Welcome!

Linux Containers Authors: Elizabeth White, Liz McMillan, Vaibhaw Pandey, Pat Romanski, Yeshim Deniz

Related Topics: Linux Containers

Linux Containers: Article

Cover Story: Stealth Firewalling with Linux

Ever Needed to Set Up a Firewall in a Network Without Anyone Knowing It?

Have you ever needed to set up a firewall in a network without anyone knowing it was there or so that it wouldn't require you to change your network? Welcome to the world of stealth firewalling. We dedicated one chapter in our book, Troubleshooting Linux Firewalls, to it but honestly the topic has so many uses, to do it justice it really needs its own book (or books!).

What Is Stealth Firewalling with Linux?

Simply put, a stealth firewall is an Ethernet bridge with filtering capabilities. This means that it's a firewall that operates at Layer 2 of the OSI model, leveraging netfilter rules and chains (Linux's firewall system) applied to the bridge. For those not familiar with what a bridge is: an Ethernet bridge is a means of connecting two or more networks/devices at the Data Link layer. The Data Link layer is the layer of the OSI model before the Network Layer (Layer 3). Layer 3 is where things like the IP in TCP/IP come into the picture. This means that a bridge operates before we get into things like protocols, so you can apply firewalling to protocols other than IP (IPX, DECnet, SNA, etc.) and you don't have to worry about routing issues either. You're moving raw frames from one interface to another, which lets you deploy your stealth firewall without anyone being the wiser. Another advantage of a stealth firewall is that if the hardware fails or malfunctions, you can bypass it with nothing more than a network cable.

How Does a Bridge Work?

A bridge operates in promiscuous mode, grabbing all the packets it sees on its interfaces, learns which MAC addresses apply to which interfaces, and moves packets between those interfaces. One example of a bridge that many are familiar with is the humble network switch, wherein all the interfaces on a switch comprise one bridge. With Linux, when you create a bridge you are combining two or more interfaces into one bridge. For instance, we'll create a bridge, br0, that is made up of two interfaces, eth0 and eth1. Think of br0 as a set that contains two elements, eth0 and eth1. When the two interfaces are added to the bridge, the kernel will then move packets back and forth automatically between those two interfaces as if they were both part of the same physical network.

A Brief Explanation of Netfilter
Netfilter, if you're not familiar with it, is Linux's packet filtering system introduced in the 2.4 kernel and continued into 2.6. The netfilter system is manipulated by the userspace tool, iptables, and can also be manipulated by other tools. We only point this out because iptables is sometimes thought to be the only mechanism for controlling the kernel's filtering capabilities, but it's not.

Thanks to the flexibility of the netfilter subsystem and the way it handles packets, we can use it to apply firewall rules to network traffic, even if the device is not operating at the IP layer. The subsystem doesn't actually care; it can apply firewall rules to whatever traffic passes through it. To help explain this, Figure 1 shows which netfilter rules are applied to the bridge interface, and the order in which they are applied for traffic flowing from eth0 to eth1 over the bridge.

What This Means in Practical Terms

You can put a firewall in place without anyone knowing it's there or making any IP topology changes. For example, at the California Community Colocation Project (www.communitycolo.net), we used a bridging/stealth firewall to filter out worm traffic entering and exiting the network. This was done in such a way that there was no interruption for the users of the network, no need to change the routing tables or to even muck about with IP issues, and it required only some basic physical wiring changes. The use of a stealthy firewall such as this leads to all sorts of interesting alternative applications outside of just basic firewalling, such as stealth proxies, traffic-shaping devices, anti-spam/virus filtering, and stealth IDS/IPS systems. The key advantage for the firewall administrator is that you can deploy a fairly paranoid firewall setup without having to make any changes to your network, and failing over, as previously mentioned, is as simple as plugging in a patch cable.

How Do I Set One Up?

We're using Fedora Core 3 for our demonstration environment, but the following should apply to nearly any modern Linux distribution running a 2.6 kernel. You can also do this with a 2.4 kernel, but for brevity's sake we're going to stick with the screaming edge. It's more fun that way. First, we need to make sure our kernels support both bridging and Layer 2 filtering in netfilter. If you're running FC3 with the default kernel, you can skip this next bit; this is for those of you running custom 2.6 kernels or other distributions that don't include this functionality by default. To enable bridging and Layer 2 filtering, you'll need to make sure the following settings are configured in your kernel to support ebtables.


