Linux Containers Authors: Liz McMillan, Pat Romanski, Hollis Tibbetts, Derek Weeks, Yeshim Deniz

Related Topics: Linux Containers

Linux Containers: Article

Cover Story: Stealth Firewalling with Linux

Ever Needed to Set Up a Firewall in a Network Without Anyone Knowing It?

Have you ever needed to set up a firewall in a network without anyone knowing it was there or so that it wouldn't require you to change your network? Welcome to the world of stealth firewalling. We dedicated one chapter in our book, Troubleshooting Linux Firewalls, to it but honestly the topic has so many uses, to do it justice it really needs its own book (or books!).

What Is Stealth Firewalling with Linux?

Simply put, a stealth firewall is an Ethernet bridge with filtering capabilities. This means that it's a firewall that operates at Layer 2 of the OSI model, leveraging netfilter rules and chains (Linux's firewall system) applied to the bridge. For those not familiar with what a bridge is: an Ethernet bridge is a means of connecting two or more networks/devices at the Data Link layer. The Data Link layer is the layer of the OSI model before the Network Layer (Layer 3). Layer 3 is where things like the IP in TCP/IP come into the picture. This means that a bridge operates before we get into things like protocols, so you can apply firewalling to protocols other than IP (IPX, DECnet, SNA, etc.) and you don't have to worry about routing issues either. You're moving raw frames from one interface to another, which lets you deploy your stealth firewall without anyone being the wiser. Another advantage of a stealth firewall is that if the hardware fails or malfunctions, you can bypass it with nothing more than a network cable.

How Does a Bridge Work?

A bridge operates in promiscuous mode, grabbing all the packets it sees on its interfaces, learns which MAC addresses apply to which interfaces, and moves packets between those interfaces. One example of a bridge that many are familiar with is the humble network switch, wherein all the interfaces on a switch comprise one bridge. With Linux, when you create a bridge you are combining two or more interfaces into one bridge. For instance, we'll create a bridge, br0, that is made up of two interfaces, eth0 and eth1. Think of br0 as a set that contains two elements, eth0 and eth1. When the two interfaces are added to the bridge, the kernel will then move packets back and forth automatically between those two interfaces as if they were both part of the same physical network.

A Brief Explanation of Netfilter
Netfilter, if you're not familiar with it, is Linux's packet filtering system introduced in the 2.4 kernel and continued into 2.6. The netfilter system is manipulated by the userspace tool, iptables, and can also be manipulated by other tools. We only point this out because iptables is sometimes thought to be the only mechanism for controlling the kernel's filtering capabilities, but it's not.

Thanks to the flexibility of the netfilter subsystem and the way it handles packets, we can use it to apply firewall rules to network traffic, even if the device is not operating at the IP layer. The subsystem doesn't actually care; it can apply firewall rules to whatever traffic passes through it. To help explain this, Figure 1 shows which netfilter rules are applied to the bridge interface, and the order in which they are applied for traffic flowing from eth0 to eth1 over the bridge.

What This Means in Practical Terms

You can put a firewall in place without anyone knowing it's there or making any IP topology changes. For example, at the California Community Colocation Project (www.communitycolo.net), we used a bridging/stealth firewall to filter out worm traffic entering and exiting the network. This was done in such a way that there was no interruption for the users of the network, no need to change the routing tables or to even muck about with IP issues, and it required only some basic physical wiring changes. The use of a stealthy firewall such as this leads to all sorts of interesting alternative applications outside of just basic firewalling, such as stealth proxies, traffic-shaping devices, anti-spam/virus filtering, and stealth IDS/IPS systems. The key advantage for the firewall administrator is that you can deploy a fairly paranoid firewall setup without having to make any changes to your network, and failing over, as previously mentioned, is as simple as plugging in a patch cable.

How Do I Set One Up?

