Click here to close now.


Linux Containers Authors: Greg O'Connor, Liz McMillan, JP Morgenthal, John Grimm, Elizabeth White

Related Topics: Linux Containers

Linux Containers: Article

Cover Story: Stealth Firewalling with Linux

Ever Needed to Set Up a Firewall in a Network Without Anyone Knowing It?

Have you ever needed to set up a firewall in a network without anyone knowing it was there or so that it wouldn't require you to change your network? Welcome to the world of stealth firewalling. We dedicated one chapter in our book, Troubleshooting Linux Firewalls, to it but honestly the topic has so many uses, to do it justice it really needs its own book (or books!).

What Is Stealth Firewalling with Linux?

Simply put, a stealth firewall is an Ethernet bridge with filtering capabilities. This means that it's a firewall that operates at Layer 2 of the OSI model, leveraging netfilter rules and chains (Linux's firewall system) applied to the bridge. For those not familiar with what a bridge is: an Ethernet bridge is a means of connecting two or more networks/devices at the Data Link layer. The Data Link layer is the layer of the OSI model before the Network Layer (Layer 3). Layer 3 is where things like the IP in TCP/IP come into the picture. This means that a bridge operates before we get into things like protocols, so you can apply firewalling to protocols other than IP (IPX, DECnet, SNA, etc.) and you don't have to worry about routing issues either. You're moving raw frames from one interface to another, which lets you deploy your stealth firewall without anyone being the wiser. Another advantage of a stealth firewall is that if the hardware fails or malfunctions, you can bypass it with nothing more than a network cable.

How Does a Bridge Work?

A bridge operates in promiscuous mode, grabbing all the packets it sees on its interfaces, learns which MAC addresses apply to which interfaces, and moves packets between those interfaces. One example of a bridge that many are familiar with is the humble network switch, wherein all the interfaces on a switch comprise one bridge. With Linux, when you create a bridge you are combining two or more interfaces into one bridge. For instance, we'll create a bridge, br0, that is made up of two interfaces, eth0 and eth1. Think of br0 as a set that contains two elements, eth0 and eth1. When the two interfaces are added to the bridge, the kernel will then move packets back and forth automatically between those two interfaces as if they were both part of the same physical network.

A Brief Explanation of Netfilter
Netfilter, if you're not familiar with it, is Linux's packet filtering system introduced in the 2.4 kernel and continued into 2.6. The netfilter system is manipulated by the userspace tool, iptables, and can also be manipulated by other tools. We only point this out because iptables is sometimes thought to be the only mechanism for controlling the kernel's filtering capabilities, but it's not.

Thanks to the flexibility of the netfilter subsystem and the way it handles packets, we can use it to apply firewall rules to network traffic, even if the device is not operating at the IP layer. The subsystem doesn't actually care; it can apply firewall rules to whatever traffic passes through it. To help explain this, Figure 1 shows which netfilter rules are applied to the bridge interface, and the order in which they are applied for traffic flowing from eth0 to eth1 over the bridge.

What This Means in Practical Terms

You can put a firewall in place without anyone knowing it's there or making any IP topology changes. For example, at the California Community Colocation Project (, we used a bridging/stealth firewall to filter out worm traffic entering and exiting the network. This was done in such a way that there was no interruption for the users of the network, no need to change the routing tables or to even muck about with IP issues, and it required only some basic physical wiring changes. The use of a stealthy firewall such as this leads to all sorts of interesting alternative applications outside of just basic firewalling, such as stealth proxies, traffic-shaping devices, anti-spam/virus filtering, and stealth IDS/IPS systems. The key advantage for the firewall administrator is that you can deploy a fairly paranoid firewall setup without having to make any changes to your network, and failing over, as previously mentioned, is as simple as plugging in a patch cable.

How Do I Set One Up?

We're using Fedora Core 3 for our demonstration environment, but the following should apply to nearly any modern Linux distribution running a 2.6 kernel. You can also do this with a 2.4 kernel, but for brevity's sake we're going to stick with the screaming edge. It's more fun that way. First, we need to make sure our kernels support both bridging and Layer 2 filtering in netfilter. If you're running FC3 with the default kernel, you can skip this next bit; this is for those of you running custom 2.6 kernels or other distributions that don't include this functionality by default. To enable bridging and Layer 2 filtering, you'll need to make sure the following settings are configured in your kernel to support ebtables.

