Linux Transparent firewall configuration detailed

In general, the two network interfaces of a firewall should belong to two different networks, forwarding packets between two interfaces based on the access rules defined by the system administrator, or rejecting and discarding packets. In fact, the firewall is not only the function of access control, but also serves as the role of the router. Of course, there's nothing wrong with that, but when you try to put your configured Linux firewall into the running network to protect your existing system, you have to rethink and change your network architecture. Another possible problem is that when there is a firewall accident, if there is no hardware backup of the firewall, then you will face great psychological pressure, because the firewall failure, the entire network is paralyzed. If you configure the firewall to be transparent (known as a pseudo Network bridge), there is no need to change the network architecture, even if the firewall can not work, to do is just unplug the network cable, the net cable directly inserted in the router's internal interface can make it work properly, and then you have time to slowly restore the failure of the firewall.

Well, since the transparent firewall has so many conveniences, let's hurry to configure it! Prepare a PC, two network cards (recommended 3com network card), a number of network cable, REDHATLINUX9 installation disk set. Open the chassis, plug the two network cards into the PCI slot of the computer, connect the computer to the gateway and the switch with a network cable (as in the previous page "normal"); cover the computer, plug in the power, and turn the machine on. Install the Linux system by placing the LINUX9 installation CD in the optical drive and booting the computer from the CD. Choose Custom installation, do not conservative, spend a little more time to experience the installation of the graphics interface fun, remove the firewall (nofirewall), at the end of the installation to choose to log into the system text, complete the installation.

Transparent firewall feature configuration:

1, set the network address. Modify the file/etc/sysconfig/network-scripts/ifcfg-eth0 and/etc/sysconfig/network-scripts/ifcfg-eth1 so that it has the same IP address, the same subnet mask.

Use VI to edit the following, save the file, run the command Servicenetworkrestart make the changes take effect.

Device=eth0

Bootproto=none

broadcast=192.168.1.255

ipaddr=192.168.1.254

netmask=255.255.255.0

network=192.168.1.0

Onboot=yes

Userctl=no

Peerdns=no

Type=ethernetdevice=eth1

Bootproto=none

broadcast=192.168.1.255

ipaddr=192.168.1.254

netmask=255.255.255.0

network=192.168.1.0

Onboot=yes

Userctl=no

Peerdns=no

Type=ethernet

Here need to pay attention to two places, the first is to distinguish between that one network card is eth0, that one is eth1. This is a critical issue, and if you confuse it, it will cause the firewall not to connect to the network. As for how to distinguish eth0 and eth1, I'll make a simple description at the end of the article. This assumes that the NIC connected to the router is eth0.

2, set the default route. After adding a line to the file/etc/sysconfig/network-scripts/ifcfg-eth0 gateway=192.168.1.1 run the command Servicenetworkrestart, the modification takes effect. Find an open ICMP protocol of the public network IP, with the command ping202.108.36.196 (http://www.163.com/host) to detect the connectivity of the extranet, if normal, indicating that the Linux firewall host and the external network configuration is correct. Then use the command ping192.168.1.18 to detect the connectivity between the firewall host and the intranet host, if normal, proceed to the next step.

3, enable network forwarding and Proxy_arp. This is the core of the transparent firewall, I write them into the file/etc/rc.d/rc.local. Insert the following with Vi/etc/rc.d/rc.local.

#Ipforward

/sbin/sysctl-wnet.ipv4.conf.all.forwarding=1

#Enableproxy-arp

/sbin/sysctl-wnet.ipv4.conf.eth0.proxy_arp=1

/sbin/sysctl-wnet.ipv4.conf.eth1.proxy_arp=1

In this step, I used to spend more time, because I do not refer to the book in this step without parameters "–w", and then run alone sysctlnet.ipv4.conf.eth0.proxy_arp=1 found redhatLinux9 no parameters "-W" Cannot run.

4, specify the route. Because two network adapters (ETH0,ETH1) Use the same IP, if you do not specifically specify the forwarding path, it will cause routing confusion, so that the computer within the firewall can not access the Internet. or use the command VI to modify the file/etc/rc.d/rc.local, insert the following lines.

#Defineroute

/sbin/iproutedel192.168.1.0/24deveth0

/sbin/iprouteadd192.168.1.1deveth0

/sbin/iprouteadd192.168.1.0/24deveth1

Save the file, restart the computer/linux firewall, if not unexpectedly, you can access the Internet from 192.168.1.18 this host, of course, any machine inside the intranet can access the Internet. Here is a description of the defined route (Defineroute):/sbin/iproutedel192.168.1.0/24deveth0 indicates that all packets to the subnet 192.168.1.0/24 are not forwarded from the network card eth0 and forwarded from ETH1. that command/sbin/iprouteadd192.168.1.0/24deveth1;/sbin/ Iprouteadd192.168.1.1deveth0 indicates that all packets to 192.168.1.1 are forwarded by eth0, which can actually be understood as the division of data forwarding for two network adapters- The packets to the 192.168.1.1 are responsible by the eth0, and the rest by the eth1. To this step, congratulations! Half has been successful, if you install Linux, the choice of firewall rules for the medium level, then the firewall has been configured successfully. I believe we are all the same and willing to give up.