
Poor Man's Firewall

A firewall that can be set up and implemented with a minimum amount of time and money.

Why do I need one?

A Windows server cannot be secured as it stands. Don't believe anyone who tells you otherwise.
MSSQL Server should never be placed directly on the Internet.
And yes, some people do have too much time on their hands. Anyone remember the Blaster worm?

OSI Model Lower Layers

The lower layers provide the more primitive, network-specific functions: addressing, routing, and flow control.
Layer II (Data Link Layer) of the OSI Model: Ethernet frames, addressed by MAC address.
Layer III (Network Layer) of the OSI Model: IP packets, addressed by IP address.

Switch/Hub (Layer II)

Switches and hubs are used to connect various devices to a network.
Switches are intelligent: they learn which MAC address sits behind each port from the source address of every frame, and forward a frame only to the port where its destination lives.
Hubs are dumb devices that repeat a copy of every frame they see to every other port on the device, so any host on a hub can listen to all of the traffic.

Bridge (Layer II)

A device that can be used to segment Local Area Networks (LANs).
They can be used to control the traffic going between two network segments based on Ethernet (MAC) addresses.
They are essentially transparent devices: they carry no IP address of their own, and as far as the hosts on either side can tell they could be replaced with a cross-over cable.

Router (Layer III)


A network device used for connecting
different networks together.
They are responsible for intelligently
routing packets based on IP address.

Firewall

A firewall filters packets based on a set of filter rules.
Packets that pass the rule set are forwarded through the firewall from one network interface to another. Packets that don't are dropped.
Firewalls can be either software or hardware based.

Bridging Mode Firewalls

A bridge that allows you to filter the packets that pass through its interfaces.
Can be placed anywhere in an existing network without disrupting existing services: no readdressing and no routing changes are needed.
Transparent to your servers, and because the bridge ports carry no IP address there is no address for an attacker on either side to target.

Linux Bridging Mode Firewall


A software based firewall that uses Linux
as the operating system.
The software is free.
Relatively easy to set up.
Can run on old hardware.

Software Needed

Iptables: software that filters IP traffic based on a set of rules.
Ebtables: software that filters Ethernet frames on the bridge (ARP and the non-IP protocols that Iptables never sees). The bridge-nf kernel patch distributed with it is what lets Iptables see IP packets as they go through the bridge interface; on 2.6 and later kernels bridge-nf is part of the kernel (a br_netfilter module on current ones) and is switched with /proc/sys/net/bridge/bridge-nf-call-iptables.
Bridge-Utils: software (the brctl command) that allows you to create the bridge.

Hardware Needed

Any old Pentium based computer
128MB of RAM
~1GB Hard drive
2 Network Cards minimum, for the bridge ports. Since those ports carry no IP address, add a third card on a separate management network if you want to reach the box remotely; otherwise you manage it from the console.

Example Bridge Script


#!/bin/bash
# /etc/rc.d/init.d/bridge

BRCTL=/usr/sbin/brctl
IFCONFIG=/sbin/ifconfig

# rc_done and rc_failed come from /etc/rc.status on SuSE; fall back to
# plain strings on other systems so the script still runs.
test -f /etc/rc.status && . /etc/rc.status
: "${rc_done:=done}"
: "${rc_failed:=failed}"

return=$rc_done
case "$1" in
start)
    echo "Starting service bridge br0"
    # Create bridge interface
    $BRCTL addbr br0 || return=$rc_failed
    # Turn Spanning Tree Protocol off
    $BRCTL stp br0 off || return=$rc_failed
    # Add interfaces to bridge
    $BRCTL addif br0 eth1 || return=$rc_failed
    $BRCTL addif br0 eth2 || return=$rc_failed
    # Reset to clean state
    $IFCONFIG eth1 down || return=$rc_failed
    $IFCONFIG eth2 down || return=$rc_failed
    # Set interfaces to Promiscuous Mode with no IP address
    # (setting an address with ifconfig also brings the port up)
    $IFCONFIG eth1 0.0.0.0 promisc || return=$rc_failed
    $IFCONFIG eth2 0.0.0.0 promisc || return=$rc_failed
    # Bring bridge interface up
    $IFCONFIG br0 promisc up || return=$rc_failed
    $BRCTL show
    echo -e "$return"
    ;;
stop)
    echo "Shutting down service bridge br0"
    $IFCONFIG br0 down || return=$rc_failed
    $BRCTL delif br0 eth1 || return=$rc_failed
    $BRCTL delif br0 eth2 || return=$rc_failed
    $BRCTL delbr br0 || return=$rc_failed
    echo -e "$return"
    ;;
status)
    $IFCONFIG br0
    $BRCTL show
    ;;
restart)
    $0 stop && $0 start || return=$rc_failed
    ;;
*)
    echo "Usage: $0 {start|stop|status|restart}"
    exit 1
esac
test "$return" = "$rc_done" || exit 1
exit 0

Example Filter Rules


#!/bin/bash
# Example Firewall Script
# The -m state matches below only work on bridged traffic when bridge-nf
# is active (see Software Needed).
IPTABLES="/sbin/iptables -v"
# Any Subnet
ANY=0.0.0.0/0
# ILLIAD Server (placeholder: replace with the server's real address;
# 456 is not a valid octet and iptables will reject it as written)
ILLIAD=128.193.123.456
#### Flush all rules
$IPTABLES -F
# Delete all user created chains
$IPTABLES -X
# Zero all byte counters
$IPTABLES -Z
# Drop all packets without a rule
$IPTABLES -P FORWARD DROP
# loopback interface (never bridged; harmless but unnecessary here)
$IPTABLES -A FORWARD -i lo -j ACCEPT
# Syn-flood protection: rate-limit new TCP connections in their own chain and
# RETURN to the rules below. Accepting the rate-limited SYNs directly in FORWARD
# would open every port on every host behind the bridge at one connection/second.
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn_flood -j DROP
$IPTABLES -A FORWARD -p tcp --syn -j syn_flood
# Ping of death: echo-requests above 1/s fall through to the DROP policy
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# HTTP: ILLIAD as a web client. The outbound rule must also match ESTABLISHED,
# or only the first packet of each connection gets through.
$IPTABLES -A FORWARD -s $ILLIAD -d $ANY -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -s $ANY -d $ILLIAD -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
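Two things silently break a rule set like the one above: an address that iptables refuses (the placeholder 128.193.123.456 has an octet above 255, so the HTTP rules never load and the DROP policy eats the traffic) and a kernel that is not handing bridged packets to iptables at all, in which case every rule is bypassed. The script below is an added example, not part of the original slides; it assumes the function names shown and the sysctl path /proc/sys/net/bridge/bridge-nf-call-iptables, which exists on kernels with bridge-netfilter (on current kernels only once the br_netfilter module is loaded).

```bash
#!/bin/bash
# Pre-flight checks for the bridging firewall (added example, not from the
# original slides). Run before loading the rule set.

# Validate a dotted-quad IPv4 address: exactly four octets, each 0-255.
# iptables rejects anything else, e.g. the placeholder 128.193.123.456.
valid_ipv4() {
    local ip=$1 IFS=. n
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # stray characters, empty octet
    esac
    set -- $ip                              # split on IFS (".")
    [ $# -eq 4 ] || return 1
    for n in "$@"; do
        [ "$n" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Is the kernel handing bridged IPv4 traffic to iptables?  Takes the sysctl
# file to read so it can be exercised against a sample file; the real one is
# /proc/sys/net/bridge/bridge-nf-call-iptables (assumed path).
# Returns 0 when enabled, 1 when present but off, 2 when the kernel has no
# bridge-netfilter at all.
bridge_nf_enabled() {
    local f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables} v
    [ -r "$f" ] || return 2
    read -r v < "$f"
    [ "$v" = "1" ]
}

# Run every check for one protected host; report and fail on the first problem.
preflight() {
    local host=$1 nf=${2:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    if ! valid_ipv4 "$host"; then
        echo "bad address: $host (iptables will reject it)" >&2
        return 1
    fi
    if ! bridge_nf_enabled "$nf"; then
        echo "bridge-nf-call-iptables is not 1: iptables will not see bridged traffic" >&2
        return 1
    fi
    echo "ok: $host"
}

# Usage: the slide's placeholder fails the first check, as it should.
if preflight "${1:-128.193.123.456}"; then
    echo "safe to load the rule set"
fi
```

Run it with the real server address as the first argument before the firewall script; the bridge-nf check is the one to repeat after every kernel upgrade, since a kernel that loses bridge-netfilter turns the box into a plain bridge that forwards everything.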

Useful Application

Ethereal (now called Wireshark): a powerful network protocol/packet analyzer that can be used to aid in the development of your filter rules. Capture on the bridge interface br0 to see exactly what the firewall is seeing.

Resources

Linux bridging how-to
http://bridge.sourceforge.net
Ebtables
http://ebtables.sourceforge.net
Ethereal
http://www.ethereal.com/
