Instance resolution: Linux system transparent firewall settings

Source: Internet
Author: User

Sometimes we do not want to change the existing network layout in order to manage network security. In that case we can use a transparent firewall. This relies on the kernel's bridge module, so the firewall works at layer 2 and needs no changes to the addressing on either side.

Lab environment:

Server -- firewall -- client

Server IP address: 192.168.1.100

Client IP address: 192.168.1.200

Firewall IP address: 192.168.1.1

Requirements:

Only the server may send the lecture files to the client through Network Neighborhood (this traffic is unidirectional); the server and the client may both use ICMP echo requests to check connectivity to each other (this traffic is bidirectional).

Steps:

1. Bind the network cards into a bridge interface

The firewall needs at least two NICs, bound together so that the firewall acts as a bridge. First install the bridge-utils and bridge-utils-devel packages; they provide the tools to bind eth0 and eth1 into one bridge device, which is exactly what we need. My environment is RHEL 4.4, and both packages are on the installation CD.

# rpm -ivh bridge-utils-*

Then, bind eth0 and eth1 to the bri0 interface.

# ifconfig eth0 0.0.0.0

# ifconfig eth1 0.0.0.0

# brctl addbr bri0

# brctl addif bri0 eth0

# brctl addif bri0 eth1

Use brctl show to confirm:

# brctl show

bridge name     bridge id               STP enabled     interfaces
bri0            8000.000da-305b3        no              eth0
                                                        eth1

Question

Now that the bri0 interface has been set up, should an IP address be assigned to it? The answer is yes: with an IP address on the bridge we can manage the firewall remotely. There are two ways to assign it: set it manually, or obtain it from a DHCP server.

Manual assignment:

# ifconfig bri0 192.168.1.1 netmask 255.255.255.0 up

DHCP client:

# dhclient bri0

The commands above can be put into a shell script that runs automatically at startup. I use RHEL 4.4 and put it in /etc/rc.local.

2. Set the firewall forwarding function

# vi /etc/sysctl.conf

# Controls IP packet forwarding

net.ipv4.ip_forward = 1

# sysctl -p

At this point you can test whether the server and the client can reach each other through the firewall.

3. Set policies

As for the policy, it is all iptables. I will not go over the basics; I believe everyone understands them better than I do, and today is a rest day, so my hand is sore from writing.

On to the main part:

For security, set the default policy of the FORWARD chain to DROP, so that only the SMB protocol and ICMP echo requests are allowed through.

# iptables -P FORWARD DROP

At this point the server and the client are completely cut off from each other.

Allow packets belonging to established and related connections to pass, so that replies get back to the requester:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow ICMP echo requests (type 8) from the LAN in both directions:

# iptables -A FORWARD -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT

Set it so that only the server can send files to the client through Network Neighborhood. The source and destination are single hosts, so no /24 mask is used here; a /24 on these addresses would match the whole subnet and let the client open SMB sessions to the server as well.

# iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.200 -p tcp --dport 139 -j ACCEPT

# iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.200 -p tcp --dport 445 -j ACCEPT

That completes the setup.
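The three steps above, collected into one re-runnable script. This is an added example, not the article's own script: it reuses the article's names (bri0, eth0, eth1, the 192.168.1.x addresses) and commands, and adds a dry-run mode (DRY_RUN, the run function) and a verify_policy check that reads "iptables -S FORWARD" output and confirms the policy is DROP and SMB is opened only from the server toward the client. The br_netfilter lines are an assumption about newer kernels than the article's RHEL 4 kernel: there, iptables only sees bridged frames when that module is loaded and bridge-nf-call-iptables is 1, so the FORWARD rules would otherwise be silently bypassed.

```shell
#!/bin/sh
# Added example (not from the article): transparent bridge firewall setup.
# "plan" prints the commands without executing them; "apply" runs them as root.
set -eu

BRIDGE=${BRIDGE:-bri0}
NIC_OUT=${NIC_OUT:-eth0}
NIC_IN=${NIC_IN:-eth1}
FW_IP=${FW_IP:-192.168.1.1}
SERVER=${SERVER:-192.168.1.100}
CLIENT=${CLIENT:-192.168.1.200}
LAN=${LAN:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only (default); 0 = execute

# run: print the command line, and execute it only when DRY_RUN=0.
# A failing command aborts the script (set -e), so a half-built policy
# is noticed instead of silently left in place.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 1: bind both NICs into one bridge and give the bridge the
# management address (the article's manual-address variant).
bridge_up() {
    run ifconfig "$NIC_OUT" 0.0.0.0
    run ifconfig "$NIC_IN" 0.0.0.0
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$NIC_OUT"
    run brctl addif "$BRIDGE" "$NIC_IN"
    run ifconfig "$BRIDGE" "$FW_IP" netmask 255.255.255.0 up
}

# Step 2: forwarding. ip_forward is the article's setting. The two
# br_netfilter lines are an assumption for newer kernels, where bridge
# netfilter is a loadable module; on the article's RHEL 4 kernel it is
# built in and the modprobe line can be dropped.
forwarding_on() {
    run sysctl -w net.ipv4.ip_forward=1
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Step 3: FORWARD policy. Default DROP, flush, then the minimum the
# requirement needs: return traffic, echo requests from the LAN, and SMB
# (139/445) from the server to the client only. Host addresses carry no
# /24 mask: "-s 192.168.1.100/24" would match the whole subnet.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -s "$LAN" -p icmp --icmp-type 8 -j ACCEPT
    for port in 139 445; do
        run iptables -A FORWARD -s "$SERVER" -d "$CLIENT" -p tcp --dport "$port" -j ACCEPT
    done
}

# verify_policy: read "iptables -S FORWARD" output on stdin and return 0
# only if the default policy is DROP, both SMB ports are opened from the
# server to the client (iptables -S prints hosts as /32), and no rule
# opens TCP from the client side.
verify_policy() {
    listing=$(cat)
    printf '%s\n' "$listing" | head -n 1 | grep -q '^-P FORWARD DROP$' || return 1
    for port in 139 445; do
        printf '%s\n' "$listing" |
            grep -q -- "-s $SERVER/32 -d $CLIENT/32 -p tcp .*--dport $port -j ACCEPT" || return 1
    done
    if printf '%s\n' "$listing" | grep -q -- "-s $CLIENT/32 .*-p tcp"; then
        return 1
    fi
    return 0
}

main() {
    bridge_up
    forwarding_on
    forward_rules
    if [ "$DRY_RUN" = 0 ]; then
        iptables -S FORWARD | verify_policy && echo "FORWARD policy verified"
    fi
}

case "${1:-}" in
    plan)  DRY_RUN=1; main ;;
    apply) DRY_RUN=0; main ;;
esac
```

Run it as "sh transparent-fw.sh plan" first to see every command it would issue, then "sh transparent-fw.sh apply" as root on the firewall; the final verify_policy step reads the live chain back and fails loudly if the policy or the SMB rules do not match the requirement. The verify step is worth keeping even when rules are typed by hand, since a stray /24 on a host rule is invisible in a working ping test.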
