Create a MAC filtering bridge

A network to which any computer can connect and obtain access is a significant security risk. This document shows how to implement a Layer-2 bridge that denies access to machines whose MAC addresses are not registered. If the DHCP server sits on the secured side of the bridge, an unregistered machine is even prevented from acquiring an IP address.

As an OSI Layer 2 bridge, the device has no visible hop of its own and is transparent to conventional network probes and to TCP/IP traffic.

Note, however, that this approach has weaknesses. Machines configured with static IP addresses can still reach other machines on the unsecured side of the bridge, because that traffic never crosses it. The filter also keys only on the source MAC address, which anyone who learns a registered address can set on an unregistered machine; registration therefore keeps casual and accidental connections off the network rather than determined ones.

Getting Started

· Review http://ebtables.sourceforge.net/

· When installing a current version on SuSE, be aware that the configuration and startup scripts it installs will not work with the SuSE 9.x or 10.x series. The RPMs from SuSE are usually a few releases behind.

· Bridge networking is available in the kernel by default, but the userspace tool brctl (from the bridge-utils package) must be installed.

· ebtables-restore cannot read the default policy of a chain from the output of ebtables-save. For example, ebtables-save produces:

: INPUT DROP

whereas ebtables-restore expects:

-P INPUT DROP

ebtables-restore ignores the first form, so the chain silently keeps its default policy of ACCEPT.

· Do not trust ebtables-save output as input for ebtables-restore; generate the rules file yourself (see generate.sh below).


Operation

The following files, kept under the RAD_MACS directory, are used to configure a machine for network access:

~/RAD_MACS/ Base directory

~/RAD_MACS/RAD_MACS.txt Hand-edited list of registered MAC addresses, one per line, with comments

~/RAD_MACS/ebtables Rules file generated from RAD_MACS.txt by ~/RAD_MACS/generate.sh

~/RAD_MACS/deploy.sh Runs generate.sh and copies the result to /etc/sysconfig/ebtables, the file the ebtables service loads

Step One

Edit the RAD_MACS.txt file (not the generated ebtables file, which deploy.sh overwrites).

Add the 12-digit MAC address of the machine that is to have network access, as six colon-separated pairs of hex digits (for example 00:11:25:43:D5:57).

After a #, give a descriptive machine name and a description (see Notes below).

Step Two

Execute the deploy.sh script.

This runs generate.sh, which parses RAD_MACS.txt into an ebtables rules file, and copies that file to its final destination, /etc/sysconfig/ebtables.

Then reload the rules with:

/etc/init.d/ebtables restart

Step Three

To confirm that the new entry is active, execute:

ebtables -L | grep MyMAC

where MyMAC is a unique fragment of the MAC address you added, written the way ebtables displays it (leading zeros stripped and hex letters in lowercase; see Notes below).

Notes

· Use the Tab key to indent. For example:

MAC <TAB TAB>#machine name<TAB> #description

· When extracting the MAC address, the parser ignores everything after the first # on a line, so the machine name and description never reach the rules file.

· Comment lines start with #.

· ebtables displays MAC addresses with the leading zero of each octet stripped and hex letters in lowercase, so grep for that form when checking. For example:

00:01:FE:E4:d0 becomes 0:1:fe:e4:d0
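The three steps and the notes above, worked through as an added example; this is shell written for this page, not one of RAD's scripts. It takes a RAD_MACS.txt-style list constructed inline, validates each entry before it can reach a rules file, normalises it into the form ebtables -L prints (leading zero of each octet dropped, lowercase, a form ebtables also accepts as input), builds the --among-src list, and then performs the Step Three check against a constructed fragment of ebtables -L output. It also checks that the INPUT and FORWARD policies are DROP in that output, which is the check to run after any reload given the ebtables-save pitfall described under Getting Started. The sample list, the ebtables -L fragment and the host names are all constructed for the example; on a real bridge host the two checks read the output of ebtables -L on stdin in the same way.

```sh
#!/bin/sh
# Added example for this page, not one of RAD's scripts. Everything it reads
# is constructed below; on a real bridge host the two checks at the end take
# the output of `ebtables -L` on stdin instead of ebtables_l_sample.

# Constructed sample in the RAD_MACS.txt layout (CRLF line endings, tab-indented
# comments): MAC <TAB TAB>#machine name<TAB> #description. The last entry is
# deliberately one hex digit short so the rejection path is exercised.
sample_list() {
    printf '# RAD_MACS.txt sample, constructed for this example\r\n'
    printf '00:90:27:1E:DB:B8\t\t#host-a\t #lab workstation\r\n'
    printf '00:0d:60:36:19:81\t\t#host-b\t #printer\r\n'
    printf '00:00:F0:A0:B8:5A\t\t#host-c\r\n'
    printf '00:11:25:43:D5:5\t\t#host-bad\t #one hex digit short\r\n'
}

# Drop CRs, comments (first # to end of line) and whitespace; one MAC per line.
extract_macs() {
    tr -d '\r' | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d'
}

# Exit 0 when $1 is a colon-separated 6-octet MAC with two hex digits per octet.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Rewrite $1 the way ebtables -L prints it: lowercase, leading zero of each
# octet dropped (00:01:FE:E4:D0:0A -> 0:1:fe:e4:d0:a). ebtables accepts this
# form as input too, so the result can go straight into --among-src.
normalise_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed -E 's/(^|:)0([0-9a-f])/\1\2/g'
}

# Build the --among-src list from the sample. A malformed line is reported on
# stderr and makes the function return 1, instead of being pasted into a rule
# that ebtables-restore would reject at the next reboot.
build_among_list() {
    list=""
    bad=0
    for mac in $(sample_list | extract_macs); do
        if is_valid_mac "$mac"; then
            list="${list:+$list,}$(normalise_mac "$mac")"
        else
            printf 'rejected: %s\n' "$mac" >&2
            bad=1
        fi
    done
    printf '%s\n' "$list"
    return $bad
}

# Constructed fragment of `ebtables -L` output for a bridge loaded with the
# three valid sample MACs.
ebtables_l_sample() {
    printf 'Bridge table: filter\n\n'
    printf 'Bridge chain: INPUT, entries: 0, policy: DROP\n\n'
    printf 'Bridge chain: FORWARD, entries: 2, policy: DROP\n'
    printf '%s\n' '--among-src 0:90:27:1e:db:b8,0:d:60:36:19:81,0:0:f0:a0:b8:5a -j ACCEPT'
    printf '%s\n\n' '--log-level notice --log-prefix "ALIEN_INVADERS" -j CONTINUE'
    printf 'Bridge chain: OUTPUT, entries: 0, policy: ACCEPT\n'
}

# Step Three check. Reads `ebtables -L` output on stdin; exits 0 when $1
# (written as in RAD_MACS.txt) appears as a whole MAC, bounded by space or
# comma, so grepping for 00:0D:60... cannot silently miss the entry.
mac_is_live() {
    grep -Eq "(^|[ ,])$(normalise_mac "$1")([ ,]|$)"
}

# The Getting Started pitfall: ebtables-restore ignores the policy lines that
# ebtables-save writes, so confirm the live policies rather than trusting the
# file. Reads `ebtables -L` output on stdin; exits 0 only when INPUT and
# FORWARD both report policy: DROP.
policies_are_drop() {
    listing=$(cat)
    input=$(printf '%s\n' "$listing" | sed -n 's/^Bridge chain: INPUT,.*policy: //p')
    forward=$(printf '%s\n' "$listing" | sed -n 's/^Bridge chain: FORWARD,.*policy: //p')
    [ "$input" = DROP ] && [ "$forward" = DROP ]
}

# Stand-alone run: prints the list, reports the rejected line, then both checks.
build_among_list || echo 'at least one line of the list was rejected'
ebtables_l_sample | mac_is_live 00:0D:60:36:19:81 && echo 'host-b is in the live ruleset'
ebtables_l_sample | policies_are_drop && echo 'INPUT and FORWARD policies are DROP'
```

On the bridge host the last two lines become ebtables -L | mac_is_live MAC and ebtables -L | policies_are_drop; the validation in build_among_list is the piece worth folding into generate.sh, since the page's own script pastes whatever is in RAD_MACS.txt into the rule.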


Files

deploy.sh

Deploys new MAC addresses added to RAD_MACS.txt so they are used on reboot. Generates the rules file and copies it to /etc/sysconfig/ebtables. Run it as root from the RAD_MACS directory.

#!/bin/bash
# Generates the ebtables rules file from RAD_MACS.txt and deploys it to
# /etc/sysconfig/ebtables, which the ebtables init script loads at boot.
# Run as root (the copy into /etc/sysconfig needs it); stops on the first error.
set -e
cd "$(dirname "$0")"

OUTPUT_FILE=ebtables

echo ./generate.sh
./generate.sh

echo cp $OUTPUT_FILE /etc/sysconfig/$OUTPUT_FILE
cp $OUTPUT_FILE /etc/sysconfig/$OUTPUT_FILE

echo Done.
echo "Run: ebtables -F FORWARD && ebtables-restore < $OUTPUT_FILE"
echo OR
echo /etc/init.d/ebtables restart

ifcfg-eth1.txt

Reference configuration for each bridged network adapter, installed as /etc/sysconfig/network/ifcfg-eth1 (and likewise for eth2). The adapter gets no IP address of its own; the bridge device br0 carries the address.

BOOTPROTO='static'
BROADCAST=''
IPADDR='0.0.0.0'
NETMASK='255.255.255.0'
PROMISC=''
NETWORK=''
STARTMODE='auto'

ebtables

File generated by generate.sh. Put it in /etc/sysconfig/ebtables so the ebtables init script loads it at boot; ebtables-restore < ebtables loads it by hand. The --among-src list is one comma-separated line with no spaces, exactly as generate.sh writes it.

*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD --among-src 0:90:27:1E:DB:B8,0:14:A9:CB:50:FF,0:0D:60:36:19:81,0:04:0:03:C4:4C,0:11:2F:92:90:34,0:11:D8:1B:B2:68,0:B0:D0:E7:46:21,0:14:22:7A:C6:66,0:09:3D:10:03:50,0:14:22:DC:B0:F2,0:03:64:0:09:63,0:11:25:43:D5:57,0:0D:60:FB:11:0E,0:11:25:86:A7:53,0:11:25:CE:E0:15,0:03:47:74:81:1C,0:0D:60:FA:1E:0B,0:03:0D:12:EA:E8,0:0:F0:A0:B8:5A,0:0A:E4:53:81:DD,0:11:11:44:C4:29,0:12:3F:7B:96:92,0:11:11:44:CD:46,0:07:E9:7D:F9:50,0:06:29:04:7F:73,0:11:11:44:CA:B9,0:0C:F1:82:CF:44,0:11:11:45:35:5D,0:11:11:EA:85:22,0:11:11:EA:83:64,0:07:E9:46:3A:55,0:11:11:EA:85:90,0:12:3F:78:0F:BD,0:07:E9:7D:F5:F9,0:03:47:F6:73:CB,0:11:11:44:C3:50,0:13:20:02:95:9F,0:12:3F:29:DB:FA,0:0E:0C:64:CC:F8,0:09:6B:CE:3E:30,0:12:3F:24:80:88,0:12:3F:77:2F:F4,0:12:3F:78:0F:D3,0:09:6B:CE:44:18,0:12:3F:77:72:19,0:12:3F:79:B1:FA,0:12:3F:79:F7:8E,0:0C:F1:A4:DC:4E,0:12:3F:7B:85:15,0:12:3F:7B:96:5A,0:12:3F:7B:96:10,0:04:0:CC:24:DD,0:04:0:D3:94:85,0:11:25:46:98:94,0:11:25:12:F6:13, -j ACCEPT 
-A FORWARD --log-level notice --log-prefix "ALIEN_INVADERS" -j CONTINUE

generate.sh

Script that reads RAD_MACS.txt, parses out the MAC addresses and generates an ebtables rules file that can be loaded with ebtables-restore < ebtables.

#!/bin/bash
# Creates the ebtables rules file from the MAC addresses in RAD_MACS.txt.
# Remember, ebtables-save does NOT produce valid input for ebtables-restore:
# it writes chain policies as ":INPUT DROP", which ebtables-restore ignores,
# so the chains would fall back to their default policy of ACCEPT. The DROP
# policies are therefore written out explicitly here.
set -e

RAD_FILE=RAD_MACS.txt
OUTPUT_FILE=ebtables

# Prints the MACs from $RAD_FILE as a single comma-separated line with no
# trailing newline. CR line endings, comments (from the first #) and all
# whitespace are removed and blank lines dropped. Each 00 octet is shortened
# to 0 because ebtables-restore segfaults if it sees too many 00s.
function getMacs(){
    tr -d '\r' < "$RAD_FILE" \
        | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's/00/0/g' \
        | paste -sd, - \
        | tr -d '\012'
}

{
    echo '*filter'
    echo '-P INPUT DROP'
    echo '-P FORWARD DROP'
    echo '-P OUTPUT ACCEPT'
    echo -n '-A FORWARD --among-src '
    getMacs
    echo ', -j ACCEPT '
    # Newline at the end of file needed.
    echo '-A FORWARD --log-level notice --log-prefix "ALIEN_INVADERS" -j CONTINUE'
} > "$OUTPUT_FILE"

boot.local

boot.local lives at /etc/init.d/boot.local. init runs it at system startup, after the other boot-time configuration and before entering the first runlevel.

This boot.local sets up the bridge and the network cards that form it, for installations that do not use the OS's network configuration files (the ifcfg-eth1 file above).

#! /bin/sh
#
# Copyright (c) 2002 SuSE Linux AG Nuernberg, Germany.
# All rights reserved.
#
# Author: Werner Fink <werner@suse.de>, 1996.
#         Burchard Steinbild, 1996.
#
# /etc/init.d/boot.local
#
# Execute script with local commands from init on system startup.
#
# Add things here, that should happen directly after booting
# before going to the first run level.
#
# Do the Bridge Networking stuff.
#
# Put the cards that form the bridge into the state the bridge needs: no IP
# address of their own, promiscuous mode, up (the same as ifcfg-eth1 above).
/sbin/ifconfig eth1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up
#
# Create bridge device.
/sbin/brctl addbr br0
#
# Add eth1 to the bridge. Bridging is bidirectional: a frame entering on any
# member port may be forwarded out any other member port, so the ebtables
# FORWARD chain sees traffic in both directions.
/sbin/brctl addif br0 eth1
#
# Add eth2 to the bridge.
/sbin/brctl addif br0 eth2
#
# Give the bridge an IP on the network it bridges (the same IP assigned to
# this computer). Assigning the address also brings br0 up.
/sbin/ifconfig br0 192.168.10.135 up
#
# Default route via the bridge. Note: this causes eth0 or other non-bridge
# adapters that carry their own default route to misbehave; leave it out
# on such hosts.
/sbin/route add default gw 192.168.10.1
#
# End of the Bridge Networking stuff.

Note

· The bridge device requires a non-zero IP address. In the RAD internal environment it is set to 192.168.10.84 (the boot.local listing above uses 192.168.10.135; substitute the address for your environment). The reason was not established when this was written; the most likely explanation is that assigning an address with ifconfig also brings br0 up, and a bridge interface that is down forwards nothing.

Bridge Networking with MAC Filtering

Set up the network cards that form the bridge with:

· IP address 0.0.0.0

· Promiscuous mode (the kernel switches a port to promiscuous mode when it joins a bridge in any case, so setting the flag yourself is harmless)

· Use ifconfig eth1 0.0.0.0 promisc up, or alter the adapter's configuration file in /etc/sysconfig/network/

· See ifcfg-eth1.txt and boot.local above

About RAD

RAD International Ltd provides strategic consulting and product design and development services. Our services use information technology to achieve competitive advantage.

RAD has specific and recent experience in:

· Market analysis and strategy creation.

· Technology planning that understands the market’s strategic technology directions.

· Application design, implementation and management of high-performance, high-availability distributed systems.

· Enterprise application integration, including repackaging services to support SOA.

· Creation of network monitoring and management systems to support the creation of informational dashboards.


© 2007 RAD International Ltd.