Brctl bridge forwarding packets to promiscuous interfaces

Tags: arp, bridge, promiscuous

I have two promiscuous sniffing interfaces on my linux box:
eth0 is connected to an external vlan bridge
eth1 is connected to an internal vlan bridge

with eth0 I can sniff all traffic on my "external network"
with eth1 I can sniff all traffic on my "internal network"

I then created a bridge with brctl (br0) and added both interfaces to this bridge.
Now I can sniff all packets showing up on eth1 and eth2 directly from br0 saving me having to launch two instances of snort.

My problem is that now arp and multicast packets that are showing up on eth0 are copied on to br0 and forwarded to eth1.

Is there any way to make both these interfaces copy all packets on to br0 but never allow br0 to forward any packets nor eth0 or eth1 to respond to them?

Best Answer

According to its design, the Linux bridge acts exactly like a plain NWay Ethernet Switch. It keeps its own ARP/MAC Address Table, and forwards packets according to this table. So Multicast and ARP, as in a plain network switch, go out to every port regardless of their origin.

In order to prevent this behavior, you should set up a firewall, not using iptables, which takes care of Layer 3+ in the OSI model, but ebtables, which takes care of Layer 2 traffic.

Assuming you are on a Debian/Debian based distro you could execute:

apt-get install ebtables

apt-get install arptables

For additional documentation execute:

man 8 ebtables

Here is a short example of using ebtables for multicast:

ebtables -A FORWARD -o eth0 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o eth0 --pkttype-type multicast -j DROP
ebtables -A FORWARD -o eth1 --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o eth1 --pkttype-type multicast -j DROP

As a good starting point for learning ebtables, which actually copies iptables syntax, here is the official documentation: http://ebtables.sourceforge.net/documentation/docs.html
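The answer's rules only match multicast frames, while ARP requests are broadcast frames, so they would still be flooded between eth0 and eth1. The script below is an added example, not code from the question or the answer: it generates and applies an ebtables ruleset that turns the brctl bridge into a receive-only tap (default FORWARD policy DROP, per-port FORWARD and OUTPUT drops, STP off so the bridge itself stays silent), and includes a helper that checks the FORWARD policy in `ebtables -L` output. The bridge and port names (`br0`, `eth0`, `eth1`) and the sample listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): make a brctl
# bridge a receive-only tap with ebtables. Frames from every member port still
# reach br0 for the sniffer, but the bridge never forwards them between ports
# and the host never transmits on the ports. Bridge and port names are
# assumptions; override them via the environment.

BRIDGE="${BRIDGE:-br0}"
PORTS="${PORTS:-eth0 eth1}"

# Emit the commands, one per line, without running anything.
tap_commands() {
    # Stop the bridge itself from sending STP BPDUs on the sniffing ports.
    echo "brctl stp $BRIDGE off"
    # Default policy: never forward between bridge ports. This covers ARP
    # (broadcast) as well as multicast and unknown-unicast flooding.
    echo "ebtables -P FORWARD DROP"
    for p in $PORTS; do
        # Explicit per-port rules on top of the policy so 'ebtables -L --Lc'
        # shows per-port counters of what the bridge would have forwarded.
        echo "ebtables -A FORWARD -o $p -j DROP"
        # Nothing generated by the local stack (ARP replies, IGMP, ...) may
        # leave through a sniffing port.
        echo "ebtables -A OUTPUT -o $p -j DROP"
    done
    # INPUT is deliberately untouched: frames must still be delivered to br0.
}

# Number of commands the ruleset consists of (for a quick sanity check).
tap_command_count() {
    tap_commands | wc -l | tr -d ' '
}

# "tap_apply dry" prints the commands; "tap_apply" runs them (root + ebtables).
tap_apply() {
    if [ "${1:-}" = "dry" ]; then
        tap_commands
        return 0
    fi
    tap_commands | while read -r cmd; do
        # word splitting of $cmd is intended: each line is one command
        $cmd || exit 1
    done
}

# Extract the FORWARD chain policy from 'ebtables -L' output read on stdin.
# Verify the live ruleset with:  ebtables -L | tap_forward_policy
tap_forward_policy() {
    sed -n 's/^Bridge chain: FORWARD, .*policy: \([A-Z]*\).*/\1/p'
}

# Constructed sample of 'ebtables -L' output after applying the commands,
# so the verification helper can be exercised offline.
SAMPLE_LISTING='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: DROP
-o eth0 -j DROP
-o eth1 -j DROP

Bridge chain: OUTPUT, entries: 2, policy: ACCEPT
-o eth0 -j DROP
-o eth1 -j DROP'

# Usage: ./tap.sh        -> print the commands (dry run)
#        ./tap.sh apply  -> install them (as root)
case "${1:-dry}" in
    apply) tap_apply ;;
    *)     tap_apply dry ;;
esac
```

Run it without arguments first to review the generated commands, then with `apply` as root. Afterwards `ebtables -L --Lc` shows, per port, how many frames the bridge tried to forward or the host tried to send, which is a useful indicator that the tap is really silent.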