This post originated from an RSS feed registered with Java Buzz
by Alan Williamson.
Original Post: Linux Bridge/Firewall with Proxy ARP
Feed Title: Technical @ alan.blog-city.com
Feed URL: http://www.ibm.com/us/en/
Feed Description: (Technical) the rants of a java developer trapped in the body of a java developer!
I have just finished the long task of reinstalling and updating our Linux firewall. We have a relatively modest PC with two network cards: one connected to the ADSL router and the other to the internal network. Our previous setup was Red Hat 6 using ipchains as the technology to route packets between the two cards. The original installation wasn't without its problems: bridging two cards and recompiling the kernel with all the necessary flags.
However, I wanted to move to iptables, which brings a much tighter firewall setup and can also track connection state, allowing you to spot and stop Denial-of-Service attacks. At first I was hoping to employ the services of IPCop, which is a Linux distribution built specifically for firewalls and Internet access. It's a perfect setup for home users with minimal fuss; I use it myself at home with no problems. IPCop is effectively a web front end to iptables and all the administration that goes with it; no black magic, just a series of iptables commands.
The problem with this solution is that it assumes your local network is behind NAT. Routing between two networks (or two network cards) is quite easy and works straight out of the box on most distributions. However, in our case we aren't routing between two networks; it's one network.
We own part of a Class C network address and host a variety of servers here in our offices. The firewall should sit transparently between the Internet and our local network. In this setup you aren't routing packets, but bridging them. This is a big difference, and while it doesn't affect the majority of the iptables rules, it does affect how you set up your kernel routing table.
The key to the system is enabling the Linux kernel feature called Proxy ARP. The 'how-to' documents I found on this explained that you had to recompile your kernel to enable it. The good news is that Red Hat 9 has it enabled by default, which speeds things up dramatically.
Let's put some details here. Assume your eth0 is connected to your Internet router and eth1 to the internal network. You set up both interfaces with exactly the same information: IP address, netmask and gateway. Seems a little strange, but think about what you are trying to do. You are manually creating a moat around your local network and a drawbridge between the two sides. You don't want either side to know you exist. Proxy ARP makes this bridging possible: the firewall answers ARP requests from either side of the moat on behalf of the hosts on the other side. You enable this using:
Notice we are also enabling IP forwarding, which tells the kernel to route packets from one card to the other. This allows us to install the firewall and use iptables to filter the packets traversing from one card to the other.
Next you have to reset some of the details of your kernel routing table. If you run 'ip route' you will see the current setup. Chances are the default gateway is set up on the wrong interface. You can correct this by first removing it and then resetting it (where $GATEWAY is the IP address of your gateway, aka your Internet router, and $NETWORK is the network address):
route del default gw $GATEWAY        # drop the default route (probably on the wrong card)
ip route del $NETWORK dev eth0       # remove the connected route for our block on the router side
ip route del $NETWORK dev eth1       # ... and on the LAN side
ip route add $GATEWAY dev eth0       # host route: the router is reached only via eth0
ip route add $NETWORK dev eth1       # the rest of our block lives behind eth1
route add default gw $GATEWAY eth0   # default route out through the router on eth0
This now sets up your routing table properly. All your machines inside your network should still have their gateway set to $GATEWAY and should be able to ping both it and the outside world.
Setting up iptables from here on is as all the other resources on the net explain. You have three basic chains: INPUT, OUTPUT and FORWARD. INPUT is for traffic coming to the firewall machine itself, OUTPUT is for packets leaving the firewall machine, and FORWARD is for packets that merely pass through it on their way out to the Internet or in from it. It is this chain that the majority of your iptables rules apply to.
The machine has now been installed and is working beautifully. I have also installed the web proxy Squid, which acts as a transparent web proxy for all the clients internally. This has the benefit of speeding up web access and allowing all our traffic to originate from one IP address. The transparent aspect allows us to do this without changing any of the client browsers. The less you have to touch the clients the better!
For more information check out http://www.sjdjweis.com/linux/proxyarp/, which is a good resource to start with and on which my installation was largely based.
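The whole procedure above (Proxy ARP and forwarding on both cards, the corrected routing table, and a stateful FORWARD chain) as one script, added here as an example and not taken from the original post. The interface names eth0/eth1 follow the text; the gateway address, network prefix and any inbound server ports are placeholders passed in by the caller.

```shell
#!/bin/sh
# Added example: emit (or apply) the Proxy ARP bridge-firewall setup described above.
# Arguments: EXT INT GATEWAY NETWORK/PREFIX [INBOUND_TCP_PORTS]
# Example values (placeholders, not from the post): eth0 eth1 203.0.113.1 203.0.113.0/24 "80 443"

proxyarp_commands() {
    ext=$1; int=$2; gw=$3; net=$4; ports=${5-}
    # 1. Proxy ARP on both cards so the firewall answers ARP for hosts on the
    #    far side, plus IP forwarding so the kernel passes packets between them.
    echo "sysctl -w net.ipv4.conf.$ext.proxy_arp=1"
    echo "sysctl -w net.ipv4.conf.$int.proxy_arp=1"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Routing: the router is reachable only via the external card; the rest
    #    of our block lives behind the internal card.
    echo "ip route del default"
    echo "ip route del $net dev $ext"
    echo "ip route del $net dev $int"
    echo "ip route add $gw dev $ext"
    echo "ip route add $net dev $int"
    echo "ip route add default via $gw dev $ext"
    # 3. Stateful FORWARD chain: drop by default, let packets of already tracked
    #    flows through in both directions, allow new flows from the LAN outwards,
    #    and open only the listed TCP ports for new inbound connections to our servers.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $int -o $ext -m state --state NEW -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -i $ext -o $int -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Run the generated commands as root. Plain sh (not -e) on purpose: deleting a
# route that was not there prints an error but must not stop the remaining steps.
proxyarp_apply() {
    proxyarp_commands "$@" | sh -x
}

# Stand-alone use: "./script.sh show ARGS" prints the commands, "./script.sh apply ARGS" runs them.
case "${1-}" in
    show)  shift; proxyarp_commands "$@" ;;
    apply) shift; proxyarp_apply "$@" ;;
esac
```

Review the output of `show` against your own addresses before running `apply`; the route deletions in step 2 will briefly interrupt forwarding, so do this from the console rather than over the network.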