linux透明防火墙--br_netfilter

简介

透明防火墙(Transparent Firewall)又称桥接模式防火墙(Bridge Firewall)。简单来说,就是在网桥设备上加入防火墙功能。透明防火墙具有部署能力强、隐蔽性好、安全性高的优点。

br_netfilter架构

  • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.

  • All filtering, logging and NAT features of the 3 tools can therefore
    be used on bridged frames. Combined with ebtables, the bridge-nf code
    therefore makes Linux a very powerful transparent firewall.

  • This enables, f.e., the creation of a transparent masquerading
    machine (i.e. all local hosts think they are directly connected to
    the Internet).

  • Letting {ip,ip6,arp}tables see bridged traffic can be disabled or
    enabled using the appropriate proc entries, located in
    /proc/sys/net/bridge/:

     bridge-nf-call-arptables
     bridge-nf-call-iptables
     bridge-nf-call-ip6tables
    
  • Also, letting the aforementioned firewall tools see bridged 802.1Q
    VLAN and PPPoE encapsulated packets can be disabled or enabled with a
    proc entry in the same directory:

     bridge-nf-filter-vlan-tagged
     bridge-nf-filter-pppoe-tagged
     These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing a '0' to the file disables it.
    

linux iptables/netfilter通过和linux bridge功能联动,以实现透明防火墙功能。
具体地,网桥层(PF_BRIDGE)的netfilter钩子会转而调用IP层的Netfilter钩子,使iptables规则能够作用于桥接报文。
在linux2.6内核中,这一行为由/proc/sys/net/bridge/bridge-nf-call-iptables控制:写入1启用;若该值为0,桥接转发的IP报文不会经过iptables,此时iptables规则对这部分流量不生效。
下图展示了透明防火墙下,netfilter的报文传送流程:

br_netfilter代码流程

br_netfilter_init注册了一些HOOK

/* Excerpt from br_netfilter_init(): registers every entry of br_nf_ops in a
 * single call. The result is stored in `ret`; the error handling that follows
 * it is not shown on this page. */
ret = nf_register_hooks(br_nf_ops, ARRAY_SIZE(br_nf_ops));
/*
 * Netfilter hooks installed by br_netfilter.
 *
 * The first five entries attach to the bridge family (PF_BRIDGE). The last
 * two attach ip_sabotage_in to the IPv4 and IPv6 PRE_ROUTING points at the
 * "first" priority of each family.
 *
 * Netfilter runs the hooks of one hook point in ascending priority order, so
 * on NF_BR_FORWARD the IP handler (NF_BR_PRI_BRNF - 1) is ordered ahead of
 * the ARP handler (NF_BR_PRI_BRNF).
 */
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
	{	/* bridge PRE_ROUTING */
		.pf = PF_BRIDGE,
		.hooknum = NF_BR_PRE_ROUTING,
		.priority = NF_BR_PRI_BRNF,
		.hook = br_nf_pre_routing,
		.owner = THIS_MODULE,
	},
	{	/* bridge LOCAL_IN */
		.pf = PF_BRIDGE,
		.hooknum = NF_BR_LOCAL_IN,
		.priority = NF_BR_PRI_BRNF,
		.hook = br_nf_local_in,
		.owner = THIS_MODULE,
	},
	{	/* bridge FORWARD, IPv4/IPv6: passes frames to NF_INET_FORWARD */
		.pf = PF_BRIDGE,
		.hooknum = NF_BR_FORWARD,
		.priority = NF_BR_PRI_BRNF - 1,
		.hook = br_nf_forward_ip,
		.owner = THIS_MODULE,
	},
	{	/* bridge FORWARD, ARP */
		.pf = PF_BRIDGE,
		.hooknum = NF_BR_FORWARD,
		.priority = NF_BR_PRI_BRNF,
		.hook = br_nf_forward_arp,
		.owner = THIS_MODULE,
	},
	{	/* bridge POST_ROUTING, registered at the last bridge priority */
		.pf = PF_BRIDGE,
		.hooknum = NF_BR_POST_ROUTING,
		.priority = NF_BR_PRI_LAST,
		.hook = br_nf_post_routing,
		.owner = THIS_MODULE,
	},
	/*
	 * NOTE(review): ip_sabotage_in is not shown on this page. In mainline
	 * it keeps the IP PRE_ROUTING chain from being traversed a second time
	 * for frames the bridge hooks already ran through it -- confirm
	 * against the tree in use.
	 */
	{	/* IPv4 PRE_ROUTING, first priority */
		.pf = PF_INET,
		.hooknum = NF_INET_PRE_ROUTING,
		.priority = NF_IP_PRI_FIRST,
		.hook = ip_sabotage_in,
		.owner = THIS_MODULE,
	},
	{	/* IPv6 PRE_ROUTING, first priority */
		.pf = PF_INET6,
		.hooknum = NF_INET_PRE_ROUTING,
		.priority = NF_IP6_PRI_FIRST,
		.hook = ip_sabotage_in,
		.owner = THIS_MODULE,
	},
};