Device Drivers
  Networking Support
    Networking Options --->
      <M> 802.1d Ethernet Bridging
      [*] Network packet filtering (replaces ipchains)  --->
        [*]   Bridged IP/ARP packets filtering
        Bridge: Netfilter Configuration  --->
          <M> Ethernet Bridge tables (ebtables) support
            <M>   ebt: broute table support (NEW)
            <M>   ebt: filter table support (NEW)
            <M>   ebt: nat table support (NEW)
            <M>   ebt: 802.3 filter support (NEW)
            <M>   ebt: among filter support (NEW)
            <M>   ebt: ARP filter support (NEW)
            <M>   ebt: IP filter support (NEW)
            <M>   ebt: limit match support (NEW)
            <M>   ebt: mark filter support (NEW)
            <M>   ebt: packet type filter support (NEW)
            <M>   ebt: STP filter support (NEW)
            <M>   ebt: 802.1Q VLAN filter support (NEW)
            <M>   ebt: arp reply target support (NEW)
            <M>   ebt: dnat target support (NEW)
            <M>   ebt: mark target support (NEW)
            <M>   ebt: redirect target support (NEW)
            <M>   ebt: snat target support (NEW)
            <M>   ebt: log support (NEW)

You may also need to install ebtables for your distribution. The userspace ebtables utility and 2.4 kernel patches are available at and from our Web site -

Next we need to set up our firewall, in this case it's named Minimoose (kudos to those of you who get this reference), to bridge traffic between our network,, and our gateway, The goal is to put Minimoose between the network and the gateway device. We start this process by first configuring Minimoose's interfaces to act as a bridge. This is accomplished by using the userspace tool, brctl, to set up the bridged interfaces and to "capture" them. In this hypothetical example, Minimoose has two interfaces. One is pointing at the gateway router, which has an IP address and is reached via ethernet interface eth0. Minimoose's other interface, eth1, is facing the actual network. Remember, the bridge does not need any IP addresses. It's going to "bridge" the traffic between these two points, allowing traffic to move from the network to the gateway router,, and vice versa as defined by the firewall rules on Minimoose. The first step, as already explained, is to set up the interfaces on Minimoose and to configure it as a bridge:

1.  Create the logical interface in the kernel, which is called br0.

[root@minimoose root]# brctl addbr br0

2.  Add the left interface, eth0, that connects to the gateway.

[root@minimoose root]# brctl addif br0 eth0

3.  Add the right interface, eth1, that connects to the network.

[root@minimoose root]# brctl addif br0 eth1

4.  Activate the bridged interfaces by bringing up the two real interfaces.

[root@minimoose root]# ifconfig eth0 promisc up
[root@minimoose root]# ifconfig eth1 promisc up

At this point your bridge is working.

As you have probably surmised, Minimoose doesn't even have an IP address for itself. Although it's probably a good idea to add an IP address to one of those interfaces for management reasons, you don't have to in most instances. For example, you could just as easily connect this device to a serial console, or add another interface and run an "Out of Band" network just for admining your stealth firewall, or something like that if you're über paranoid.

Figure 2 shows our network, 24, before we put our firewall in place.

Now we put our firewall, Minimoose, in place as shown in Figure 3.

With traffic passing from to the gateway through Minimoose, it's time to do something interesting with the firewall. Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the network. These rules also allow traffic to move in both directions, not just from the network outward, but also from the gateway back into the network. This listing will help illustrate the stealthy nature of this configuration; neither the hosts on the 10.10.10/24 network nor the gateway will "see" any changes in the network, except that SMB traffic is not flowing between the two.

