Security - Training
When all of the software is loaded and you are logged in as root you can set up the bridge. The command brctl is the basic bridge command that sets up the software. First create the bridge (brctl addbr br0), then add the two network cards to the bridge (brctl addif br0 eth0; brctl addif br0 eth1), then add the network configuration to the bridge (ifconfig br0 192.168.7.119 netmask 255.255.255.0 up), add the default gateway (route add default gw 192.168.7.2 dev br0), set both NICs in promiscuous mode (ifconfig eth0 0.0.0.0 promisc up; ifconfig eth1 0.0.0.0 promisc up) and turn off the Spanning Tree Protocol (brctl stp br0 off).

Be sure to forward traffic, then run the bridge commands in order:

    echo "1" > /proc/sys/net/ipv4/ip_forward
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 eth1
    ifconfig br0 192.168.7.119 netmask 255.255.255.0 up
    route add default gw 192.168.7.2 dev br0
    ifconfig eth0 0.0.0.0 promisc up
    ifconfig eth1 0.0.0.0 promisc up
    brctl stp br0 off

If you have one router, you do not need to worry about the Spanning Tree Protocol, whose job is to avoid loops. When there are multiple connections between switches, loops can occur on the network. A loop is when a frame goes around and around on the network, decreasing your bandwidth. To stop network loops the Spanning Tree Protocol (STP) is used. STP ensures that only one path exists between any pair of LAN segments. It was developed to prevent loops in the network, which can happen when there is more than one route to a destination. Bridges by default are not capable of handling more than one route to a destination address. When STP runs on a bridge, each port is placed into either a forwarding state or a blocking state. Ports in the forwarding state are considered part of the spanning tree while those in the blocking state are not.

This example shows the bridge br0 set up with two network cards. The bridge has an IP address but the cards only have MAC addresses listed.
    br0       Link encap:Ethernet  HWaddr 00:30:48:43:3F:1E
              inet addr:192.168.7.119  Bcast:192.168.7.255  Mask:255.255.255.0
              inet6 addr: fe80::230:48ff:fe43:3f1e/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:260 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:22388 (21.8 KiB)  TX bytes:378 (378.0 b)

    eth0      Link encap:Ethernet  HWaddr 00:30:48:43:3F:1E
              inet6 addr: fe80::230:48ff:fe43:3f1e/64 Scope:Link
              UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
              Base address:0xa000 Memory:ec000000-ec020000

    eth1      Link encap:Ethernet  HWaddr 00:30:48:43:3F:1F
              inet6 addr: fe80::230:48ff:fe43:3f1f/64 Scope:Link
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:15595 errors:0 dropped:0 overruns:0 frame:0
              TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1849948 (1.7 MiB)  TX bytes:1038 (1.0 KiB)
              Base address:0xa400 Memory:ec020000-ec040000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1527 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1527 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1739024 (1.6 MiB)  TX bytes:1739024 (1.6 MiB)

Ebtables Script

You will want to run a script when the server starts so that it will set up your bridge. This script does not do any filtering of MAC addresses but depends on the iptables firewall for control.
################################################
#!/bin/bash
# Ebtables transparent firewall script

# Build the bridge from the two NICs and give it the management address
/usr/sbin/brctl addbr br0
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
/sbin/ifconfig br0 192.168.7.119 netmask 255.255.255.0 up
/usr/sbin/brctl stp br0 off
/sbin/route add default gw 192.168.7.2 dev br0

# The bridge members carry no IP of their own and run in promiscuous mode
/sbin/ifconfig eth0 0.0.0.0 promisc up
/sbin/ifconfig eth1 0.0.0.0 promisc up
echo "1" > /proc/sys/net/ipv4/ip_forward

# DEFAULT POLICY: drop anything no rule accepts
ebtables -P INPUT DROP
ebtables -P OUTPUT DROP
ebtables -P FORWARD DROP

# FLUSH TABLES
ebtables -F FORWARD

# Forward ARP and IPv4 traffic; IP-level filtering is left to iptables
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT

# Anything else reaching this rule is logged, then hits the DROP policy
ebtables -A FORWARD --log-level info --log-ip --log-prefix EBFW
###############################################

One issue that you need to solve is to run startup scripts so that you do not have to run rc.ebtables and rc.firewall by hand. Make sure you have these scripts written correctly and then edit the /etc/rc.local file. This file runs after all of the initialization scripts have run, so you can safely call your two scripts from it. Look at the example below: the scripts are entered with their full paths, one per line.

################################################
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
sh /etc/rc.ebtables
sh /etc/rc.firewall
################################################

Save the file, then restart your server. Once it has restarted, go to the command line and type:

    brctl show

You should see that you have an active bridge.

Test The Setup

In order to test the setup, use the showmacs command to see if the bridge is beginning to collect MAC addresses.
In the example, the two local addresses are the MAC addresses of the bridge, and you can see that it is collecting several other addresses that are not local. This tells you that the bridge is connected and passing packets.

    brctl showmacs br0
    port no mac addr           is local?  ageing timer
      2     00:03:76:3f:49:81  no         110.14
      2     00:11:65:1c:db:8e  no          40.55
      1     00:40:33:e2:09:73  yes          0.00
      2     00:40:23:e2:09:eb  yes          0.00
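The post-restart check (brctl show, then brctl showmacs br0) can be scripted so that the same conditions are tested every boot instead of eyeballed. The script below is an added example, not code from the original post: it parses the two command outputs and reports whether the bridge is built the way the post describes (two ports, STP off) and is actually learning non-local MAC addresses. The two sample outputs are constructed to follow the column layout of brctl show and brctl showmacs; on a live box you would pass "$(brctl show)" and "$(brctl showmacs br0)" instead.

```shell
#!/bin/sh
# Added example, not code from the original post: post-boot sanity checks for
# the transparent bridge. Both sample outputs below are CONSTRUCTED to follow
# the column layout of `brctl show` and `brctl showmacs br0`; on a live box
# replace them with "$(brctl show)" and "$(brctl showmacs br0)".

SAMPLE_SHOW='bridge name	bridge id		STP enabled	interfaces
br0		8000.003048433f1e	no		eth0
							eth1'

SAMPLE_MACS='port no	mac addr		is local?	ageing timer
  2	00:03:76:3f:49:81	no		 110.14
  2	00:11:65:1c:db:8e	no		  40.55
  1	00:40:33:e2:09:73	yes		   0.00
  2	00:40:23:e2:09:eb	yes		   0.00'

# Number of interfaces attached to bridge $1 in `brctl show` output ($2).
# The first port sits on the bridge's own line; extra ports follow on
# continuation lines that contain only the interface name.
bridge_port_count() {
    printf '%s\n' "$2" | awk -v br="$1" '
        NR == 1            { next }                 # header line
        $1 == br           { inbr = 1; if (NF >= 4) n++; next }
        inbr && NF == 1    { n++; next }            # continuation line
                           { inbr = 0 }
        END                { print n + 0 }'
}

# The "STP enabled" column ("yes"/"no") for bridge $1 in `brctl show` output ($2).
bridge_stp_state() {
    printf '%s\n' "$2" | awk -v br="$1" 'NR > 1 && $1 == br { print $3 }'
}

# Count entries in `brctl showmacs` output ($1) whose "is local?" column is $2.
mac_count() {
    printf '%s\n' "$1" | awk -v want="$2" 'NR > 1 && $3 == want { n++ } END { print n + 0 }'
}

# Return 0 when bridge $1 looks healthy given `brctl show` output $2 and
# `brctl showmacs` output $3: two ports attached, STP off as the post
# instructs, one local MAC per port, and at least one learned (non-local)
# MAC, which is the sign that frames are actually crossing the bridge.
check_bridge() {
    ports=$(bridge_port_count "$1" "$2")
    stp=$(bridge_stp_state "$1" "$2")
    local_macs=$(mac_count "$3" yes)
    learned=$(mac_count "$3" no)

    [ "$ports" -eq 2 ]   || { echo "$1: expected 2 ports, found $ports"; return 1; }
    [ "$stp" = "no" ]    || { echo "$1: STP is enabled, expected off"; return 1; }
    [ "$local_macs" -eq "$ports" ] || { echo "$1: $local_macs local MACs for $ports ports"; return 1; }
    [ "$learned" -gt 0 ] || { echo "$1: no learned MACs yet, bridge may not be passing frames"; return 1; }
    echo "$1 ok: $ports ports, STP off, $learned learned MAC(s)"
}

check_bridge br0 "$SAMPLE_SHOW" "$SAMPLE_MACS"
```

Run it from the console rather than over the network: with the INPUT and OUTPUT policies set to DROP in the ebtables script above, frames addressed to or sent by the bridge host itself on 192.168.7.119 are dropped at the bridge layer, so only forwarded traffic crosses the box.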
Tuesday, January 13, 2015
Basic Setting Bridge mode
Set Up the Bridge