Device Drivers
  Networking Support
    Networking Options --->
      <M> 802.1d Ethernet Bridging
      [*] Network packet filtering (replaces ipchains)  --->
        [*]   Bridged IP/ARP packets filtering
        Bridge: Netfilter Configuration  --->
          <M> Ethernet Bridge tables (ebtables) support
            <M>   ebt: broute table support (NEW)
            <M>   ebt: filter table support (NEW)
            <M>   ebt: nat table support (NEW)
            <M>   ebt: 802.3 filter support (NEW)
            <M>   ebt: among filter support (NEW)
            <M>   ebt: ARP filter support (NEW)
            <M>   ebt: IP filter support (NEW)
            <M>   ebt: limit match support (NEW)
            <M>   ebt: mark filter support (NEW)
            <M>   ebt: packet type filter support (NEW)
            <M>   ebt: STP filter support (NEW)
            <M>   ebt: 802.1Q VLAN filter support (NEW)
            <M>   ebt: arp reply target support (NEW)
            <M>   ebt: dnat target support (NEW)
            <M>   ebt: mark target support (NEW)
            <M>   ebt: redirect target support (NEW)
            <M>   ebt: snat target support (NEW)
            <M>   ebt: log support (NEW)

You may also need to install ebtables for your distribution. The userspace ebtables utility and 2.4 kernel patches are available at http://sf.net/projects/ebtables and from our Web site - www.gotroot.com.

Next we need to set up our firewall, in this case it's named Minimoose (kudos to those of you who get this reference), to bridge traffic between our network, 10.10.10.0/24, and our gateway, 10.10.10.1. The goal is to put Minimoose between the network and the gateway device. We start this process by first configuring Minimoose's interfaces to act as a bridge. This is accomplished by using the userspace tool, brctl, to set up the bridged interfaces and to "capture" them. In this hypothetical example, Minimoose has two interfaces. One is pointing at the gateway router, which has an IP address 10.10.10.1 and is reached via ethernet interface eth0. Minimoose's other interface, eth1, is facing the actual 10.10.10.0/24 network. Remember, the bridge does not need any IP addresses. It's going to "bridge" the traffic between these two points, allowing traffic to move from the 10.10.10.0/24 network to the gateway router, 10.10.10.1, and vice versa as defined by the firewall rules on Minimoose. The first step, as already explained, is to set up the interfaces on Minimoose and to configure it as a bridge:

1.  Create the logical interface in the kernel, which is called br0.

[[email protected] root]# brctl addbr br0

2.  Add the left interface, eth0, that connects to the 10.10.10.1 gateway.

[[email protected] root]# brctl addif br0 eth0

3.  Add the right interface, eth1, that connects to the 10.10.10.0/24 network.

[[email protected] root]# brctl addif br0 eth1

4.  Activate the bridged interfaces by bringing up the two real interfaces.

[[email protected] root]# ifconfig eth0 0.0.0.0 promisc up
[[email protected] root]# ifconfig eth1 0.0.0.0 promisc up

At this point your bridge is working.

As you have probably surmised, Minimoose doesn't even have an IP address for itself. Although it's probably a good idea to add an IP address to one of those interfaces for management reasons, you don't have to in most instances. For example, you could just as easily connect this device to a serial console, or add another interface and run an "Out of Band" network just for admining your stealth firewall, or something like that if you're über paranoid.

Figure 2 shows our network, 10.10.10.0/ 24, before we put our firewall in place.

Now we put our firewall, Minimoose, in place as shown in Figure 3.

With traffic passing from 10.10.10.0/24 to the gateway through Minimoose, it's time to do something interesting with the firewall. Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the 10.10.10.0/24 network. These rules also allow traffic to move in both directions, not just from the 10.10.10.0/24 network outward, but also from the gateway back into the 10.10.10.0/24 network. This listing will help illustrate the stealthy nature of this configuration; neither the hosts on the 10.10.10/24 network nor the gateway will "see" any changes in the network, except that SMB traffic is not flowing between the two.

In the previous example you can see that applying firewall rules to Layer 3 (IP) traffic works exactly the same as it does with a normal firewall, that is we need to apply those rules to the FORWARD table, and of course make sure you enable ip_forwarding on our firewall for this example to work:

echo 1 > /proc/sys/net/ipv4/ip_forward

Another application of a stealth firewall would be to act as a transparent proxy server. We frequently add squid to our firewalls for performance reasons and this next example shows how to configure the squid Web proxy cache server for your stealth firewall. The good news is that setting this up is easy; the bad news is that it requires adding an IP address to the stealth firewall and, because of this, your firewall will not be as stealthy as you might like, as Web requests will be seen as if they were coming from the bridge's IP address and, of course, your bridge will now have an IP address. Keep in mind, this doesn't mean that other traffic will appear to come from the bridge's IP address or that you need to change any default routes on your network. The stealth firewall will just be seen as another node on your network, not as a router. The steps to set this up are:

1.  Install squid and configure squid.conf to allow connections from localhost. This is typically the default configuration for squid. The steps to do this are beyond the scope of this article, but if you are having problems, please visit our Web site for documentation: www.gotroot.com.

2.  Add an IP address to your bridge interface, if you haven't already done so. In the commands that follow, replace the variable $MANAGEMENTIP with the IP address you intend to assign to your bridge, and the $MANAGEMENTGATEWAY variable with the gateway address for your network.

ifconfig br0 $MANAGEMENTIP
route add default gw $MANAGEMENTGATEWAY

3.  Finally, add the following two rules to your firewall:

iptables -A INPUT -i <internal interface on bridge, such as eth1> -p tcp -d $MANAGEMENTIP -s
10.10.10.0/24 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i <internal interface on bridge, such as eth1> -s 10.10.10.0/24 -p
tcp --dport 80 -j REDIRECT --to-port 3128

Your stealth firewall is now configured to grab all the port 80 traffic coming from our hypothetical stealth firewall's internal network, 10.10.10.0/24. Redirect it to squid, and then allow squid to request and cache the documents. Again, all Web requests will now come from the bridge's IP address.

