transparent firewall using iptables

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    transparent firewall using iptables

    Well, I urge everyone to see the attached image first.
    If you are done, I think I have made many things clear now.
    What I want is that the firewall I want to implement should be transparent to both router and switch.
    I can't modify the settings of either router or switch because of certain reasons, and I really want to implement the firewall using iptables and Linux.
    I mean, what should be the rules that I am supposed to insert into iptables so that, after clearing all the rules, if a packet is safe to send to and fro from the network, it can pass to and fro as it is passing now.
    I think I have made myself very clear, and I suppose there shouldn't be any problem regarding it.
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;

  2. #2
    Junior Member
    Join Date
    Jul 2003
    Posts
    14
    What firewall are you using? A software or server firewall? What kind of router is it and what are the prefs? Also, explain further, just a tad. Thanks.
    Loki

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    472
    I have made it very clear: it is to be a filtering firewall using IPTABLES on Linux. The router is a Cisco router, and the firewall is to be placed on a dedicated system.

  4. #4
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    IPtables needs to be configured very specifically to your own network. As for someone literally 'hand feeding' you the rules you must 'insert' into it, that would be tough to have it actually work without more knowledge about your LAN. As for setting up IPtables, a very, very good site is

  5. #5
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Well, one thing that concerns me most is: "is it possible for the system to act as a transparent firewall?"
    And then the IP rules I would have to insert for eth0 and eth1. Anyhow, thx for the link.

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    The only truly "transparent" firewall I'm aware of is Sun Microsystems' SunScreen firewall. It's got to be the enterprise edition, as the version that ships with Solaris 9 is the routing version only.

    It may be very possible to do this with iptables but I don't know of anyone who has successfully pulled it off.

    P.S. PM me if you want more info on sunscreen.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member
    Join Date
    Mar 2002
    Posts
    442
    I must be missing your idea of transparent. If it is a firewall, you are going to notice it is in place because it is applying filters to traffic, whether it be incoming or outgoing. Saying any firewall is transparent would mean that it doesn't do anything, or am I missing something here? Do you just want it to work in between the router and switch?

    Please define 'transparent' maybe we can help you out a bit more.

    * * Another possibility would be to just use snort and attach it to a hub in between the router and switch, and do not allow any outgoing packets from that machine. That would be completely 'transparent', I would believe, but it would not necessarily stop any bad traffic, just show you what is happening; then you would have to work from there. * *

  8. #8
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Transparent IPTABLES firewall:

    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

    # ------Set policies for packets going through this firewall box-------- #
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    Effective IPTABLES firewall:

    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

    # ------Set policies for packets going through this firewall box-------- #
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    I think you might be looking for something in the middle.

    To be any more specific, you would have to let someone know what it is you want to let through, and what you want blocked (i.e. filtered). Will you need certain ports open for ssh, webservers, ftp servers, video conferencing, irc, games, etc.??? Which is pointed toward the router, eth0 or eth1??? Why do you want the firewall behind the router?

    It doesn't seem that clear to me.

    You might start reading through
    Linux netfilter Hacking HOWTO and Iptables Tutorial 1.1.19
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    472
    Well, let me make things clear. The switch sends data to the router, which acts as the gateway. The whole internal n/w is connected to the switch.
    Now what I want is to place the dedicated system acting as a firewall (using IPTABLES) between the switch and router.
    The problem: I can't modify the configuration of either the switch or the router.
    So how to handle the traffic?

    Now, defining transparent.

    I want the switch to send every packet to the system running the firewall. The firewall checks if the packet is valid to send. If it passes all the rules, the system should forward the packet to the router, but to the router it should look as if the packet has come from the switch directly.

    Similarly, if the router is to send a packet coming from the internet to the internal network, by the configuration in the router it will pass it on to the switch. But I am to place the firewall between switch and router, so the packet should go to the firewall first instead of the switch (remember, I can't modify the router config). The firewall checks to see if it should allow the packet to go inside the network. If valid, the packet is to be forwarded to the switch, and to the switch it should look as if the packet has come from the router itself.

    So by transparent I mean: the firewall should be invisible to both router and switch. Both should think they are communicating directly with each other, without knowing the data comes filtered through the firewall.

    I think now it should be a lot clearer.

    Thx for every help you are putting forward.

    Originally posted here by IKnowNot:
    "I think you might be looking for something in the middle."
    Exactly, I want something in the middle between router and switch.

    Originally posted here by IKnowNot:
    "To be any more specific, you would have to let someone know what it is you want to let through, and what you want blocked (i.e. filtered). Will you need certain ports open for ssh, webservers, ftp servers, video conferencing, irc, games, etc.??? Which is pointed toward the router, eth0 or eth1??? Why do you want the firewall behind the router?"
    I want to allow incoming HTTP and HTTPS data (ports 80, 443) only from the internet, and from the internal network outgoing I would like to allow ssh, ftp, http, https.

    Thx for the URLs. I am already reading these and more.

  10. #10
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    No, you still did not make it much clearer, but I think what you might be looking for is:

    Ethernet Bridge + netfilter Howto

    Read that after you've read the others, I think you'll be well on your way..
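Putting posts #8, #9 and #10 together, the setup the thread converges on is a Linux box bridging its two interfaces (so neither the router nor the switch sees a new hop or a new MAC in the path) with the DROP-everything policy from post #8 relaxed only for the traffic listed in post #9. The script below is an added example, not code from any poster in this thread. It assumes, as an illustration, that eth0 is cabled to the router, eth1 to the switch, and the bridge is named br0; it uses iproute2 (`ip link ... type bridge`) rather than the older brctl the Bridge + netfilter HOWTO describes, and the physdev match to tell the two bridge ports apart inside FORWARD. By default it only prints the commands so they can be reviewed; set APPLY=1 and run it as root to execute them.

```shell
#!/bin/sh
# Constructed example: transparent (bridging) iptables firewall between a router and a switch.
# Assumptions, not taken from the thread: eth0 faces the router, eth1 faces the switch, bridge is br0.
ROUTER_IF="${ROUTER_IF:-eth0}"   # port cabled to the Cisco router (internet side)
INSIDE_IF="${INSIDE_IF:-eth1}"   # port cabled to the switch (internal network)
BRIDGE="${BRIDGE:-br0}"

# Commands that build the bridge. It gets no IP address, so router and switch
# keep talking to each other's MAC addresses exactly as before.
gen_bridge() {
  cat <<EOF
ip link add name $BRIDGE type bridge
ip link set $ROUTER_IF master $BRIDGE
ip link set $INSIDE_IF master $BRIDGE
ip link set $ROUTER_IF up
ip link set $INSIDE_IF up
ip link set $BRIDGE up
# make bridged frames pass through the iptables FORWARD chain
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
# FTP data channels are only accepted as RELATED if the helper tracks the control channel
modprobe nf_conntrack_ftp
EOF
}

# Commands for the filter: post #8's "effective" DROP policies, then only post #9's traffic.
gen_rules() {
  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# replies to connections already permitted, in either direction
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# from the internet (router port): new HTTP/HTTPS connections only
iptables -A FORWARD -m physdev --physdev-in $ROUTER_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# from the inside (switch port): new ssh, ftp, http, https connections only
iptables -A FORWARD -m physdev --physdev-in $INSIDE_IF -p tcp -m multiport --dports 22,21,80,443 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of what the DROP policy discards, for tuning the rule set
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "bridge-drop: "
EOF
}

# Number of FORWARD rules the generator emits; a quick sanity check before applying.
count_forward_rules() {
  gen_rules | grep -c '^iptables -A FORWARD'
}

if [ "${APPLY:-0}" = "1" ]; then
  { gen_bridge; gen_rules; } | sh -e      # execute as root
else
  gen_bridge; gen_rules                   # default: print for review
fi
```

Two points worth noticing when reading the generated rules. First, ARP is not IP, so iptables never sees the ARP exchanges between router and switch; the bridge forwards them unfiltered, which is exactly what keeps the box invisible to both sides. Second, INPUT and OUTPUT are DROP and the bridge has no address, so the firewall cannot be reached over the network at all; if remote management is wanted, the bridge needs an address and an explicit INPUT rule for it, which is the one thing that makes the box visible again.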
