Basic ebtables configuration
Home > CentOS > CentOS 6.x > ebtables configuration > Basic ebtables configuration
About ebtables chains and tables
ebtables contains following tables and listed chains within each table:
- filter
- INPUT
- FORWARD
- OUTPUT
- broute
- BROUTING
- OUTPUT
In 'filter' table we can write normal firewall rules. Here INPUT refers to packets with destination MAC address same as bridge's MAC address. OUTPUT refers to packets generated by bridge for Bridge routing. FORWARD packets are normal packets received via one interface and going to be forwarded via other (or all) bridge interfaces. Hence most filtering rules are written in FORWARD chain only.
In 'broute' table we do not do firewalling or filtering as such. broute table (esp. BROUTING chain) is used to indicate whether we use brouting and route the packet or whether we do normal bridging and forward the packet as per L2 destination MAC address. If we ACCEPT the packet in BROUTING chaing then packet is brouted, if we DROP the packet in brouting table the packet is still FORWARDED but it is bridged and not routed. Hence this chain / table is not used for filtering but for indicating whether brouting should be used or not.
Using ebtables to load rules from start-up file
Since ebtables supports two types of rules files 'text' and 'binary', if we just edit '/etc/sysconfig/ebtables' file it is not enough for the rules to get loaded on start-up. We also need to edit file '/etc/sysconfig/ebtables-config' and disable binary rules files. Then only ebtables loads text file rules properly.
Using ebtables to block broadcast and multicast
We can use ebtables firewall to block broadcast and / or multicast when using software bridges created using 'brctl'. To block all broadcast and multicast we can use
ebtables -I FORWARD -d Multicast -j DROP
Note:
- If we want to block just broadcast and not all multicast then we can use keyword 'Broadcast' instead of 'Multicast'.
- Since 'Multicast' is superset of 'Broadcast', we have not blocked 'Broadcast' separately in above rule.
- This would cause ARP, DHCPv4, etc. to stop working as they depend on broadcasts for their operations.
Using ebtables to prevent MAC spoofing from Xen VMs
We can use ebtables to restrict source MAC for each bridge interface and thus prevent MAC spoofing attacks via Xen VMs which use bridges to connect to normal network. Note that this can only protect against spoofing attacks, flood attacks by sending packets to non-existing destination MACs or broadcast or multicast is still possible.
Sample rules to restrict source MAC of packets from VM with Domain ID 1 are:
ebtables -A FORWARD -i vif6+ -s 00:16:36:5f:b8:8c -j ACCEPT ebtables -A FORWARD -i vif6+ -j DROP
Note:
- The rules work with Xen hypervisor as VMs use 'vif<domain_ID>.<interface_number>' type of names of interfaces while connecting to bridges. The rules may or may not work in exact same form for other hypervisors like KVM, because they use different network interface naming in comparison to Xen.
- We can also combine rule with ip module and also restrict packets to IPv4 packets with given source IP, to prevent IP spoofing as well.
Ebtables bugs
MAC Address display bug
When we use ebtables to block some MAC address range in following manner:
ebtables -I FORWARD -p ARP -d 02:00:00:00:00:00/11:11:11:11:11:00 -j ACCEPT
then sometimes when we use 'ebtables-save' command the rule may show up as:
ebtables -I FORWARD -p ARP -d 0:0:0:0:0:0/1:1:1:1:1:0 -j ACCEPT
But still the rule works perfectly. The problem is only in display of rule when using ebtables-save.
Rule counter bug
Ebtables gives lot of options and descriptions regarding counters for each rule. But whene using ebtables I have never seen ebtables output any count of count of how many times rule has been matched, even after using counter related options.
Home > CentOS > CentOS 6.x > ebtables configuration > Basic ebtables configuration