In the previous example you can see that applying firewall rules to Layer 3 (IP) traffic works exactly the same as it does with a normal firewall, that is we need to apply those rules to the FORWARD table, and of course make sure you enable ip_forwarding on our firewall for this example to work:

echo 1 > /proc/sys/net/ipv4/ip_forward

Another application of a stealth firewall would be to act as a transparent proxy server. We frequently add squid to our firewalls for performance reasons and this next example shows how to configure the squid Web proxy cache server for your stealth firewall. The good news is that setting this up is easy; the bad news is that it requires adding an IP address to the stealth firewall and, because of this, your firewall will not be as stealthy as you might like, as Web requests will be seen as if they were coming from the bridge's IP address and, of course, your bridge will now have an IP address. Keep in mind, this doesn't mean that other traffic will appear to come from the bridge's IP address or that you need to change any default routes on your network. The stealth firewall will just be seen as another node on your network, not as a router. The steps to set this up are:

1.  Install squid and configure squid.conf to allow connections from localhost. This is typically the default configuration for squid. The steps to do this are beyond the scope of this article, but if you are having problems, please visit our Web site for documentation:

2.  Add an IP address to your bridge interface, if you haven't already done so. In the commands that follow, replace the variable $MANAGEMENTIP with the IP address you intend to assign to your bridge, and the $MANAGEMENTGATEWAY variable with the gateway address for your network.

ifconfig br0 $MANAGEMENTIP
route add default gw $MANAGEMENTGATEWAY

3.  Finally, add the following two rules to your firewall:

iptables -A INPUT -i <internal interface on bridge, such as eth1> -p tcp -d $MANAGEMENTIP -s --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i <internal interface on bridge, such as eth1> -s -p
tcp --dport 80 -j REDIRECT --to-port 3128

Your stealth firewall is now configured to grab all the port 80 traffic coming from our hypothetical stealth firewall's internal network, Redirect it to squid, and then allow squid to request and cache the documents. Again, all Web requests will now come from the bridge's IP address.

Hopefully this brief introduction to stealth firewalls has encouraged you to think up your own ways to use them in your environment. Stealth firewalls are a fantastic and reliable tool for any network or security administrator. They're easy to set up, can be more secure than classic IP firewalls, and because they require no routing and don't have to be integrated into the network's routing scheme, they are actually less of a risk to a network, from a point-of-failure perspective, than a traditional IP firewall.

As we already mentioned, if the stealth firewall fails, just run a patch cable around it. Of course, this eliminates your firewall and we don't want that. The good news is that there's an easy solution to that problem as well, and it allows you to create a fully automatic failover between two or more stealth firewalls. The better news is that this is already built into Linux and is very robust, but that discussion is for another time.

More Stories By Michael Shinn

Michael is the Managing Partner for the Prometheus Group
(, an Information Technology Services and Products firm specializing in securing and managing IT for their government and commercial customers. Previous to founding the Prometheus Group, he co-founded Plesk, Inc. which makes server management software designed to simplify the full range of user and
administrator management and configuration tasks. Michael also worked for Cisco Systems, the Wheelgroup Corporation and The White House.

More Stories By Scott R. Shinn

Scott Shinn co-founded Plesk, a server management firm. He was formerly a senior network security engineer specializing in penetration testing for Fortune 50 clients at Wheelgroup, a firm later acquired by Cisco.

Comments (6) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
Michael Shinn 03/16/05 03:00:05 PM EST

Not sure why the left Figure one out, but here it is from the source link:

Listing 1



# shut down our Ethernet devices
$IFCONFIG eth0 down
$IFCONFIG eth1 down

# bring the Ethernet devices back up with no IP addresses
$IFCONFIG eth0 up
$IFCONFIG eth1 up

# create our bridge device, and add our Ethernet devices
$BRCTL addbr br0
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1

# add an IP address to the bridge device, this is for management purposes only

# now for our firewall rules

# note that when bridging these rules are applied against
# the FORWARD chain

#Allow already established connections and related packets to be forwarded

#Stealthly drop SMB traffic - this is just an example of a protocol you could

$IPTABLES -A FORWARD -p all -sport 135 -j DROP
$IPTABLES -A FORWARD -p all -dport 135 -j DROP
$IPTABLES -A FORWARD -p all -sport 137 -j DROP
$IPTABLES -A FORWARD -p all -dport 137 -j DROP
$IPTABLES -A FORWARD -p all -sport 138 -j DROP
$IPTABLES -A FORWARD -p all -dport 138 -j DROP
$IPTABLES -A FORWARD -p all -sport 139 -j DROP
$IPTABLES -A FORWARD -p all -dport 139 -j DROP

#Allow all other traffic out from the network
$IPTABLES -A FORWARD -i eth1 -o eth0 -s -m state -state NEW -j ACCEPT

#Allow traffic in to the networking
$IPTABLES -A FORWARD -i eth0 -o eth1 -d -m state -state NEW -j ACCEPT

vs 03/06/05 07:40:56 AM EST

stealth firewall articles are written in may web sites, but
failover stealth-firewall isn't written, like this !

