Linux Transparent Bridge + Firewall

I was called in to help secure a network in pinch. This called for some quick action, with very little resources. No time to purchase a firewall, or drastically redesign the network. We needed something now.

The clients network had their printers, desktops, servers, SANS, and switches all on one subnet, publicly accessible to the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute force their way into everything. Without having a complete understanding of the infrastructure, and what renumbering and redesigning the entire network might impact, I decided to implement a quick fix while a firewall was ordered and careful redesign steps could be planned for.

This quick fix was to create a transparent bridge and move all the vulnerable devices onto a private VLAN, while allowing the transparent bridge to firewall and secure all of these devices.

First, I had to reclaim an old Dell R310 server. Nobody knows the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04LTS using basic settings, and updates. After consulting with my Cisco experts, we configured two ports:

interface gi 1/0/1
switchport mode access
switchport access vlan 24

interface gi 1/0/2
switchport mode access
switchport access vlan25

On the server I setup bridge networking by installing bridge-utils

apt-get install bridge-utils

and adding these lines to /etc/network/interfaces

auto br-vlan25
iface br-vlan25 inet dhcp
bridge_ports eth0 eth1
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
up /sbin/ifconfig $IFACE up || /sbin/true

When I brought up the interfaces the bridge started forwarding Spanning Tree Protocol (STP) packets, and the switch immediately killed one of the interfaces to prevent a loop.

My solution was to install the ebtables package

sudo apt-get install ebtables

And add the following rules

ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p arp -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p arp -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p arp -j ACCEPT

And then modify /etc/default/ebtables so that all the “no” settings were “yes”, that way the rules would preserve on reboot or interface reset

I now had a functioning bridge, but no firewall, so I added these rules to iptables to only allow locally sourced traffic through

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables  -I FORWARD -s X.Y.Z.o/24 -j ACCEPT
iptables -I FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

And then installed the iptables-persistent package to save iptables rules across reboots and interface resets

apt-get install iptables-persistent

The next step was to look at all the switch ports, identify all the devices that needed to be secured, and move them to the new private vlan.

show int status

find all the vulernable device ports

conf t
int gi 1/0/X
switchport access vlan 25

Then I went to the vCenter and looked at all the guests that needed to be secured, including the esxi hosts themselves, and changed them to the new private vlan.

Now an NMAP scan from on site has access to their equipment, and an NMAP scan from offsite shows just a collection of desktops, printers, and public facing servers. No more free access to esxi hosts, equallogic storage, video cameras, environmental sensors, etc…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s