Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm a student at the University of Illinois, and the place that I live was recently hit really hard by the variety of Windows worms that propagated here and elsewhere. I thought about this for a while and realized that a decent firewall should have stopped this, except, OOPS, the ISP was never contracted to perform any connection monitoring / filtering, and it was a "detail" of the network installation that was simply overlooked. (I went downstairs to find a piece of cat5e plugged straight from the demarc to the switches...the horror)
Anyway I've been with the community for a few years now, and I have decided that I should make it my project to learn the essentials of Linux system administration.
I scraped up some spare hardware we had and managed to put together a 433MHz Celeron box w/80MB of RAM. I threw a stage1 gentoo install onto it, and a few days later, had a working system.
I then proceeded to implement a bridge, because that would be the most transparent option in terms of the ISP and the reconfiguration overhead. This was supposed to be a packet-filtering bridge. I then learned that a kernel patch was needed to make the bridge code support iptables filtering, so I got the patch - but this required a downgrade from kernel 2.4.22 to 2.4.19.
As yet, I haven't been able to find a patch that will make the latest stable kernel able to perform bridge packet filtering. I want to run the latest kernel because that's the one gentoo comes with, and having gentoo's emerge functionality to keep track of all the necessary updates, let me tell you, is a beautiful thing.
So, in summary, I am wondering what kernel I should run to create the bridge/firewall setup I want to create, and how to get it. In case anybody was wondering, this machine will serve 100 clients with an aggregate bandwidth of 10Mbps (average utilization ~5%) to the provider.
Truthfully, I'm not sure I would even need to patch 2.4.19 because the only things running on the box are ssh, and the firewall - and I think that most exploits require shell access to the machine - but just in case I need to provide shell access, how can I secure this at the kernel level? Any help would be appreciated. Sorry about the length.
However, I still am wondering how I can keep the kernel patched with the mainline 2.6.0 source tree. Does anyone know if the author of ebtables intends to keep the patch functional with the newer kernels, or if ebtables is slated for integration with the main kernel sources anytime soon?
Might as well answer my own question since inevitably someone will find this post:
You don't need a patch in the 2.4.22 or better kernels, HOWEVER, it is necessary to disable "Fast network address translation" in the kernel configuration - this option tells the kernel to short-circuit certain types of packets past the iptables framework. This reduces the latency, but kills all filtering/inspection of packets that take this "fast track", including all bridge traffic.
Another interesting tool I was able to find was "ebtables" - sort of like iptables, but it works more on layer 2 protocols - such as ip, ipx, etc...do check it out if you need this sort of filtering.
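As an added example that is not from the thread, a shell check that reads a kernel .config and applies the rule given above: bridge support present, "fast network address translation" off, bridge netfilter hooks on. CONFIG_IP_ROUTE_NAT is the 2.4 symbol for "IP: fast network address translation"; CONFIG_BRIDGE_NETFILTER is the 2.6 name for the bridge netfilter hooks and is assumed here to apply to patched 2.4 trees as well; the two sample configs are constructed.

```shell
#!/bin/sh
# Added example: verify that a kernel .config will let iptables see bridged
# traffic. Symbols: CONFIG_BRIDGE (802.1d bridging), CONFIG_IP_ROUTE_NAT
# (2.4 "fast NAT", which bypasses the netfilter hooks), CONFIG_BRIDGE_NETFILTER
# (2.6 name for bridge netfilter hooks; assumed for patched 2.4 trees).

# kconfig_state FILE SYMBOL -> prints y, m or n
# "# SYMBOL is not set" and an absent symbol both count as n.
kconfig_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    else echo n
    fi
}

# bridge_filter_verdict FILE -> prints "ok" or the first blocking reason;
# returns 0 only when bridged packets will traverse iptables.
bridge_filter_verdict() {
    cfg=$1
    bridge=$(kconfig_state "$cfg" CONFIG_BRIDGE)
    fastnat=$(kconfig_state "$cfg" CONFIG_IP_ROUTE_NAT)
    brnf=$(kconfig_state "$cfg" CONFIG_BRIDGE_NETFILTER)
    if [ "$bridge" = n ]; then echo "no bridge support"; return 1; fi
    if [ "$fastnat" = y ]; then echo "fast NAT short-circuits iptables"; return 1; fi
    if [ "$brnf" = n ]; then echo "bridge netfilter hooks disabled"; return 1; fi
    echo ok
}

# Constructed sample configs: BAD has fast NAT enabled, GOOD has it disabled.
BAD=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BAD" "$GOOD"' EXIT
cat >"$BAD" <<'EOF'
CONFIG_BRIDGE=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_BRIDGE_NETFILTER=y
EOF
cat >"$GOOD" <<'EOF'
CONFIG_BRIDGE=m
# CONFIG_IP_ROUTE_NAT is not set
CONFIG_BRIDGE_NETFILTER=y
EOF

bridge_filter_verdict "$BAD" || true   # fast NAT short-circuits iptables
bridge_filter_verdict "$GOOD"          # ok
```

Point it at a real tree with `bridge_filter_verdict /usr/src/linux/.config` after the functions are sourced.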