Worked example: transparent firewall configuration on a Linux system

Sometimes we do not want to change the existing network layout, yet we still need to enforce network security. In that case we can use a transparent firewall: a Linux host whose bridge module joins two network interfaces at layer 2, so the firewall filters traffic without appearing as a routed hop.


Lab Environment:

server ——firewall——client


server ip address: 192.168.1.100

client ip address: 192.168.1.200

firewall ip address: 192.168.1.1


Requirements:

Only the server may transfer files to the client through Network Neighborhood (SMB); this is one-way. The server and the client may confirm each other's presence with ICMP echo requests; this is two-way.

(This article is reposted from www.45it.com, a computer software and hardware application site.)

Steps:


1. Bind the network cards to a bridge interface

The firewall must have at least two network cards; binding them together is what turns it into a bridge. First install the two packages bridge-utils and bridge-utils-devel, which provide the tools to bind eth0 and eth1 into one bridge device, exactly what we need. My environment is RHEL 4.4, and both packages are on the installation CD.

# rpm -ivh bridge-utils-*

Then bind eth0 and eth1 to the bri0 interface:


# ifconfig eth0 0.0.0.0

# ifconfig eth1 0.0.0.0

# brctl addbr bri0



# brctl addif bri0 eth0

# brctl addif bri0 eth1

Use brctl show to confirm:

# brctl show
bridge name     bridge id               STP enabled     interfaces
bri0            8000.000347305b3        no              eth0
                                                        eth1

A question arises here: now that the bri0 interface exists, should we assign it the IP address listed above? The answer is yes.

With an IP address on the bridge we can manage the firewall remotely. There are two ways to set it: manually, or from a DHCP server.

Manually written:


# ifconfig bri0 192.168.1.1 netmask 255.255.255.0 up

DHCP client:

# dhclient bri0

The commands above can be put into a shell script that runs at every boot; on RHEL 4.4 I put them in /etc/rc.local.

2. Enable the firewall's forwarding function


# vi /etc/sysctl.conf

# Controls IP packet forwarding

net.ipv4.ip_forward = 1

# sysctl -p

You can test now: the server and the client should be able to reach each other through the bridge.

3. Set the policy


The policy itself is all iptables. I will not cover the basics; I assume everyone understands them better than I do, and besides, today is a rest day and my hand is tired from writing.


Back to the topic:

For security reasons, first set the FORWARD default policy to DROP, then release only the SMB protocol and ICMP echo requests.

# iptables -P FORWARD DROP


At this point the server and the client cannot communicate at all.

Allow packets that belong to established or related connections:

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow ICMP echo requests (from any host on the LAN, so both sides can ping; the replies match the ESTABLISHED rule):

# iptables -A FORWARD -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT

Allow only the server to send files to the client via Network Neighborhood (host addresses, not /24 masks, otherwise any host on the subnet could reach any other over SMB):

# iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.200 -p tcp --dport 139 -j ACCEPT

# iptables -A FORWARD -s 192.168.1.100 -d 192.168.1.200 -p tcp --dport 445 -j ACCEPT

That is all.
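The three steps above combined into one boot script, as an added example that is not from the original article or from the bridge-utils project. It assumes the article's lab addresses and interface names (bri0 over eth0/eth1, server 192.168.1.100, client 192.168.1.200, management address 192.168.1.1), uses sysctl -w instead of editing /etc/sysctl.conf, and adds a DRY_RUN switch plus the dump_rules and accept_rule_count helpers (my additions) so the planned rule set can be reviewed before the script is wired into /etc/rc.local. One caveat worth knowing: bridged frames only pass through the iptables FORWARD chain when bridge-netfilter is active (net.bridge.bridge-nf-call-iptables=1, the default on RHEL 4 kernels); if it is disabled, none of these rules see the bridged traffic.

```shell
#!/bin/sh
# Transparent-bridge firewall boot script (added example, not the article's own code).
# Assumes the article's lab: server 192.168.1.100, client 192.168.1.200,
# bridge bri0 over eth0/eth1 with management address 192.168.1.1.
# Usage:  ./bridge-fw.sh apply             (e.g. from /etc/rc.local)
#         DRY_RUN=1 ./bridge-fw.sh apply   prints the commands instead of running them

BRIDGE=bri0
NICS="eth0 eth1"
BRIDGE_IP=192.168.1.1
NETMASK=255.255.255.0
LAN=192.168.1.0/24
SERVER=192.168.1.100
CLIENT=192.168.1.200

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: clear the NIC addresses, create the bridge and enslave both NICs.
setup_bridge() {
    for nic in $NICS; do
        run ifconfig "$nic" 0.0.0.0 up
    done
    run brctl addbr "$BRIDGE"
    for nic in $NICS; do
        run brctl addif "$BRIDGE" "$nic"
    done
    # The management address lives on the bridge, not on the physical NICs.
    run ifconfig "$BRIDGE" "$BRIDGE_IP" netmask "$NETMASK" up
}

# Step 2: forwarding. Bridged frames only reach the iptables FORWARD chain when
# bridge-netfilter is active (net.bridge.bridge-nf-call-iptables=1, the default
# on RHEL 4 kernels); without it the rules below never see bridged traffic.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 3: default deny on FORWARD, then the minimal allow list from the article.
apply_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # Return traffic of accepted flows (SMB data back to the server, ping replies).
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Echo request from any LAN host; the reply is matched by ESTABLISHED above.
    run iptables -A FORWARD -s "$LAN" -p icmp --icmp-type 8 -j ACCEPT
    # SMB (NetBIOS session 139, direct-hosted 445) strictly server -> client.
    # Host addresses, not /24: a /24 on both sides would open SMB between any two LAN hosts.
    for port in 139 445; do
        run iptables -A FORWARD -s "$SERVER" -d "$CLIENT" -p tcp --dport "$port" -j ACCEPT
    done
}

# Print the rule set that apply_rules would install, one command per line.
dump_rules() {
    ( DRY_RUN=1; apply_rules )
}

# Number of ACCEPT rules in the planned rule set (4 for the article's policy).
accept_rule_count() {
    dump_rules | grep -c -- '-j ACCEPT'
}

main() {
    setup_bridge
    enable_forwarding
    apply_rules
}

# Only touch the system when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    apply) main ;;
esac
```

Run `DRY_RUN=1 ./bridge-fw.sh apply` first and read the printed commands; the order matters, since the default policy and the RELATED,ESTABLISHED rule must be in place before the narrow allow rules are appended. Once the output looks right, call `/path/to/bridge-fw.sh apply` from /etc/rc.local and check `brctl show` and `iptables -L FORWARD -n -v` after the next boot.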
