Hack 65. Protect Your Bridge with a Firewall
Maintain control over your Layer 2 bridge with iptables and ebtables.
As shown in "Bridge Your Linux AP" [Hack #64], creating a Linux Ethernet-to-wireless bridge is straightforward. While this allows for easy integration with your existing network, it isn't always the best decision from a security point of view. Rather than simply connecting two networks together at Layer 2, wouldn't it be nice to be able to tightly control the flow of packets between the two networks?
In 2.4.x kernels, when 802.1d bridging was in effect, the netfilter/iptables code never saw bridged packets. In order to make traffic visible to standard firewall tools, you had to patch your kernel. Fortunately, the code (referred to as bridge-nf) and the user-space binary (ebtables) are now part of the 2.6 kernel series.
While third-party packages are available for Fedora Core, we were not able to get them or the source code (available at http://ebtables.sourceforge.net) to compile. So, this hack concentrates on Ubuntu Linux. However, ebtables should work with any 2.6 kernel.
Bridge-nf is part of the 2.6 kernel, so all you need to do is add the user-space binary package:
sudo apt-get install ebtables
With the binary installed, you can now manipulate the firewall exactly as you would expect using iptables. You can also use ebtables to do all sorts of interesting things at the MAC layer. For example, to ignore all traffic from a given IP that doesn't match a known MAC address, you could try this:
ebtables -A FORWARD -p IPv4 --ip-src 10.15.6.10 -s ! 00:30:65:FF:AA:BB -j DROP
This prevents other users from camping on known IP addresses. While it won't help much with MAC spoofing attacks, this will help keep average users from stepping on other people's IP addresses. You can also use it in reverse to lock a MAC address into a particular IP:
ebtables -A FORWARD -p IPv4 --ip-src ! 10.15.6.10 -s 00:30:65:FF:AA:BB -j DROP
This will prohibit the machine with the specified MAC address from using any IP but 10.15.6.10.
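The two rules above are the two halves of one IP-to-MAC binding, and on a real bridge you usually have a list of such bindings rather than one. The following script is an added example (not part of the original hack) that generalizes them: it takes a constructed table of IP/MAC pairs, checks each MAC for typos, and prints the pair of ebtables rules for every entry in the same form the hack uses, plus the IPv6 drop rule mentioned at the end of the hack. The rules are printed rather than executed so they can be reviewed before being applied; the bindings, the chain name and the printed-not-run design are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original hack. Generates ebtables rules that
# bind each known IP address to its MAC address in both directions, from a
# constructed bindings table. Rules are printed, not run, so they can be
# inspected first (pipe the output to sh on the bridge to apply them).
# As the hack notes, these rules match on the frame's own headers, so a
# station that forges both MAC and IP is not stopped by them.

# Constructed sample table: "<ip> <mac>" per line (assumed values).
BINDINGS='10.15.6.10 00:30:65:FF:AA:BB
10.15.6.11 00:30:65:FF:AA:CC'

# Emit the two rules from the hack for one binding:
#  1. drop frames carrying the IP from any other MAC (stops IP camping)
#  2. drop frames from that MAC carrying any other IP (locks MAC to IP)
emit_binding_rules() {
    ip="$1"; mac="$2"
    printf 'ebtables -A FORWARD -p IPv4 --ip-src %s -s ! %s -j DROP\n' "$ip" "$mac"
    printf 'ebtables -A FORWARD -p IPv4 --ip-src ! %s -s %s -j DROP\n' "$ip" "$mac"
}

# Sanity-check the MAC format so a typo does not silently produce a rule
# that never matches anything.
valid_mac() {
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
    esac
    return 1
}

# Walk the table and emit rules for every binding. Returns non-zero and
# stops at the first malformed entry so a half-built ruleset is not applied.
emit_all() {
    echo "$BINDINGS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        valid_mac "$mac" || { echo "bad MAC for $ip: $mac" >&2; exit 1; }
        emit_binding_rules "$ip" "$mac"
    done
}

# The "drop all IPv6" rule the hack mentions, in the same style.
emit_drop_ipv6() {
    printf 'ebtables -A FORWARD -p IPv6 -j DROP\n'
}

# Print the full generated ruleset when run directly.
emit_all && emit_drop_ipv6
```

Because ebtables appends rules in order and the FORWARD chain's default policy is ACCEPT unless you change it, the generated rules only drop mismatched frames; traffic from addresses not in the table is still forwarded. If the bridge should carry only known stations, add a final catch-all DROP (or set the chain policy) after the generated rules.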
These are just a couple of examples of the power and flexibility of ebtables. You can also do all sorts of other neat things, such as MAC redirection and NAT, or filter on protocol types. (Need to drop all IPv6 traffic? No problem!) For more information, check out the ebtables web site as well as man ebtables.