Linux transparent Firewall

Linux transparent firewall-Linux Enterprise Application-Linux server application information. For details, refer to the following section. Original: Lover Qiyi
Sometimes, we don't want to change the original network environment to regularly manage network security. At this time, we can use transparent firewalls. At this time, we will use the bridge module, of course it belongs to the second layer.

The following is my lab environment:

Server ----------- firewall ------------ client

Server ip address: 192.168.1.100
Client ip address: 192.168.1.200
Firewall ip address: 192.168.1.1

Requirements:
Only the server can transmit the lecture files to the client through the network neighbors (this process is unidirectional ), the server and client can use icmp echo request to determine the connection between each other (this process is bidirectional)

Steps:

1. Bind a network card to form a bridge interface)
Firewall requires at least two NICs and binds them. firewall can be a bridge. First, you need to install the bridge-utils and bridge-utils-devel components, these two components bind eth0 and eth1 to a bridge device, which meets our requirements. My environment is a false setting of rhcl 4.4. These two components are available on the CD.
# Rpm-ivh bridge-util-×

Then, bind eth0 and eth1 to the bri0 interface.
# Ifconfig eth0 0.0.0.0
# Ifconfig eth1 0.0.0.0
# Brctl addbr bri0
# Brctl addif bri0 eth0
# Brctl addif bri1 eth1

Use brctl show to confirm:
# Brctl show
Birdge name bridge id STP enable interface
Bri0 8000.000da-305b3 no eth0
Eth1
Problem
Now that bri0 interface has been set up, do you want to write an IP address to it? The answer is yes,
With the IP address, we can achieve remote control. There are two ways to set up, one is manual writing, and the other is obtained through the dhcp server.

Manual writing:
# Ifconfig bri0 192.168.1.1 netmask 255.255.255.0 up
Dhcp client
# Dhclient bri0

The above code can be used to write a shell script, which is automatically executed at startup. I use rhel 4.4 and put it in/etc/rc. local.

2. Set the firewall forwarding function

# Vi/etc/openccl. conf
# Controls ip packet forwarding
Net. ipv4.ip _ forwarding = 1
# Sysctl-p

You can test whether the current network connection between the server and the client is xing.

3. Set policies

As for the strategy, it is playing iptables. I will not talk about the basic part. I believe everyone understands it better than me, because today is a day of rest, and handwriting is sour.
Enter the topic:
For security, set forward default policy to drop to allow only smb protocol and icmp ech0 request
# Iptables-P FORWARD DROP
At this time, the server and client must be disconnected at present.
Set to allow n Packets to pass through:
# Iptables-a forward-m state-state RELATED, ESTABLISHED-j ACCPT
Allow icmp ech0 request:
# Iptables-A-FORWARD-s 192.168.1.0/24-p icmp-type 8-j ACCPT
Set that only the server can send files to the client through network neighbors.
# Iptables-a forward-s 192.168.1.100/24-d 192.168.1.200/24-p tcp-dport 139-j ACCPT

# Iptables-a forward-s 192.168.1.100, 24-d 192.168.1.200/24-p tcp-dport 445-j
ACCPT

This is ko.