Eric 03/04/05 11:59:03 AM EST

To John: I see no link "Source" at the bottom of the article at either this site ( nor at gootroot's web site. Would you mind pasting the link into your reply?

baggy 03/01/05 10:18:54 AM EST

I wish more people knew about this stuff. It really gets on my nerves when people think nat is more secure than IP6 becaue you can do inbound routing properly with IP6.

This article shows that you can still have the equivalent of your NAT box in an IP6 environment, only it's vastly more secure because the firewall box doesn't have an IP address at all and therefore cannot be targetted.

John 02/24/05 09:44:37 PM EST

To Eric, I found the example script, Listing 1, at the link "Source" at the bottom of the article (online).

Eric 02/20/05 05:52:17 PM EST

Where is:
"Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the network."

Where is Listing 1?????????????????????????

What sucks is that I purchased a copy of the magazine, then found this article on-line with the same freakin error!

@ThingsExpo Stories
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical to maintaining positive ROI. Raxak Protect is an automated security compliance SaaS platform and ma...
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data shows "less than 10 percent of IoT developers are making enough to support a reasonably sized team....
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound cha...
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Summit, Charles Kendrick, CTO and Chief Architect at Isomorphic Software, demonstrated examples of com...
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningful and actionable insights. In his session at @ThingsExpo, Paul Turner, Chief Marketing Officer at...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
In his General Session at 17th Cloud Expo, Bruce Swann, Senior Product Marketing Manager for Adobe Campaign, explored the key ingredients of cross-channel marketing in a digital world. Learn how the Adobe Marketing Cloud can help marketers embrace opportunities for personalized, relevant and real-time customer engagement across offline (direct mail, point of sale, call center) and digital (email, website, SMS, mobile apps, social networks, connected objects).
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessions, I wanted to share some of my observations on emerging trends. As cyber security serves as a fou...
The Internet of Everything is re-shaping technology trends–moving away from “request/response” architecture to an “always-on” Streaming Web where data is in constant motion and secure, reliable communication is an absolute necessity. As more and more THINGS go online, the challenges that developers will need to address will only increase exponentially. In his session at @ThingsExpo, Todd Greene, Founder & CEO of PubNub, exploreed the current state of IoT connectivity and review key trends and technology requirements that will drive the Internet of Things from hype to reality.
With all the incredible momentum behind the Internet of Things (IoT) industry, it is easy to forget that not a single CEO wakes up and wonders if “my IoT is broken.” What they wonder is if they are making the right decisions to do all they can to increase revenue, decrease costs, and improve customer experience – effectively the same challenges they have always had in growing their business. The exciting thing about the IoT industry is now these decisions can be better, faster, and smarter. Now all corporate assets – people, objects, and spaces – can share information about themselves and thei...
Continuous processes around the development and deployment of applications are both impacted by -- and a benefit to -- the Internet of Things trend. To help better understand the relationship between DevOps and a plethora of new end-devices and data please welcome Gary Gruver, consultant, author and a former IT executive who has led many large-scale IT transformation projects, and John Jeremiah, Technology Evangelist at Hewlett Packard Enterprise (HPE), on Twitter at @j_jeremiah. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true change and transformation possible.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound effect on the world, and what should we expect to see over the next couple of years.
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" in this scenario: microservice A (releases daily) depends on a couple of additions to backend B (re...
The cloud. Like a comic book superhero, there seems to be no problem it can’t fix or cost it can’t slash. Yet making the transition is not always easy and production environments are still largely on premise. Taking some practical and sensible steps to reduce risk can also help provide a basis for a successful cloud transition. A plethora of surveys from the likes of IDG and Gartner show that more than 70 percent of enterprises have deployed at least one or more cloud application or workload. Yet a closer inspection at the data reveals less than half of these cloud projects involve production...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, wil...
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNub’s Data Stream Network.