot be helped without sacrificing functionality. See the next section.
4. DNAT'ing bridged packets
Take an IP packet received by the bridge. Let's assume we want to do some IP DNAT on it. Changing the destination address of the packet (IP address and MAC address) has to happen before the bridge code decides
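The chain walk described in section 2 (BROUTING, then PREROUTING, then the four-way bridging decision and the chains that follow it) and the routed-through-a-bridge-interface case from section 3 can be written down as a small executable model. The following is an added example, not code from the original document or from the ebtables project: the bridge's forwarding database, the set of local MAC addresses and the BROUTING decision are all constructed inputs, and BROUTING rule matching is reduced to a single predicate (in real ebtables the DROP target in the broute table means "route" and ACCEPT means "bridge"). What happens to a brouted frame after it leaves the bridge code is outside the model.

```python
"""Model of ebtables chain traversal on a Linux bridge (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Frame:
    in_port: str            # enslaved NIC the frame arrived on
    dst_mac: str
    src_mac: str
    ethertype: str          # "IPv4", "ARP", ...
    # Section 3: set when the IP layer routes the packet back out over a
    # logical bridge device instead of a non-bridge interface.
    routed_to_bridge_dev: bool = False


@dataclass
class Bridge:
    forwarding_ports: Set[str]                 # ports in forwarding state
    local_macs: Set[str]                       # MAC of the bridge device and of its ports
    fdb: Dict[str, str] = field(default_factory=dict)   # learned MAC -> port
    # BROUTING decision: True means "route this frame" (DROP target in the
    # broute table), False means "bridge it" (ACCEPT, the default).
    # Constructed predicate standing in for a real rule set.
    broute_route: Callable[[Frame], bool] = lambda f: False


def bridging_decision(br: Bridge, frame: Frame) -> str:
    """The four outcomes listed in section 2 (Figure 2b)."""
    if frame.dst_mac in br.local_macs:
        return "local"        # pass up to the higher protocol (IP) code
    port = br.fdb.get(frame.dst_mac)
    if port is None:
        return "flood"        # destination unknown: flood all forwarding ports
    if port == frame.in_port:
        return "ignore"       # destination is on the same side of the bridge
    return "bridge"           # destination is on another side of the bridge


def ebtables_traversal(br: Bridge, frame: Frame) -> Tuple[str, List[str]]:
    """Return (decision, ebtables chains traversed in order) for an incoming frame."""
    # Frames entering on a non-forwarding port are not seen by any chain.
    if frame.in_port not in br.forwarding_ports:
        return "not-forwarding", []
    chains = ["broute BROUTING"]
    if br.broute_route(frame):
        # Brouted: the frame leaves the bridge code here (rest not modelled).
        return "route", chains
    # BROUTING and PREROUTING run before the bridging decision, so frames the
    # bridge will later ignore are still seen by both of them.
    chains.append("nat PREROUTING")
    decision = bridging_decision(br, frame)
    if decision in ("bridge", "flood"):
        chains += ["filter FORWARD", "nat POSTROUTING"]
    elif decision == "local":
        chains.append("filter INPUT")
        if frame.routed_to_bridge_dev:
            # Section 3: a routed packet sent back out via a bridge interface
            # also passes the chains locally originated frames traverse.
            chains += locally_originated_traversal()
    # "ignore": nothing after PREROUTING
    return decision, chains


def locally_originated_traversal() -> List[str]:
    """Chains a frame generated by the bridge box itself traverses (Figure 2f)."""
    return ["nat OUTPUT", "filter OUTPUT", "nat POSTROUTING"]


if __name__ == "__main__":
    # Constructed topology: two forwarding ports, one host learned on each side,
    # and a BROUTING rule that routes IPv4 arriving on eth1.
    br = Bridge(
        forwarding_ports={"eth0", "eth1"},
        local_macs={"00:00:00:00:00:01"},
        fdb={"00:aa:aa:aa:aa:01": "eth0", "00:bb:bb:bb:bb:02": "eth1"},
        broute_route=lambda f: f.ethertype == "IPv4" and f.in_port == "eth1",
    )
    cases = {
        "bridged": Frame("eth0", "00:bb:bb:bb:bb:02", "00:aa:aa:aa:aa:01", "IPv4"),
        "same side": Frame("eth0", "00:aa:aa:aa:aa:01", "00:aa:aa:aa:aa:09", "ARP"),
        "for the box": Frame("eth0", "00:00:00:00:00:01", "00:aa:aa:aa:aa:01", "IPv4"),
        "brouted": Frame("eth1", "00:00:00:00:00:01", "00:bb:bb:bb:bb:02", "IPv4"),
    }
    for name, f in cases.items():
        print(f"{name:12s} -> {ebtables_traversal(br, f)}")
```

Running the block prints one line per constructed frame; the useful check is that a frame the bridge ignores still appears in BROUTING and PREROUTING, and that a frame addressed to the bridge's own MAC never touches FORWARD, which is why filtering rules for routed traffic belong in INPUT rather than FORWARD.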