Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:firewall:fw3_configurations:bridge [2023/09/17 15:47] – [Command-line instructions] vgaeteradocs:guide-user:firewall:fw3_configurations:bridge [2023/10/14 05:41] – use service invocation vgaetera
Line 8: Line 8:
  
 ===== Goals ===== ===== Goals =====
-  * Filter and intercept transit traffic between bridged interfaces.+  * Filter and intercept transit traffic on bridged interfaces.
  
 ===== Command-line instructions ===== ===== Command-line instructions =====
 +Assuming a setup with bridged LAN and WAN interfaces.
 Install the required packages. Install the required packages.
-Enable bridge firewall intercepting DNS queries.+Enable bridge firewall intercepting DNS queries and filtering transit traffic from ''eth0'' to ''eth1''.
  
 <code bash> <code bash>
Line 25: Line 26:
 network_find_wan NET_IF network_find_wan NET_IF
 network_get_device NET_DEV "${NET_IF}" network_get_device NET_DEV "${NET_IF}"
-NET_MAC="$(ip link show dev "${NET_DEV}" +NET_MAC="$(ubus -S call network.device status \ 
-awk -e '/\slink\/ether\s/{print $2}')"+"{'name':'${NET_DEV}'}" | jsonfilter -e "$['macaddr']")"
 nft add table bridge filter nft add table bridge filter
 nft flush table bridge filter nft flush table bridge filter
 +nft add chain bridge filter prerouting \
 +{ type filter hook prerouting priority dstnat\; }
 +nft add rule bridge filter prerouting meta \
 +l4proto { tcp, udp } th dport 53 pkttype set host \
 +ether daddr set "${NET_MAC}" comment "Intercept-DNS"
 nft add chain bridge filter forward \ nft add chain bridge filter forward \
-{ type filter hook prerouting priority 0\; } +{ type filter hook forward priority filter\; } 
-nft add rule bridge filter forward tcp dport 53 \ +nft add rule bridge filter forward iifname "eth0" \ 
-meta pkttype set host ether daddr set "${NET_MAC}" +oifname "eth1" drop comment "Deny-eth0-eth1"
-nft add rule bridge filter forward udp dport 53 +
-meta pkttype set host ether daddr set "${NET_MAC}"+
 EOF EOF
 uci -q delete firewall.bridge uci -q delete firewall.bridge
Line 40: Line 44:
 uci set firewall.bridge.path="/etc/nftables.d/bridge.sh" uci set firewall.bridge.path="/etc/nftables.d/bridge.sh"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
 +
 +Set up [[docs:guide-user:firewall:fw3_configurations:intercept_dns|DNS hijacking]] and [[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]].
  
 ===== Testing ===== ===== Testing =====
-Use [[man>ping(8)|ping]], [[man>ping6(8)|ping6]] or [[man>nmap(1)|nmap]] between LAN clients to verify your firewall configuration.+Use [[man>nslookup(1)|nslookup]], [[man>ping(1)|ping]][[man>ping6(1)|ping6]] on LAN clients to verify the firewall configuration.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
Line 51: Line 57:
 <code bash> <code bash>
 # Log and status # Log and status
-/etc/init.d/firewall restart+service firewall restart
  
 # Runtime configuration # Runtime configuration
 lsmod | grep -e bridge lsmod | grep -e bridge
-nft list table bridge filter+nft list ruleset
  
 # Persistent configuration # Persistent configuration
 uci show firewall uci show firewall
 </code> </code>
 +
 +===== Extras =====
 +==== References ====
 +  * [[https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering|nftables wiki: Bridge filtering]]
 +  * [[https://netdevconf.info//1.1/proceedings/papers/Bridge-filter-with-nftables.pdf|NetDev: Bridge filtering with nftables]]
  
  • Last modified: 2024/11/01 16:42
  • by vgaetera