docs:guide-user:firewall:fw3_configurations:bridge [2022/10/26 06:41] – fw3>fw4 vgaeteradocs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera
Line 1: Line 1:
 ====== Bridge firewall ====== ====== Bridge firewall ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 8: Line 8:
  
 ===== Goals ===== ===== Goals =====
-  * Filter traffic between bridged interfaces.+  * Filter and intercept transit traffic on bridged interfaces.
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
 +Assuming a setup with bridged LAN and WAN interfaces.
 Install the required packages. Install the required packages.
-Enable bridge firewall.+Enable bridge firewall intercepting DNS queries and filtering transit traffic from ''eth0'' to ''eth1''.
  
 <code bash> <code bash>
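Review bot: the new assumption line talks about bridged LAN and WAN interfaces, but the next line hard-codes ''eth0'' and ''eth1'' without saying which device is which, so a reader cannot tell which direction "transit traffic from ''eth0'' to ''eth1''" actually denies; state the mapping (which port is LAN-facing, which is WAN-facing) next to the assumption. The sentence "Enable bridge firewall intercepting DNS queries and filtering transit traffic" also reads as one run-on; suggest "Enable the bridge firewall, intercepting DNS queries and dropping transit traffic from ''eth0'' to ''eth1''", since the rule below uses `drop`, not a generic filter.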
Line 18: Line 19:
 opkg update opkg update
 opkg install kmod-nft-bridge opkg install kmod-nft-bridge
 +
 +# Configure firewall
 +cat << "EOF" > /etc/nftables.d/bridge.sh
 +. /lib/functions/network.sh
 +network_flush_cache
 +network_find_wan NET_IF
 +network_get_device NET_DEV "${NET_IF}"
 +NET_MAC="$(ubus -S call network.device status \
 +"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
 +nft add table bridge filter
 +nft flush table bridge filter
 +nft add chain bridge filter prerouting \
 +{ type filter hook prerouting priority dstnat\; }
 +nft add rule bridge filter prerouting meta \
 +l4proto { tcp, udp } th dport 53 pkttype set host \
 +ether daddr set "${NET_MAC}" comment "Intercept-DNS"
 +nft add chain bridge filter forward \
 +{ type filter hook forward priority filter\; }
 +nft add rule bridge filter forward iifname "eth0" \
 +oifname "eth1" drop comment "Deny-eth0-eth1"
 +EOF
 +uci -q delete firewall.bridge
 +uci set firewall.bridge="include"
 +uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
 +uci commit firewall
 +service firewall restart
 </code> </code>
 +
 +Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]].
  
 ===== Testing ===== ===== Testing =====
-Use [[man>ping(8)|ping]], [[man>ping6(8)|ping6]] or [[man>nmap(1)|nmap]] between LAN clients to verify your firewall configuration.+Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]][[man>ping6(1)|ping6]] on LAN clients to verify the firewall configuration.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
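Review bot: the prerouting rule `ether daddr set "${NET_MAC}"` has no guard for an empty `NET_MAC`; if `network_find_wan` finds nothing (for example the WAN interface is not up yet when `service firewall restart` runs the include), the script issues `ether daddr set ""`, nft rejects that rule, and DNS interception is silently skipped while the `Deny-eth0-eth1` rule still loads. Wrap the intercept rule in `if [ -n "${NET_MAC}" ]; then ... fi` (optionally with a `logger` line) so the failure is visible, or at least add the forward chain before the prerouting chain so the filtering part does not depend on the lookup. Two smaller points: `"$['macaddr']"` is taken literally by ash but parsed as old-style arithmetic by bash, so the snippet does not behave under the `<code bash>` fence it sits in; single quotes (`'$.macaddr'`) avoid that. And the comment `# Configure firewall` would be more useful as "# Bridge firewall include (run by fw4 on every restart)", since the heredoc is not a one-off command but a script re-executed at each reload.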
Line 28: Line 57:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
-iptables-save -c; ip6tables-save -c; nft list ruleset 
 lsmod | grep -e bridge lsmod | grep -e bridge
 +nft list ruleset
  
 # Persistent configuration # Persistent configuration
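Review bot: `nft list ruleset` dumps every table, including the full `inet fw4` one, which buries the two bridge rules this page is about; suggest `nft list table bridge filter` next to it (or instead of it) so the reader can check `Intercept-DNS` and `Deny-eth0-eth1` at a glance. Replacing `/etc/init.d/firewall restart` with `service firewall restart` is consistent with the command-line section, good.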
Line 39: Line 68:
  
 ===== Extras ===== ===== Extras =====
-==== Restrict forwarding ==== +==== References ==== 
-Restrict traffic forwarding between bridged interfaces. +  [[https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering|nftables wiki: Bridge filtering]] 
- +  * [[https://netdevconf.info//1.1/proceedings/papers/Bridge-filter-with-nftables.pdf|NetDev: Bridge filtering with nftables]]
-<code bash> +
-# Disable LAN to LAN forwarding +
-uci rename firewall.@zone[0]="lan" +
-uci set firewall.lan.forward="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code> +
- +
-==== Selective forwarding ==== +
-Selective traffic forwarding between bridged interfaces. +
- +
-<code bash> +
-# Install packages +
-opkg update +
-opkg install kmod-nft-netdev +
- +
-# Deny LAN1 to LAN2 forwarding +
-uci -q delete firewall.lan1_lan2 +
-uci set firewall.lan1_lan2="rule" +
-uci set firewall.lan1_lan2.name="Deny-LAN1-LAN2" +
-uci set firewall.lan1_lan2.src="lan" +
-uci set firewall.lan1_lan2.dest="lan" +
-uci set firewall.lan1_lan2.extra="-m physdev --physdev-in lan1 --physdev-out lan2" +
-uci set firewall.lan1_lan2.proto="all" +
-uci set firewall.lan1_lan2.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
-</code>+
  
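Review bot: the first entry under `==== References ====` (the nftables wiki link) is missing the `  * ` bullet marker that the second entry has, so it will render as a stray indented line rather than a list item; add the asterisk. Dropping "Selective forwarding" is right, since `-m physdev` is an iptables option that has no place in an fw4 page, but "Restrict forwarding" only used the zone-level `uci set firewall.lan.forward="REJECT"`, which fw4 still honours and which is the simpler answer for the all-LAN-to-LAN case; consider keeping that subsection or linking to the zone documentation instead of removing it.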
  • Last modified: 2024/11/01 16:42
  • by vgaetera