Monday, 20 February 2017

Ebtables Firewall (Layer 2 & 3)


Basic network firewall with ebtables. It filters Ethernet frames as they cross a Linux bridge (layer 2) and can also match a few layer 3 fields, such as IPv4 source/destination addresses and ARP headers.

In an internal network most of what transits is frames between hosts on the same segment. That traffic is switched on MAC addresses and is not seen by an IP-level firewall such as iptables unless this host bridges it, hence the importance of ebtables. One caveat: ebtables only sees frames that traverse a bridge, so the interfaces used in the rules below must be bridge ports for the rules to match anything.

Install (Debian and derivatives)

#apt-get install ebtables

#cd /root

#touch ebtables.sh

#chmod 550 ebtables.sh

#vim ebtables.sh

#!/bin/sh
# Ebtables firewall, layer 2 & 3
# ebtables only filters frames that traverse a Linux bridge, so eth0, wlan0 and
# the VM/container interfaces below must be bridge ports for these rules to apply.
EBT="/sbin/ebtables"

# Clean rules
$EBT -F
$EBT -t nat -F

# MAC addresses of the physical interfaces (read from sysfs)
MACETH0="$(cat /sys/class/net/eth0/address)"
MACWLAN0="$(cat /sys/class/net/wlan0/address)"

# For VMs or Docker containers: the last and second-to-last Ethernet interfaces
# in the list. This selection is positional and changes when an interface comes
# or goes. `ip -o link` replaces the deprecated `ifconfig -a`, whose newer
# versions print "ether" instead of "HWaddr" and break the original grep.
ALLMACS="$(ip -o link show | awk '{for (i = 1; i <= NF; i++) if ($i == "link/ether") print $(i + 1)}')"
MACLAST="$(printf '%s\n' "$ALLMACS" | tail -n 1)"
MACPENULT="$(printf '%s\n' "$ALLMACS" | tail -n 2 | head -n 1)"

# LANs
LAN1="192.168.1.0/24"
LAN2="172.17.0.0/16"
LAN3="172.16.1.0/24"
WLAN="10.10.10.0/26"

# Filter rules
# Default deny on INPUT: with the ACCEPT policy ebtables starts with, the
# ACCEPT rules below would filter nothing. Everything not whitelisted here
# (IPv6, DHCP from 0.0.0.0, other IPv4 ranges) is dropped.
$EBT -P INPUT DROP
$EBT -A INPUT -p IPv4 --ip-src $LAN1 -d $MACETH0 -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $LAN2 -d $MACPENULT -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $LAN3 -d $MACLAST -j ACCEPT
$EBT -A INPUT -p IPv4 --ip-src $WLAN -d $MACWLAN0 -j ACCEPT
$EBT -A INPUT -p ARP --arp-htype 1 --arp-opcode 1 -j ACCEPT             # ARP request
$EBT -A INPUT -p ARP --arp-htype 1 --arp-opcode 2 -j ACCEPT             # ARP reply

# NAT rules
# Rewrite the source MAC (and, with --snat-arp, the ARP sender hardware
# address) of frames leaving each interface to that interface's own MAC.
$EBT -t nat -A POSTROUTING -o eth0 -j snat --to-src $MACETH0 --snat-arp --snat-target ACCEPT
$EBT -t nat -A POSTROUTING -o wlan0 -j snat --to-src $MACWLAN0 --snat-arp --snat-target ACCEPT
# Rewrite the destination MAC of ARP frames from each LAN to the matching interface.
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN1 -j dnat --to-dst $MACETH0 --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $WLAN -j dnat --to-dst $MACWLAN0 --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN2 -j dnat --to-dst $MACPENULT --dnat-target ACCEPT
$EBT -t nat -A PREROUTING -p ARP --arp-ip-src $LAN3 -j dnat --to-dst $MACLAST --dnat-target ACCEPT
echo "*Ebtables firewall loaded*"
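The script above picks the VM/container MACs by their position in the interface list (tail -1, tail -2), which silently changes whenever an interface appears or disappears, and it only adds ACCEPT rules, so nothing is denied unless a DROP policy is set. As an added example, not code from the original post, the following POSIX sh script resolves MACs by interface name from `ip -o link show` output, validates them, skips interfaces it cannot resolve instead of emitting a rule with an empty `-d`, and prints the resulting ebtables command set for review rather than executing it. The interface names, MAC addresses, network ranges and the sample `ip -o link show` text are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: pick bridge-port MACs by
# interface NAME rather than by position in the interface list, and render the
# ebtables rule set as text so it can be reviewed (or diffed) before loading.
# Interface names, MACs and the `ip -o link show` sample below are constructed.

# Constructed sample of `ip -o link show` output (52:54:00 is the QEMU OUI).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default\    link/ether 02:42:ac:11:00:01 brd ff:ff:ff:ff:ff:ff
6: veth1a2b3c@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default\    link/ether 0e:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Turn `ip -o link show` text on stdin into "IFACE MAC" lines, one per
# Ethernet interface. Loopback has no link/ether field and is skipped; the
# "@ifN" peer suffix on veth names is dropped.
parse_links() {
    awk '{
        name = $2; sub(":$", "", name); sub("@.*$", "", name)
        for (i = 1; i <= NF; i++) if ($i == "link/ether") print name, $(i + 1)
    }'
}

# Print the MAC for interface $1 from "IFACE MAC" lines on stdin (empty if absent).
mac_for() {
    awk -v want="$1" '$1 == want { print $2; exit }'
}

# True if $1 is a colon-separated 6-octet MAC address.
is_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit the ebtables commands for IFACE=CIDR arguments, resolving each MAC from
# the "IFACE MAC" table on stdin. Interfaces with no MAC are reported on stderr
# and skipped, instead of producing a rule with an empty -d that ebtables would
# reject and leave the rule set half-loaded.
gen_rules() {
    table=$(cat)
    printf '%s\n' '/sbin/ebtables -F' '/sbin/ebtables -t nat -F'
    # Default deny: with the ACCEPT policy ebtables starts with, ACCEPT rules filter nothing.
    printf '%s\n' '/sbin/ebtables -P INPUT DROP'
    for pair in "$@"; do
        iface=${pair%%=*}
        cidr=${pair#*=}
        mac=$(printf '%s\n' "$table" | mac_for "$iface")
        if ! is_mac "$mac"; then
            echo "# skipped $iface: no MAC found" >&2
            continue
        fi
        printf '/sbin/ebtables -A INPUT -p IPv4 --ip-src %s -d %s -j ACCEPT\n' "$cidr" "$mac"
    done
    printf '%s\n' \
        '/sbin/ebtables -A INPUT -p ARP --arp-htype 1 --arp-opcode 1 -j ACCEPT' \
        '/sbin/ebtables -A INPUT -p ARP --arp-htype 1 --arp-opcode 2 -j ACCEPT'
}

# Demo on the constructed sample. On a real host replace the first command with
# `ip -o link show`, review the printed rules, then pipe them into `sh` as root.
printf '%s\n' "$SAMPLE_LINKS" | parse_links |
    gen_rules eth0=192.168.1.0/24 docker0=172.17.0.0/16 veth1a2b3c=172.16.1.0/24 wlan0=10.10.10.0/26
```

Because the script only prints, it needs no root and the output can be diffed against the previously loaded rule set before each reload; an interface that has vanished shows up as a skipped line on stderr rather than as a rule bound to whichever MAC happened to be last in the list.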
The network ranges above are arbitrary examples.

Change them to your real addresses, and check which interfaces actually come last in the interface list before relying on MACLAST and MACPENULT.


View this host's MAC addresses:

# ip -o link show

# ifconfig -a | grep -Po 'HWaddr \K.*$'

(The ifconfig form only works with older net-tools, which label the address "HWaddr"; newer versions print "ether" and the grep returns nothing.)

View the MAC addresses of neighbours seen on the network (the ARP cache):

#arp -a

#ip neighbor show