Hopefully this brief introduction to stealth firewalls has encouraged you to think up your own ways to use them in your environment. Stealth firewalls are a fantastic and reliable tool for any network or security administrator. They're easy to set up, can be more secure than classic IP firewalls, and because they require no routing and don't have to be integrated into the network's routing scheme, they are actually less of a risk to a network, from a point-of-failure perspective, than a traditional IP firewall.

As we already mentioned, if the stealth firewall fails, just run a patch cable around it. Of course, this eliminates your firewall and we don't want that. The good news is that there's an easy solution to that problem as well, and it allows you to create a fully automatic failover between two or more stealth firewalls. The better news is that this is already built into Linux and is very robust, but that discussion is for another time.

More Stories By Michael Shinn

Michael is the Managing Partner for the Prometheus Group
(http://www.progllc.com), an Information Technology Services and Products firm specializing in securing and managing IT for their government and commercial customers. Previous to founding the Prometheus Group, he co-founded Plesk, Inc. which makes server management software designed to simplify the full range of user and
administrator management and configuration tasks. Michael also worked for Cisco Systems, the Wheelgroup Corporation and The White House.

More Stories By Scott R. Shinn

Scott Shinn co-founded Plesk, a server management firm. He was formerly a senior network security engineer specializing in penetration testing for Fortune 50 clients at Wheelgroup, a firm later acquired by Cisco.

Comments (6) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
Michael Shinn 03/16/05 03:00:05 PM EST

Not sure why the left Figure one out, but here it is from the source link:

Listing 1
#!/bin/bash

IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
BRCTL=/usr/sbin/brctl
ROUTE=/sbin/route

MANAGEMENTIP=10.10.10.51
MANAGEMENTGATEWAY=10.10.10.1

# shut down our Ethernet devices
$IFCONFIG eth0 down
$IFCONFIG eth1 down

# bring the Ethernet devices back up with no IP addresses
$IFCONFIG eth0 up 0.0.0.0
$IFCONFIG eth1 up 0.0.0.0

# create our bridge device, and add our Ethernet devices
$BRCTL addbr br0
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1

# add an IP address to the bridge device, this is for management purposes only
$IFCONFIG br0 $MANAGEMENTIP
$ROUTE add default gw $MANAGEMENTGATEWAY

# now for our firewall rules

# note that when bridging these rules are applied against
# the FORWARD chain

#Allow already established connections and related packets to be forwarded
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Stealthly drop SMB traffic - this is just an example of a protocol you could
#drop.

$IPTABLES -A FORWARD -p all -sport 135 -j DROP
$IPTABLES -A FORWARD -p all -dport 135 -j DROP
$IPTABLES -A FORWARD -p all -sport 137 -j DROP
$IPTABLES -A FORWARD -p all -dport 137 -j DROP
$IPTABLES -A FORWARD -p all -sport 138 -j DROP
$IPTABLES -A FORWARD -p all -dport 138 -j DROP
$IPTABLES -A FORWARD -p all -sport 139 -j DROP
$IPTABLES -A FORWARD -p all -dport 139 -j DROP

#Allow all other traffic out from the 10.10.10.0/24 network
$IPTABLES -A FORWARD -i eth1 -o eth0 -s 10.10.10.0/24 -m state -state NEW -j ACCEPT

#Allow traffic in to the 10.10.10.0/24 networking
$IPTABLES -A FORWARD -i eth0 -o eth1 -d 10.10.10.0/24 -m state -state NEW -j ACCEPT

vs 03/06/05 07:40:56 AM EST

stealth firewall articles are written in may web sites, but
failover stealth-firewall isn't written, like this !

Eric 03/04/05 11:59:03 AM EST

To John: I see no link "Source" at the bottom of the article at either this site (linuxworld.com) nor at gootroot's web site. Would you mind pasting the link into your reply?

baggy 03/01/05 10:18:54 AM EST

I wish more people knew about this stuff. It really gets on my nerves when people think nat is more secure than IP6 becaue you can do inbound routing properly with IP6.

This article shows that you can still have the equivalent of your NAT box in an IP6 environment, only it's vastly more secure because the firewall box doesn't have an IP address at all and therefore cannot be targetted.

John 02/24/05 09:44:37 PM EST

To Eric, I found the example script, Listing 1, at the link "Source" at the bottom of the article (online).

Eric 02/20/05 05:52:17 PM EST

Where is:
"Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the 10.10.10.0/24 network."

Where is Listing 1?????????????????????????

What sucks is that I purchased a copy of the magazine, then found this article on-line with the same freakin error!

@ThingsExpo Stories
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics gr...