We're using Fedora Core 3 for our demonstration environment, but the following should apply to nearly any modern Linux distribution running a 2.6 kernel. You can also do this with a 2.4 kernel, but for brevity's sake we're going to stick with the screaming edge. It's more fun that way. First, we need to make sure our kernels support both bridging and Layer 2 filtering in netfilter. If you're running FC3 with the default kernel, you can skip this next bit; this is for those of you running custom 2.6 kernels or other distributions that don't include this functionality by default. To enable bridging and Layer 2 filtering, you'll need to make sure the following settings are configured in your kernel to support ebtables.

Device Drivers
  Networking Support
    Networking Options --->
      <M> 802.1d Ethernet Bridging
      [*] Network packet filtering (replaces ipchains)  --->
        [*]   Bridged IP/ARP packets filtering
        Bridge: Netfilter Configuration  --->
          <M> Ethernet Bridge tables (ebtables) support
            <M>   ebt: broute table support (NEW)
            <M>   ebt: filter table support (NEW)
            <M>   ebt: nat table support (NEW)
            <M>   ebt: 802.3 filter support (NEW)
            <M>   ebt: among filter support (NEW)
            <M>   ebt: ARP filter support (NEW)
            <M>   ebt: IP filter support (NEW)
            <M>   ebt: limit match support (NEW)
            <M>   ebt: mark filter support (NEW)
            <M>   ebt: packet type filter support (NEW)
            <M>   ebt: STP filter support (NEW)
            <M>   ebt: 802.1Q VLAN filter support (NEW)
            <M>   ebt: arp reply target support (NEW)
            <M>   ebt: dnat target support (NEW)
            <M>   ebt: mark target support (NEW)
            <M>   ebt: redirect target support (NEW)
            <M>   ebt: snat target support (NEW)
            <M>   ebt: log support (NEW)

You may also need to install ebtables for your distribution. The userspace ebtables utility and 2.4 kernel patches are available at http://sf.net/projects/ebtables and from our Web site - www.gotroot.com.

Next we need to set up our firewall, in this case it's named Minimoose (kudos to those of you who get this reference), to bridge traffic between our network,, and our gateway, The goal is to put Minimoose between the network and the gateway device. We start this process by first configuring Minimoose's interfaces to act as a bridge. This is accomplished by using the userspace tool, brctl, to set up the bridged interfaces and to "capture" them. In this hypothetical example, Minimoose has two interfaces. One is pointing at the gateway router, which has an IP address and is reached via ethernet interface eth0. Minimoose's other interface, eth1, is facing the actual network. Remember, the bridge does not need any IP addresses. It's going to "bridge" the traffic between these two points, allowing traffic to move from the network to the gateway router,, and vice versa as defined by the firewall rules on Minimoose. The first step, as already explained, is to set up the interfaces on Minimoose and to configure it as a bridge:

1.  Create the logical interface in the kernel, which is called br0.

[[email protected] root]# brctl addbr br0

2.  Add the left interface, eth0, that connects to the gateway.

[[email protected] root]# brctl addif br0 eth0

3.  Add the right interface, eth1, that connects to the network.

[[email protected] root]# brctl addif br0 eth1

4.  Activate the bridged interfaces by bringing up the two real interfaces.

[[email protected] root]# ifconfig eth0 promisc up
[[email protected] root]# ifconfig eth1 promisc up

At this point your bridge is working.

As you have probably surmised, Minimoose doesn't even have an IP address for itself. Although it's probably a good idea to add an IP address to one of those interfaces for management reasons, you don't have to in most instances. For example, you could just as easily connect this device to a serial console, or add another interface and run an "Out of Band" network just for admining your stealth firewall, or something like that if you're über paranoid.

Figure 2 shows our network, 24, before we put our firewall in place.

Now we put our firewall, Minimoose, in place as shown in Figure 3.

With traffic passing from to the gateway through Minimoose, it's time to do something interesting with the firewall. Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the network. These rules also allow traffic to move in both directions, not just from the network outward, but also from the gateway back into the network. This listing will help illustrate the stealthy nature of this configuration; neither the hosts on the 10.10.10/24 network nor the gateway will "see" any changes in the network, except that SMB traffic is not flowing between the two.

