In general, the two network interfaces of a firewall belong to two different networks, and the firewall forwards, rejects or discards packets between them according to the access rules defined by the administrator. In other words, a firewall is not only an access-control function; it also plays the role of a router. That is not wrong in itself, but when you try to insert an already configured firewall into a network to protect an existing system, you have to rethink and change the network architecture. Another possible problem is that when the firewall fails and there is no standby firewall hardware, you are under great pressure, because a firewall failure paralyses the entire network. If the firewall is configured in transparent mode (also called a pseudo-bridge), there is no need to change the network architecture, and even if the firewall stops working, all that is needed is to unplug the network cables and connect the LAN cable directly to the router's internal interface to bring the network back; then there is time to recover the failed firewall at leisure.
To make an efficient firewall and network monitor, the system CPU must be strong and fast enough. The system needs three network cards: two that form the bridge, and one for managing the firewall. (Two network cards are the minimum; in that case the management IP can be configured on the bridge device itself.)
#!/bin/bash
# by Kerryhu
# qq:263205768
# mail:king_819@163.com
# blog:http://kerry.blog.51cto.com
# Besides compiling a kernel with bridge support (802.1d Ethernet bridging), Linux also needs the user-space package bridge-utils to act as a bridge.
cd /opt
wget http://ncu.dl.sourceforge.net/project/bridge/bridge/bridge-utils-1.4/bridge-utils-1.4.tar.gz
tar zxvf bridge-utils-1.4.tar.gz
cd bridge-utils-1.4
./configure --prefix=/usr
make; make install
# brctl usage reference (commented out; the actual setup follows below):
# 1. Create a bridge device:
#    brctl addbr br0
# 2. Add NICs eth0 and eth1 to br0 (the bridge name is required):
#    brctl addif br0 eth0
#    brctl addif br0 eth1
# 3. Remove NICs eth0 and eth1 from the bridge:
#    brctl delif br0 eth0
#    brctl delif br0 eth1
# 4. Delete bridge br0:
#    brctl delbr br0
# Gateway:
# 172.16.16.254
# Web server (80, 443)
# 172.16.16.172
# FTP server (21, 20)
# 172.16.16.173
# MySQL server (3306)
# 172.16.16.174
# Bridge interface (also the management address): 172.16.16.171/24
# Configure firewall policy
# Create the interface br0
/usr/sbin/brctl addbr br0
# Add the Ethernet interfaces to use with the bridge
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1
# Start up the Ethernet interfaces without addresses of their own
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0
# Configure the bridge Ethernet (a /24 mask is what matches the broadcast address 172.16.16.255)
/sbin/ifconfig br0 172.16.16.171 netmask 255.255.255.0 broadcast 172.16.16.255
# I added this internal IP to create my NAT
# ip addr add 192.168.0.1/24 dev br0
/sbin/route add default gw 172.16.16.254
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Limit ICMP
iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# String match: a simple way to block some viruses very quickly
# (current versions of the string match require --algo)
#iptables -I FORWARD -p tcp -m string --algo bm --string "cmd.exe" -j DROP
# Allow 222.11.22.33 to connect to the MySQL server
iptables -A FORWARD -p tcp -s 222.11.22.33 -d 172.16.16.174 --dport 3306 -j ACCEPT
# Allow HTTP (80) connections to the WWW server
iptables -A FORWARD -p tcp -d 172.16.16.172 --dport 80 -j ACCEPT
# Allow HTTPS (443) connections to the WWW server
iptables -A FORWARD -p tcp -d 172.16.16.172 --dport 443 -j ACCEPT
# Allow the WWW server to go out
iptables -A FORWARD -s 172.16.16.172 -j ACCEPT
# FTP server rules
iptables -A FORWARD -p tcp -d 172.16.16.173 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.16.173 --dport 20 -j ACCEPT
# Allow the FTP server (172.16.16.173) to go out
iptables -A FORWARD -s 172.16.16.173 -j ACCEPT
# About the 2.6 kernel: the 2.6 kernel ships with bridge-nf by default. I have tested this on 2.6.12, and any release that uses a 2.6 kernel should support bridge-nf.
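The following is an added example, not part of the original post: the same transparent-bridge firewall built with iproute2 instead of brctl/ifconfig and loaded atomically through iptables-restore, preceded by a check that the kernel is actually handing bridged frames to iptables. On current kernels bridge netfilter lives in the br_netfilter module and is switched by net.bridge.bridge-nf-call-iptables; when that file is absent or reads 0, the FORWARD chain is never consulted and the bridge passes everything. The host addresses and the MySQL client 222.11.22.33 are the post's; the INPUT rules for the management address, the use of the nf_conntrack_ftp helper instead of a port-20 rule, the multiport match, and the SYS_ROOT override (there only so the check can be exercised without root) are my assumptions.

```bash
#!/bin/bash
# Added example (not the original post's script). Generates the bridge
# firewall ruleset and checks the bridge-nf prerequisite before loading it.
# Assumes iproute2 (ip), iptables-restore and the br_netfilter and
# nf_conntrack_ftp modules exist on the firewall host.

GW=172.16.16.254
WWW=172.16.16.172
FTP=172.16.16.173
DB=172.16.16.174
DB_CLIENT=222.11.22.33
BR_IP=172.16.16.171/24

# Prefix for sysctl files; overridable so check_bridge_nf can be run
# against a scratch directory without root (assumption for testing).
SYS_ROOT=${SYS_ROOT:-}

# Returns 0 only if bridged traffic is handed to iptables. If the file is
# missing, br_netfilter is not loaded; if it reads 0, filtering is off and
# every rule below is silently bypassed.
check_bridge_nf() {
    f="$SYS_ROOT/proc/sys/net/bridge/bridge-nf-call-iptables"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Emit the ruleset in iptables-restore format so it is loaded in one step,
# with no window where only half the rules are in place.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic to the bridge's own management address: ssh from the LAN only
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 172.16.16.0/24 --dport 22 -j ACCEPT
# bridged traffic
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
-A FORWARD -p tcp -s $DB_CLIENT -d $DB --dport 3306 -j ACCEPT
-A FORWARD -p tcp -d $WWW -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -s $WWW -j ACCEPT
# FTP: control channel only. Data connections (active from port 20,
# passive to a high port) are classified RELATED by nf_conntrack_ftp,
# so no port-20 or high-port holes are needed.
-A FORWARD -p tcp -d $FTP --dport 21 -j ACCEPT
-A FORWARD -s $FTP -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in FORWARD: a quick sanity check on the generated
# file before it is loaded.
count_forward_accepts() {
    gen_rules | grep -c '^-A FORWARD .* -j ACCEPT$'
}

# Build the bridge and load the rules. Requires root.
apply_rules() {
    if ! check_bridge_nf; then
        echo "bridge-nf is off: modprobe br_netfilter and set net.bridge.bridge-nf-call-iptables=1" >&2
        return 1
    fi
    modprobe nf_conntrack_ftp
    ip link add br0 type bridge 2>/dev/null || true
    ip link set eth0 master br0
    ip link set eth1 master br0
    ip addr flush dev eth0
    ip addr flush dev eth1
    ip link set eth0 up
    ip link set eth1 up
    ip addr replace "$BR_IP" dev br0
    ip link set br0 up
    ip route replace default via "$GW"
    gen_rules | iptables-restore
}

# Usage: ./bridge-fw.sh apply   (run without arguments to only define functions)
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Run `gen_rules` first and read the output before ever calling `apply`; if `check_bridge_nf` fails on the target host, fix the sysctl before loading anything, because a ruleset that is loaded but never consulted looks exactly like a working firewall from the console.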