Protecting the Internet

Author: Lloyd Kvam, Venix Corp
Date: 2007-02-13



Needed to isolate a compromised Windows web server while allowing it to continue to function as a web server;

that is, filter out the bad packets while letting the good packets through,

and do this without changing the network configuration or the router.


  • what it does (stateful packet inspection)
  • how it is configured
  • how this provides a firewall (accept, reject, drop)
  • explicitly configured in network - (visible)
  • operates in a specific host or in a router


  • connecting networks at the LAN (ethernet) level
  • ethernet switches are bridges
  • forwards ethernet frames between segments


  • what it does (inspects ethernet frames)
  • also understands ip information in frames
  • how it is configured
  • also provides accept, drop
  • implicitly configured in network - (invisible)
  • copies frames between network segments


  • linux for routers
  • installing and configuring
  • (rules of engagement - not like normal linux configuration)

linksys wrt54gl

specifics of openwrt for inexpensive linux device


Lloyd Kvam

President, Venix Corp

Venix provides technical services

  • Software Development
  • System Administration
  • Network Planning, Administration and Configuration
  • Security Assistance


ISP notified friends who have a Windows server that it had been compromised. The server was directly attached to the Internet router provided by the ISP. Subsequent investigation showed they had been hit by a zero-day worm. The signature update was not released until almost a week after they had been hit.

The ISP was not prepared to block ports on the local router. My friends were desperate to keep their server on-line. They had no alternative computer ready to deploy. They did have a Linksys WRT54GL purchased for home use.

I volunteered to configure the WRT54GL to block all malicious traffic.

How hard could it be?

IPTables Background

Provides stateful packet inspection

Configured to accept, reject, drop packets

Organized into tables based on the packet processing stage:

raw, mangle, nat, filter

Chains of rules in each table

The firewall uses the filter table and the INPUT and FORWARD chains

Configuring iptables

iptables --list --verbose

My laptop iptables

iptables --list --verbose:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4736K  298M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
Chain OUTPUT (policy ACCEPT 9371K packets, 14G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
44603   12M ACCEPT     all  --  lo     any     anywhere             anywhere
4685K  282M ACCEPT     all  --  any    any       anywhere
    7   728 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere
   52 20225 ACCEPT     udp  --  any    any     anywhere            udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:tftp
 6158 4847K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpts:6881:iatp-normalpri flags:SYN,RST,ACK/SYN
   95 24690 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

iptables [-t table] -[AD] chain rule-specification [options]

  • -A appends a rule; -D deletes a rule (either the matching rule or by number: 1, 2, ...)
  • -P sets the policy that applies when no rule in the chain matches
  • filter is the default table; its built-in chains are INPUT, FORWARD, OUTPUT
  • firewall rules usually go in the INPUT and FORWARD chains
  • do this by specifying the firewall chain as the target in both INPUT and FORWARD


iptables-save writes the current rules to stdout


/etc/sysconfig/iptables is the default source of rules in the Fedora Core 6 distribution. I edit the file to add comments and save changes, then run service iptables restart
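The slides above describe the shape of a host firewall: one custom chain, hooked into both INPUT and FORWARD, that accepts replies to known connections and new connections to the published ports, and rejects the rest (the same structure as the RH-Firewall-1-INPUT chain in the laptop listing). The script below is an added example, not the presentation's own script; the chain name WEB-FIREWALL, the port list and the dry-run convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original presentation): build an iptables
# ruleset in the style the slides describe -- a single firewall chain,
# referenced from both INPUT and FORWARD, that accepts established traffic
# and new connections to the published TCP ports and rejects everything else.
#
# IPT defaults to "echo iptables" so the script can be read as a dry run;
# run with IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"

# web_firewall CHAIN PORT...   emits (or applies) the rules for the chain
web_firewall() {
    chain="$1"; shift
    # create the chain (ignore the error if it already exists) and empty it
    $IPT -N "$chain" 2>/dev/null || true
    $IPT -F "$chain"
    # loopback, and replies to connections the state table already knows
    $IPT -A "$chain" -i lo -j ACCEPT
    $IPT -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # new TCP connections only to the service ports we publish
    for port in "$@"; do
        $IPT -A "$chain" -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    done
    # everything else is rejected, as in the Fedora default shown earlier
    $IPT -A "$chain" -j REJECT --reject-with icmp-host-prohibited
    # hook the chain into INPUT (traffic for this host) and FORWARD
    # (traffic routed through this host); -A puts it after existing rules,
    # use -I instead if other rules must not see the packets first
    $IPT -A INPUT   -j "$chain"
    $IPT -A FORWARD -j "$chain"
}

# count_rules CHAIN PORT...   number of iptables commands generated (dry run)
count_rules() { web_firewall "$@" | wc -l | tr -d ' '; }

# dry run: the rules for a web server that answers on 80 and 443
web_firewall WEB-FIREWALL 80 443
```

Because the chain is stateful, only the request direction needs a port rule; the RELATED,ESTABLISHED rule admits the replies. That is the contrast with the ebtables rules later in the talk, which have to name both directions.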

Using IP Tables

A host running iptables must be configured into the network: it needs an address and the hosts it protects need routes through it. You cannot simply add an additional router to a network without changing configurations.

Bridging Background

Wrt54gl diagram


Sample Bridge (from wrt54gl)

bridge-utils package provides bridging support
brctl is command for configuring a Linux bridge
(ethernet ports must already be configured)
brctl addbr br0
brctl addif br0 vlan0
brctl addif br0 eth1

root@OpenWrt:/etc# brctl show:

bridge name     bridge id               STP enabled     interfaces
br0             8000.001217122699       yes             vlan0
STP is the Spanning Tree Protocol
Ethernet forwarding assumes the network is a tree (no loops)
nodes on a tree have a unique path between them
this prevents frames from being duplicated or looping forever
STP detects redundant paths and disables those ports

EB Tables Background

ebtables summary

Protection Strategy

My protective ebtables config

ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 23, policy: ACCEPT
-p IPv4 -s 0:aa:aa:aa:aa:aa -i vlan2 --ip-proto tcp --ip-dport 80 -j ACCEPT
-p IPv4 -s 0:aa:aa:aa:aa:aa -i vlan2 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -s 0:bb:bb:bb:bb:bb -i vlan2 --ip-proto tcp --ip-dport 80 -j ACCEPT
-p IPv4 -s 0:bb:bb:bb:bb:bb -i vlan2 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -d 0:aa:aa:aa:aa:aa -i vlan0 --ip-proto tcp --ip-sport 80 -j ACCEPT
-p IPv4 -d 0:aa:aa:aa:aa:aa -i vlan0 --ip-proto udp --ip-sport 53 -j ACCEPT
-p IPv4 -d 0:bb:bb:bb:bb:bb -i vlan0 --ip-proto tcp --ip-sport 80 -j ACCEPT
-p IPv4 -d 0:bb:bb:bb:bb:bb -i vlan0 --ip-proto udp --ip-sport 53 -j ACCEPT
-s 0:aa:aa:aa:aa:aa -i vlan2 -j DROP
-s 0:bb:bb:bb:bb:bb -i vlan2 -j DROP
-d 0:bb:bb:bb:bb:bb -i vlan0 -j DROP
-d 0:aa:aa:aa:aa:aa -i vlan0 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
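The listing above repeats the same four-rule pattern per MAC address: accept the host's requests to each allowed service port on one interface, accept the replies from that port on the other interface, then drop every other frame from or to that MAC. ebtables has no connection tracking, so both directions must be spelled out. The script below is an added example, not the presentation's /etc/firewall.user; the interface roles (vlan2 for frames from the pinned host, vlan0 for frames to it) and the service list are assumptions taken from the listing. It also adds an ARP exception that the excerpt does not show: as listed, the final "-s MAC -i vlan2 -j DROP" would discard the host's ARP requests as well, so the example accepts ARP before the drops.

```shell
#!/bin/sh
# Added example, not the presentation's own script: generate ebtables FORWARD
# rules that pin one MAC address to a fixed set of IP services in both
# directions, the way the listing does for 0:aa:... and 0:bb:...
# ebtables is stateless, so every service gets one rule for requests
# (source MAC, destination port) and one for replies (destination MAC,
# source port).  Interface names and services are illustrative assumptions.
EBT="${EBT:-echo ebtables}"   # dry run by default; EBT=ebtables to apply

# pin_mac MAC IN_IF REPLY_IF PROTO:PORT...
pin_mac() {
    mac="$1" in_if="$2" reply_if="$3"; shift 3
    for svc in "$@"; do
        proto="${svc%%:*}" port="${svc##*:}"
        # requests from the host, to the service port
        $EBT -A FORWARD -p IPv4 -s "$mac" -i "$in_if" \
             --ip-proto "$proto" --ip-dport "$port" -j ACCEPT
        # replies to the host, from the service port
        $EBT -A FORWARD -p IPv4 -d "$mac" -i "$reply_if" \
             --ip-proto "$proto" --ip-sport "$port" -j ACCEPT
    done
    # the MAC-wide DROPs below would also swallow ARP (requests from the
    # host are broadcast but carry its source MAC), so accept ARP first.
    # Assumption: the slide's full 23-rule set is only partly shown.
    $EBT -A FORWARD -p ARP -s "$mac" -i "$in_if" -j ACCEPT
    $EBT -A FORWARD -p ARP -d "$mac" -i "$reply_if" -j ACCEPT
    # everything else from or to this MAC is dropped; ACCEPT rules must
    # precede these because ebtables takes the first matching rule
    $EBT -A FORWARD -s "$mac" -i "$in_if" -j DROP
    $EBT -A FORWARD -d "$mac" -i "$reply_if" -j DROP
}

# rule_count MAC IN_IF REPLY_IF PROTO:PORT...   rules generated (dry run)
rule_count() { pin_mac "$@" | wc -l | tr -d ' '; }

# dry run reproducing the two hosts from the listing
pin_mac 0:aa:aa:aa:aa:aa vlan2 vlan0 tcp:80 udp:53
pin_mac 0:bb:bb:bb:bb:bb vlan2 vlan0 tcp:80 udp:53
```

Note what the rules do not cover: the FORWARD policy stays ACCEPT, so frames from any MAC not named here pass untouched, and nothing stops a host that spoofs one of the pinned MACs. The filter is a per-host port restriction on the bridge, not a replacement for a stateful firewall.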


Excellent documentation
primary source for this presentation

wrt54GL notes

wrt54GL features

configuring openwrt

What I did to block all other traffic

This is not guaranteed complete, but should be close:

nvram set vlan2ports="3 4 5"
nvram set vlan0ports="1 2 5*"
nvram set vlan2hwname=et0
# vlan0 was started by ifup lan
# so I created an interface named man
# (simply stepping down alphabet)
nvram set man_ifname=vlan2
nvram set man_proto=static

# added man to /etc/init.d/S40network
      ifup wan
+     ifup man
      ifup wifi

# the ebtables modules were not loaded (insmod) by default
# added them to /etc/modules.d/40-ipt-nat-extra
# (Perhaps I should have created a new file)
# cat 40-ipt-nat-extra

added ebtables filter rules (shown above) to /etc/firewall.user

nvram commit

basic network configuration NVRAM variables:

NVRAM           Description
<name>_ifname   The name of the linux interface the settings apply to
<name>_ifnames  Devices to be added to the bridge (only if the above is a bridge)
<name>_proto    The protocol which will be used to configure an IP
                static: Manual configuration (see below)
                dhcp: Perform a DHCP request
                pppoe: Create a ppp tunnel
<name>_ipaddr   ip address (x.x.x.x)
<name>_netmask  netmask (x.x.x.x)
<name>_gateway  Default Gateway (x.x.x.x)
<name>_dns      DNS server (x.x.x.x)
<name>_hostname hostname requested with dhcp
<name>_hwaddr   MAC address (aa:bb:cc:dd:ee:ff)
                if you want to use a different MAC from the ROM

The command ifup <name> will configure the interface defined by
<name>_ifname according to the above variables.

The only <name> with any significance is wan, used by the
/etc/init.d/S45firewall script.  The firewall script NATs traffic
out through wan_ifname and blocks incoming connections to wan_ifname.