In the previous example you can see that applying firewall rules to Layer 3 (IP) traffic works exactly the same as it does with a normal firewall, that is we need to apply those rules to the FORWARD table, and of course make sure you enable ip_forwarding on our firewall for this example to work:

echo 1 > /proc/sys/net/ipv4/ip_forward

Another application of a stealth firewall would be to act as a transparent proxy server. We frequently add squid to our firewalls for performance reasons and this next example shows how to configure the squid Web proxy cache server for your stealth firewall. The good news is that setting this up is easy; the bad news is that it requires adding an IP address to the stealth firewall and, because of this, your firewall will not be as stealthy as you might like, as Web requests will be seen as if they were coming from the bridge's IP address and, of course, your bridge will now have an IP address. Keep in mind, this doesn't mean that other traffic will appear to come from the bridge's IP address or that you need to change any default routes on your network. The stealth firewall will just be seen as another node on your network, not as a router. The steps to set this up are:

1.  Install squid and configure squid.conf to allow connections from localhost. This is typically the default configuration for squid. The steps to do this are beyond the scope of this article, but if you are having problems, please visit our Web site for documentation: www.gotroot.com.

2.  Add an IP address to your bridge interface, if you haven't already done so. In the commands that follow, replace the variable $MANAGEMENTIP with the IP address you intend to assign to your bridge, and the $MANAGEMENTGATEWAY variable with the gateway address for your network.

ifconfig br0 $MANAGEMENTIP
route add default gw $MANAGEMENTGATEWAY

3.  Finally, add the following two rules to your firewall:

iptables -A INPUT -i <internal interface on bridge, such as eth1> -p tcp -d $MANAGEMENTIP -s --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t nat -A PREROUTING -i <internal interface on bridge, such as eth1> -s -p
tcp --dport 80 -j REDIRECT --to-port 3128

Your stealth firewall is now configured to grab all the port 80 traffic coming from our hypothetical stealth firewall's internal network, Redirect it to squid, and then allow squid to request and cache the documents. Again, all Web requests will now come from the bridge's IP address.

Hopefully this brief introduction to stealth firewalls has encouraged you to think up your own ways to use them in your environment. Stealth firewalls are a fantastic and reliable tool for any network or security administrator. They're easy to set up, can be more secure than classic IP firewalls, and because they require no routing and don't have to be integrated into the network's routing scheme, they are actually less of a risk to a network, from a point-of-failure perspective, than a traditional IP firewall.

As we already mentioned, if the stealth firewall fails, just run a patch cable around it. Of course, this eliminates your firewall and we don't want that. The good news is that there's an easy solution to that problem as well, and it allows you to create a fully automatic failover between two or more stealth firewalls. The better news is that this is already built into Linux and is very robust, but that discussion is for another time.

More Stories By Michael Shinn

Michael is the Managing Partner for the Prometheus Group
(http://www.progllc.com), an Information Technology Services and Products firm specializing in securing and managing IT for their government and commercial customers. Previous to founding the Prometheus Group, he co-founded Plesk, Inc. which makes server management software designed to simplify the full range of user and
administrator management and configuration tasks. Michael also worked for Cisco Systems, the Wheelgroup Corporation and The White House.

More Stories By Scott R. Shinn

Scott Shinn co-founded Plesk, a server management firm. He was formerly a senior network security engineer specializing in penetration testing for Fortune 50 clients at Wheelgroup, a firm later acquired by Cisco.