.hook = br_nf_forward_ip, 对应br_nf_forward_ip函数

/*
 * NF_BR_FORWARD hook for the 'purely bridged' case.
 *
 * IPv4 and IPv6 frames (plain, or carried in 802.1Q VLAN / PPPoE) are handed
 * to the IP-layer NF_INET_FORWARD hook with indev and outdev set to the
 * bridge device; the 'real' ports stay filterable through the physdev
 * module. For ARP, indev and outdev are the bridge ports.
 *
 * Returns:
 *   NF_ACCEPT - the skb has no nf_bridge state, or the frame is neither
 *               IPv4 nor IPv6. Such frames never reach NF_INET_FORWARD from
 *               this hook, so iptables/ip6tables FORWARD rules do not see
 *               them; they have to be filtered at bridge level (ebtables).
 *   NF_DROP   - nf_bridge_unshare() failed, or the output device has no
 *               bridge parent.
 *   NF_STOLEN - the frame was passed to NF_HOOK, which continues in
 *               br_nf_forward_finish.
 *
 * The hook and okfn arguments are not used in this body.
 */
static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
				     const struct net_device *in,
				     const struct net_device *out,
				     int (*okfn)(struct sk_buff *))
{
	struct nf_bridge_info *brinfo;
	struct net_device *out_bridge;
	u_int8_t family;

	if (LDSEC_DBG_BRIDGE_ON)
		LDSEC_PRINT_FUNC("br_nf_forward_ip");

	/* NOTE(review): presumably nf_bridge is attached by an earlier bridge
	 * hook (not shown here); without it the frame is passed through. */
	if (!skb->nf_bridge)
		return NF_ACCEPT;

	/* A private nf_bridge_info is needed because the same frame may go
	 * out through several different physoutdevs. */
	if (!nf_bridge_unshare(skb))
		return NF_DROP;

	out_bridge = bridge_parent(out);
	if (!out_bridge)
		return NF_DROP;

	/* Pick the IP family, looking through VLAN and PPPoE encapsulation. */
	if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
	    IS_PPPOE_IP(skb)) {
		family = PF_INET;
	} else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
		   IS_PPPOE_IPV6(skb)) {
		family = PF_INET6;
	} else {
		return NF_ACCEPT;
	}

	nf_bridge_pull_encap_header(skb);

	brinfo = skb->nf_bridge;

	/* The physdev module checks on BRNF_BRIDGED */
	brinfo->mask |= BRNF_BRIDGED;
	brinfo->physoutdev = skb->dev;

	/* Present the frame to the IP hooks as addressed to this host and
	 * record in the mask that pkt_type was rewritten. */
	if (skb->pkt_type == PACKET_OTHERHOST) {
		skb->pkt_type = PACKET_HOST;
		brinfo->mask |= BRNF_PKT_TYPE;
	}

	/* The IP hooks see the inner protocol, not the VLAN/PPPoE ethertype. */
	skb->protocol = (family == PF_INET) ? htons(ETH_P_IP)
					    : htons(ETH_P_IPV6);

	NF_HOOK(family, NF_INET_FORWARD, skb, bridge_parent(in), out_bridge,
		br_nf_forward_finish);

	return NF_STOLEN;
}

br_nf_forward_ip最终调用ip层的NF_INET_FORWARD钩子,因此iptables的FORWARD链规则会作用于被网桥转发的IP报文:

	/* Excerpt from br_nf_forward_ip(): run the IP-layer FORWARD hook of the
	 * selected family (pf) with the bridge devices as in/out device;
	 * br_nf_forward_finish is passed as the continuation (okfn). */
	NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
		br_nf_forward_finish);

参考:
http://blog.csdn.net/dog250/article/details/7314927
http://ebtables.netfilter.org/documentation/bridge-nf.html
http://ebtables.netfilter.org/misc/brnf-faq.html
http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
https://www.linuxjournal.com/article/8172
