Linux transparent firewall (original author: Lover Qiyi)
Sometimes we do not want to change the existing network layout in order to manage network security. In that case we can use a transparent firewall, which relies on the kernel's bridge module and therefore operates at layer 2.
The following is my lab environment:
Server ----------- firewall ------------ client
Server ip address: 192.168.1.100
Client ip address: 192.168.1.200
Firewall ip address: 192.168.1.1
Requirements:
Only the server may send the lecture files to the client through Network Neighborhood (this traffic is unidirectional); the server and the client may use ICMP echo requests to check connectivity to each other (this traffic is bidirectional).
Steps:
1. Bind the network cards to form a bridge interface
The firewall needs at least two NICs; binding them together turns the firewall into a bridge. First install the bridge-utils and bridge-utils-devel packages, which let us bind eth0 and eth1 into one bridge device, which is exactly what we need. My environment is a default RHEL 4.4 setup, and both packages are on the installation CD.
# rpm -ivh bridge-utils-*
Use brctl show to confirm:
# brctl show
bridge name     bridge id               STP enabled     interfaces
bri0            8000.000da-305b3        no              eth0
                                                        eth1
2. Question
Now that the bri0 interface exists, should it be given an IP address? The answer is yes:
with an IP address we can manage the firewall remotely. There are two ways to assign it, either by writing it by hand or by obtaining it from a DHCP server.
You can then test whether the server and the client can currently reach each other.
3. Set policies
As for the policy, it is all iptables. I will not go over the basics; I believe everyone understands them better than I do, and today is a rest day, so my hand is sore from writing.
Now to the main topic:
For security, set the default policy of the FORWARD chain to DROP so that only the SMB protocol and ICMP echo requests are allowed:
# iptables -P FORWARD DROP
At this point the server and the client can no longer reach each other.
Allow packets that belong to established or related connections to pass:
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Allow ICMP echo requests:
# iptables -A FORWARD -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
Allow only the server to send files to the client through Network Neighborhood:
# iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.200 -p tcp --dport 139 -j ACCEPT
(The source and destination here are single hosts. With a /24 mask on each address, iptables would match any host in 192.168.1.0/24 in either role, and the rule would no longer be one-way.)
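To check that the FORWARD chain really enforces the requirements (SMB one-way, ping two-way, everything else dropped), here is an added example that models first-match evaluation of the rules above; it is not code from the original post. The rule text and the sample packets are constructed, and the LOOSE ruleset shows what the /24 masks would have allowed.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse one '-A FORWARD ...' line; every flag used in this chain takes one argument."""
    tok, rule = shlex.split(line), {}
    for flag, arg in zip(tok[::2], tok[1::2]):
        if flag in ("-s", "-d"):
            rule[flag] = ipaddress.ip_network(arg, strict=False)  # a /24 widens a host to its subnet
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "--dport":
            rule["dport"] = int(arg)
        elif flag == "--icmp-type":
            rule["icmp_type"] = int(arg)
        elif flag == "--state":
            rule["state"] = set(arg.split(","))
        elif flag == "-j":
            rule["target"] = arg
    return rule

def matches(rule, pkt):
    """True when every criterion present in the rule fits the packet; absent criteria match anything."""
    return (("-s" not in rule or ipaddress.ip_address(pkt["src"]) in rule["-s"])
            and ("-d" not in rule or ipaddress.ip_address(pkt["dst"]) in rule["-d"])
            and rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dport", pkt.get("dport")) == pkt.get("dport")
            and rule.get("icmp_type", pkt.get("icmp_type")) == pkt.get("icmp_type")
            and pkt["state"] in rule.get("state", {pkt["state"]}))

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins, as in netfilter; otherwise the chain policy (DROP here) applies."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["target"]
    return policy

def pkt(src, dst, proto, state="NEW", **extra):
    """Constructed packet summary: addresses, protocol, conntrack state, and dport or icmp_type."""
    return dict(src=src, dst=dst, proto=proto, state=state, **extra)

SERVER, CLIENT = "192.168.1.100", "192.168.1.200"
COMMON = ["-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
          "-A FORWARD -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT"]
# Intended rule: exactly one host may open SMB sessions to exactly one other host.
STRICT = COMMON + [f"-A FORWARD -s {SERVER} -d {CLIENT} -p tcp --dport 139 -j ACCEPT"]
# With /24 masks both addresses mean "any host on 192.168.1.0/24", so the client
# could open SMB to the server and the one-way requirement is lost.
LOOSE = COMMON + [f"-A FORWARD -s {SERVER}/24 -d {CLIENT}/24 -p tcp --dport 139 -j ACCEPT"]
```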