transparent firewall using iptables

[NullDevice]

well i urge every one to see the attached image first.........
well if you are done ithink i have made many things clear now.........
what i want is that the firewall i want to implement should be transparent to both router and switch...
i cant modify the settings of either router or switch becoz of certain reasons and i reaaly want to implement the firewall using iptables and linux.........
i mean what should be the rules that i am suppose to insert into iptables so that after clearing all the rules if a packet is safe to send to n fro from network...it can pass to and fro as it ia passing now........
i think i have made myself very clear...and i suppose there shouldnt be any prob regarding it

[Kardis]

What firewall are you using? A software or server firewall? What kind of router is it and what's are the prefs. Also, explaing further, just a tad. Thanks.

[NullDevice]

i have made it very clear it is to be filtering firewall using IPTABLES on linux. The router is cisco router....and the firewall is to be placed on a dedicated system

[The3ntropy]

IPtables needs to be configured very specifically to your own network. As for someone literally 'hand feeding' you the rules you must 'insert' into it, that would be tough to have it actually work without more knowledge about your LAN. As for setting up IPtables, a very, very good site is

[NullDevice]

well one thing that concerns me most is "is it possible for the system to act as transparent firewall?"....
and then the IP rules i would have to insert for eth0 and eth1.........anyhow thx for the link

[KorpDeath]

The only truly "transparent" firewall I'm aware of is Sun Microsystems SunScreen firewall. It's got to be the enterprise edition, as the version that ships with Solaris9 is the routing version only.

It may be very possible to do this with iptables but I don't know of anyone who has successfully pulled it off.

P.S. PM me if you want more info on sunscreen.

[The3ntropy]

I must be missing your idea of transparent. If it is a firewall, you are going to notice it is in place because it is applying filters to traffic, whether it be in or out-going. Saying any firewall is transparent would mean that it doesn't do anything, or am I missing something here? Do you just want it to work in between the router and switch?

Please define 'transparent' maybe we can help you out a bit more.

* * Another possibility would be to just use snort and attach it to a hub in between the router and switch, and do not allow any out going packets from that machine, that would be completely 'transparent' I would believe, but it would not necessarily stop any bad traffic, just show you what is happening, then you would have to work from there * *

[IKnowNot]

Transparent IPTABLES firewall:

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# ------Set policies for packets going through this firewall box-------- #
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Effective IPTABLES firewall:

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# ------Set policies for packets going through this firewall box-------- #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

I think you might be looking for something in the middle.

To be any more specific you would have to let someone know what it is you want to let through, and what you want blocked ( ie. filtered ). Will you need certian ports open for ssh, webservers, ftp servers, video conferencing, irc, games, etc ??? Which is pointed toward the router, eth0 or eth1 ??? Why do you want the firewall behind the router?

It doesn't seem that clear to me.

You might start reading through
Linux netfilter Hacking HOWTO and Iptables Tutorial 1.1.19

[NullDevice]

well let make things clear..........the swtich send data to the router which acts as the gateway....the whole internal n/w is connected to the switch.........
now what i want is to place the dedicated system acting as a firewall (using IPTABLES) to put b/w the swtich and router......
the prob i cant modify configuration of either the switch or the router........
so how to handle the traffic?

now defining transparent.......

i want the swtich to send every packet to the system runnung firewall....the firewall checks if the packet is valid to send ...if it passes all the rules...the system should forward the packet to the router...but to router it should look as if the packet has come from the switch directly.......

similarly if the router is to send a packet coming from the internet to the internal network.....by the configuration in the router it will pass it on to the switch....but i am to place the firewall between switch and router so the packet should go to the firewall first instead of switch ( rem i cant modify the router config).....the firewall checks to see if it should allo the packet to go inside the network........if valid the packet is to be forwarded to the switch and to the switch it should look as if the packet has come from router itself.......

so by transparent i mean.....the firewall should be invisible to both router and switch....both should think they are ciommunicating directly each other without knowing the data comes filtered through firewall.....

i think now it should b a lot clear

thx for ever help u are putting forward

Originally posted here by IKnowNot


I think you might be looking for something in the middle.

exactly i want something in middle between router and swtich

To be any more specific you would have to let someone know what it is you want to let through, and what you want blocked ( ie. filtered ). Will you need certian ports open for ssh, webservers, ftp servers, video conferencing, irc, games, etc ??? Which is pointed toward the router, eth0 or eth1 ??? Why do you want the firewall behind the router?

i want to allow incoming HTTP,HTTPS data(port 80,443) only, from the internet...and from the internal network outgoing i would like to allow ssh,ftp,http,https

thx for the URLS .. i am already reading these and more.........

[IKnowNot]

no, you still did not make it much clearer .... but I think what you might be looking for is,

Ethernet Bridge + netfilter Howto

Read that after you've read the others, I think you'll be well on your way..