Comments (6) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

Most Recent Comments
Michael Shinn 03/16/05 03:00:05 PM EST

Not sure why the left Figure one out, but here it is from the source link:

Listing 1



# shut down our Ethernet devices
$IFCONFIG eth0 down
$IFCONFIG eth1 down

# bring the Ethernet devices back up with no IP addresses
$IFCONFIG eth0 up
$IFCONFIG eth1 up

# create our bridge device, and add our Ethernet devices
$BRCTL addbr br0
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1

# add an IP address to the bridge device, this is for management purposes only

# now for our firewall rules

# note that when bridging these rules are applied against
# the FORWARD chain

#Allow already established connections and related packets to be forwarded

#Stealthly drop SMB traffic - this is just an example of a protocol you could

$IPTABLES -A FORWARD -p all -sport 135 -j DROP
$IPTABLES -A FORWARD -p all -dport 135 -j DROP
$IPTABLES -A FORWARD -p all -sport 137 -j DROP
$IPTABLES -A FORWARD -p all -dport 137 -j DROP
$IPTABLES -A FORWARD -p all -sport 138 -j DROP
$IPTABLES -A FORWARD -p all -dport 138 -j DROP
$IPTABLES -A FORWARD -p all -sport 139 -j DROP
$IPTABLES -A FORWARD -p all -dport 139 -j DROP

#Allow all other traffic out from the network
$IPTABLES -A FORWARD -i eth1 -o eth0 -s -m state -state NEW -j ACCEPT

#Allow traffic in to the networking
$IPTABLES -A FORWARD -i eth0 -o eth1 -d -m state -state NEW -j ACCEPT

vs 03/06/05 07:40:56 AM EST

stealth firewall articles are written in may web sites, but
failover stealth-firewall isn't written, like this !

Eric 03/04/05 11:59:03 AM EST

To John: I see no link "Source" at the bottom of the article at either this site (linuxworld.com) nor at gootroot's web site. Would you mind pasting the link into your reply?

baggy 03/01/05 10:18:54 AM EST

I wish more people knew about this stuff. It really gets on my nerves when people think nat is more secure than IP6 becaue you can do inbound routing properly with IP6.

This article shows that you can still have the equivalent of your NAT box in an IP6 environment, only it's vastly more secure because the firewall box doesn't have an IP address at all and therefore cannot be targetted.

John 02/24/05 09:44:37 PM EST

To Eric, I found the example script, Listing 1, at the link "Source" at the bottom of the article (online).

Eric 02/20/05 05:52:17 PM EST

Where is:
"Listing 1 provides a simple example script that sets up the firewall rules and configures them to stealthily drop all SMB traffic moving between the gateway and the hosts on the network."

Where is Listing 1?????????????????????????

What sucks is that I purchased a copy of the magazine, then found this article on-line with the same freakin error!

