Introduction

A transparent firewall, also called a bridge firewall, is, put simply, a bridge device with firewall functionality added to it. Because it has no routed hop of its own, a transparent firewall is easy to deploy, hard to notice on the network, and offers a high level of security.

br_netfilter architecture

  • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.

  • All filtering, logging and NAT features of the 3 tools can therefore
    be used on bridged frames. Combined with ebtables, the bridge-nf code
    therefore makes Linux a very powerful transparent firewall.

  • This enables, f.e., the creation of a transparent masquerading
    machine (i.e. all local hosts think they are directly connected to
    the Internet).

  • Letting {ip,ip6,arp}tables see bridged traffic can be disabled or
    enabled using the appropriate proc entries, located in
    /proc/sys/net/bridge/:

      bridge-nf-call-arptables
      bridge-nf-call-iptables
      bridge-nf-call-ip6tables

  • Also, letting the aforementioned firewall tools see bridged 802.1Q
    VLAN and PPPoE encapsulated packets can be disabled or enabled with a
    proc entry in the same directory:

      bridge-nf-filter-vlan-tagged
      bridge-nf-filter-pppoe-tagged

  • These proc entries are just regular files. Writing '1' to the file
    (echo 1 > file) enables the specific functionality, while writing a
    '0' to the file disables it.
    

Linux iptables/netfilter cooperates with the Linux bridge code to implement the transparent firewall.
Specifically, netfilter's processing in the bridge layer reuses the IP-layer netfilter hooks.
On a Linux 2.6 kernel this is turned on through /proc/sys/net/bridge/bridge-nf-call-iptables.
The figure below shows the packet flow through netfilter in a transparent firewall:

br_netfilter code flow

br_netfilter_init registers a set of hooks:

ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));

static struct nf_hook_ops br_nf_ops[] __read_mostly = {
    {
        .hook = br_nf_pre_routing,
        .owner = THIS_MODULE,
        .pf = PF_BRIDGE,
        .hooknum = NF_BR_PRE_ROUTING,
        .priority = NF_BR_PRI_BRNF,
    },
    {
        .hook = br_nf_local_in,
        .owner = THIS_MODULE,
        .pf = PF_BRIDGE,
        .hooknum = NF_BR_LOCAL_IN,
        .priority = NF_BR_PRI_BRNF,
    },
    {
        .hook = br_nf_forward_ip,
        .owner = THIS_MODULE,
        .pf = PF_BRIDGE,
        .hooknum = NF_BR_FORWARD,
        .priority = NF_BR_PRI_BRNF - 1,
    },
    {
        .hook = br_nf_forward_arp,
        .owner = THIS_MODULE,
        .pf = PF_BRIDGE,
        .hooknum = NF_BR_FORWARD,
        .priority = NF_BR_PRI_BRNF,
    },
    {
        .hook = br_nf_post_routing,
        .owner = THIS_MODULE,
        .pf = PF_BRIDGE,
        .hooknum = NF_BR_POST_ROUTING,
        .priority = NF_BR_PRI_LAST,
    },
    {
        .hook = ip_sabotage_in,
        .owner = THIS_MODULE,
        .pf = PF_INET,
        .hooknum = NF_INET_PRE_ROUTING,
        .priority = NF_IP_PRI_FIRST,
    },
    {
        .hook = ip_sabotage_in,
        .owner = THIS_MODULE,
        .pf = PF_INET6,
        .hooknum = NF_INET_PRE_ROUTING,
        .priority = NF_IP6_PRI_FIRST,
    },
};

The entry .hook = br_nf_forward_ip refers to the br_nf_forward_ip function:

/* This is the 'purely bridged' case.  For IP, we pass the packet to
 * netfilter with indev and outdev set to the bridge device,
 * but we are still able to filter on the 'real' indev/outdev
 * because of the physdev module. For ARP, indev and outdev are the
 * bridge ports. */
static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
                                     const struct net_device *in,
                                     const struct net_device *out,
                                     int (*okfn)(struct sk_buff *))
{
    struct nf_bridge_info *nf_bridge;
    struct net_device *parent;
    u_int8_t pf;

    if (LDSEC_DBG_BRIDGE_ON)
        LDSEC_PRINT_FUNC("br_nf_forward_ip");

    if (!skb->nf_bridge)
        return NF_ACCEPT;

    /* Need exclusive nf_bridge_info since we might have multiple
     * different physoutdevs. */
    if (!nf_bridge_unshare(skb))
        return NF_DROP;

    parent = bridge_parent(out);
    if (!parent)
        return NF_DROP;

    if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
        IS_PPPOE_IP(skb))
        pf = PF_INET;
    else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
             IS_PPPOE_IPV6(skb))
        pf = PF_INET6;
    else
        return NF_ACCEPT;

    nf_bridge_pull_encap_header(skb);

    nf_bridge = skb->nf_bridge;
    if (skb->pkt_type == PACKET_OTHERHOST) {
        skb->pkt_type = PACKET_HOST;
        nf_bridge->mask |= BRNF_PKT_TYPE;
    }

    /* The physdev module checks on this */
    nf_bridge->mask |= BRNF_BRIDGED;
    nf_bridge->physoutdev = skb->dev;
    if (pf == PF_INET)
        skb->protocol = htons(ETH_P_IP);
    else
        skb->protocol = htons(ETH_P_IPV6);

    NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
            br_nf_forward_finish);

    return NF_STOLEN;
}

br_nf_forward_ip ultimately invokes the IP-layer NF_INET_FORWARD hook, so ordinary iptables FORWARD rules (and the physdev match) apply to the bridged packet:

NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
        br_nf_forward_finish);
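As an added example (not code from the page or from the kernel), the userspace C model below reproduces the decision that the proc toggles listed earlier and the protocol test in br_nf_forward_ip make together for one bridged frame: whether the frame is handed to the IPv4 or IPv6 FORWARD chain, and where its IP header starts once the 802.1Q or PPPoE encapsulation has been pulled. The struct brnf_sysctl, the brnf_classify function and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Ethertype and PPP protocol numbers, same values as the kernel headers. */
#define ETH_P_IP      0x0800
#define ETH_P_IPV6    0x86DD
#define ETH_P_8021Q   0x8100
#define ETH_P_PPP_SES 0x8864
#define PPP_IP        0x0021
#define PPP_IPV6      0x0057

enum brnf_family { BRNF_NONE = 0, BRNF_INET = 2, BRNF_INET6 = 10 };

/* Hypothetical userspace stand-in for the /proc/sys/net/bridge/ toggles. */
struct brnf_sysctl {
    int call_iptables;       /* bridge-nf-call-iptables */
    int call_ip6tables;      /* bridge-nf-call-ip6tables */
    int filter_vlan_tagged;  /* bridge-nf-filter-vlan-tagged */
    int filter_pppoe_tagged; /* bridge-nf-filter-pppoe-tagged */
};
static unsigned be16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Model of the protocol test in br_nf_forward_ip plus nf_bridge_pull_encap_header:
 * returns the family whose FORWARD chain would see the frame (BRNF_NONE means the
 * frame is bridged untouched, the NF_ACCEPT path) and the offset of its IP header. */
enum brnf_family brnf_classify(const uint8_t *f, size_t len,
                               const struct brnf_sysctl *s, size_t *ip_off)
{
    if (len < 14) return BRNF_NONE;                 /* no complete Ethernet header */
    unsigned proto = be16(f + 12);
    size_t off = 14;
    if (proto == ETH_P_8021Q) {                     /* IS_VLAN_IP / IS_VLAN_IPV6 */
        if (!s->filter_vlan_tagged || len < 18) return BRNF_NONE;
        proto = be16(f + 16);                       /* ethertype after the 4-byte tag */
        off = 18;
    } else if (proto == ETH_P_PPP_SES) {            /* IS_PPPOE_IP / IS_PPPOE_IPV6 */
        if (!s->filter_pppoe_tagged || len < 22) return BRNF_NONE;
        unsigned ppp = be16(f + 20);                /* PPP protocol after 6-byte PPPoE header */
        proto = ppp == PPP_IP ? ETH_P_IP : ppp == PPP_IPV6 ? ETH_P_IPV6 : 0;
        off = 22;
    }
    if (proto == ETH_P_IP && s->call_iptables)    { *ip_off = off; return BRNF_INET; }
    if (proto == ETH_P_IPV6 && s->call_ip6tables) { *ip_off = off; return BRNF_INET6; }
    return BRNF_NONE;
}

/* Constructed sample frames: 12 bytes of MACs, ethertype, optional encapsulation, first IP byte. */
static const uint8_t frame_plain_ip[]  = { [12] = 0x08, 0x00, 0x45 };
static const uint8_t frame_vlan_ip[]   = { [12] = 0x81, 0x00, 0x00, 0x0a, 0x08, 0x00, 0x45 };
static const uint8_t frame_pppoe_ip6[] = { [12] = 0x88, 0x64, 0x11, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x57, 0x60 };
```

With bridge-nf-filter-vlan-tagged cleared, the VLAN-tagged frame is bridged without ever reaching iptables, which is the behaviour to check for when rules unexpectedly fail to match tagged traffic.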

References:
http://blog.csdn.net/dog250/article/details/7314927
http://ebtables.netfilter.org/documentation/bridge-nf.html
http://ebtables.netfilter.org/misc/brnf-faq.html
http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
https://www.linuxjournal.com/article/8172