@ThingsExpo Stories
The Internet of Things (IoT), in all its myriad manifestations, has great potential. Much of that potential comes from the evolving data management and analytic (DMA) technologies and processes that allow us to gain insight from all of the IoT data that can be generated and gathered. This potential may never be met as those data sets are tied to specific industry verticals and single markets, with no clear way to use IoT data and sensor analytics to fulfill the hype being given the IoT today.
Ask someone to architect an Internet of Things (IoT) solution and you are guaranteed to see a reference to the cloud. This would lead you to believe that IoT requires the cloud to exist. However, there are many IoT use cases where the cloud is not feasible or desirable. In his session at @ThingsExpo, Dave McCarthy, Director of Products at Bsquare Corporation, will discuss the strategies that exist to extend intelligence directly to IoT devices and sensors, freeing them from the constraints of ...
SYS-CON Events announced today that SoftNet Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. SoftNet Solutions specializes in Enterprise Solutions for Hadoop and Big Data. It offers customers the most open, robust, and value-conscious portfolio of solutions, services, and tools for the shortest route to success with Big Data. The unique differentiator is the ability to architect and ...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm ...
Fifty billion connected devices and still no winning protocols standards. HTTP, WebSockets, MQTT, and CoAP seem to be leading in the IoT protocol race at the moment but many more protocols are getting introduced on a regular basis. Each protocol has its pros and cons depending on the nature of the communications. Does there really need to be only one protocol to rule them all? Of course not. In his session at @ThingsExpo, Chris Matthieu, co-founder and CTO of Octoblu, walk you through how Oct...
A completely new computing platform is on the horizon. They’re called Microservers by some, ARM Servers by others, and sometimes even ARM-based Servers. No matter what you call them, Microservers will have a huge impact on the data center and on server computing in general. Although few people are familiar with Microservers today, their impact will be felt very soon. This is a new category of computing platform that is available today and is predicted to have triple-digit growth rates for some ...
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, will discuss why and how ReadyTalk diverted from healthy revenue an...
In past @ThingsExpo presentations, Joseph di Paolantonio has explored how various Internet of Things (IoT) and data management and analytics (DMA) solution spaces will come together as sensor analytics ecosystems. This year, in his session at @ThingsExpo, Joseph di Paolantonio from DataArchon, will be adding the numerous Transportation areas, from autonomous vehicles to “Uber for containers.” While IoT data in any one area of Transportation will have a huge impact in that area, combining sensor...
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Established in 1998, Calsoft is a leading software product engineering Services Company specializing in Storage, Networking, Virtualization and Cloud business verticals. Calsoft provides End-to-End Product Development, Quality Assurance Sustenance, Solution Engineering and Professional Services expertise to assist customers in achieving their product development and business goals. The company's deep domain knowledge of Storage, Virtualization, Networking and Cloud verticals helps in delivering ...
SYS-CON Events announced today that Enzu will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive advantage. By offering a suite of proven hosting and management services, Enzu wants companies to focus on the core of their online busine...
November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Penta Security is a leading vendor for data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows for the implementation of encryption technology to sensitive data fields without modification to schema in the database environment. With businesses having their data become increasingly more complicated in their mission-critical applications (such as ERP, CRM, HRM), continued ...
In the next five to ten years, millions, if not billions of things will become smarter. This smartness goes beyond connected things in our homes like the fridge, thermostat and fancy lighting, and into heavily regulated industries including aerospace, pharmaceutical/medical devices and energy. “Smartness” will embed itself within individual products that are part of our daily lives. We will engage with smart products - learning from them, informing them, and communicating with them. Smart produc...
OnProcess Technology has announced it will be a featured speaker at @ThingsExpo, taking place November 1 - 3, 2016, in Santa Clara, California. Dan Gettens, OnProcess’ Chief Analytics Officer, will discuss how Internet of Things (IoT) data can be leveraged to predict product failures, improve uptime and slash costly inventory stock. @ThingsExpo is an annual gathering of IoT and cloud developers, practitioners and thought-leaders who exchange ideas and insights on topics ranging from Big Data in...
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
SYS-CON Events announced today that Transparent Cloud Computing (T-Cloud) Consortium will exhibit at the 19th International Cloud Expo®, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. The Transparent Cloud Computing Consortium (T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data proces...
SYS-CON Events announced today that Roundee / LinearHub will exhibit at the WebRTC Summit at @ThingsExpo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. LinearHub provides Roundee Service, a smart platform for enterprise video conferencing with enhanced features such as automatic recording and transcription service. Slack users can integrate Roundee to their team via Slack’s App Directory, and '/roundee' command lets your video conference ...
Successful digital transformation requires new organizational competencies and capabilities. Research tells us that the biggest impediment to successful transformation is human; consequently, the biggest enabler is a properly skilled and empowered workforce. In the digital age, new individual and collective competencies are required. In his session at 19th Cloud Expo, Bob Newhouse, CEO and founder of Agilitiv, will draw together recent research and lessons learned from emerging and established ...
SYS-CON Events announced today that Coalfire will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Coalfire is the trusted leader in cybersecurity risk management and compliance services. Coalfire integrates advisory and technical assessments and recommendations to the corporate directors, executives, boards, and IT organizations for global brands and organizations in the technology, cloud, health...
As ridesharing competitors and enhanced services increase, notable changes are occurring in the transportation model. Despite the cost-effective means and flexibility of ridesharing, both drivers and users will need to be aware of the connected environment and how it will impact the ridesharing experience. In his session at @ThingsExpo, Timothy Evavold, Executive Director Automotive at Covisint, will discuss key challenges and solutions to powering a ride sharing and/or multimodal model in the a...