Difference between revisions of "Bridge Firewall Linux"
From MS Computech
Revision as of 10:47, 12 July 2008
Bridge Firewall Linux
I set this up on Debian etch.
# apt-get install bridge-utils
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# brctl stp br0 on
# ifconfig eth0 0.0.0.0 up
# ifconfig eth1 0.0.0.0 up
# ifconfig br0 1.1.1.1 netmask 255.0.0.0 up
# route add default gw 1.1.1.1
The member interfaces eth0 and eth1 carry no address; only the bridge br0 gets one, the firewall's own management address. 1.1.1.1/8 is a placeholder: give br0 the firewall's real address and point the default route at the upstream router, not at br0's own address as written above. Bridged frames only pass through the iptables FORWARD chain when bridge netfilter is enabled (net.bridge.bridge-nf-call-iptables=1); the 2.6 kernels of etch turn it on by default once the bridge module is loaded, while kernels from 3.18 on need the br_netfilter module loaded first.
Put all of the above config in /etc/rc.local so it is applied at boot.
Either install the vuurmuur iptables GUI (Debian & Ubuntu instructions: http://www.vuurmuur.org/trac/wiki/InstallationDebian) or write the iptables rules by hand.
This is an example of the basic rules that could be used for either of these setups.
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some extra rules, left commented out because they are not classic iptables ...
# Limit ICMP (everything above 4/s falls through to the DROP policy)
# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# Match a string, a quick and simple way to block some viruses/worms
# (the string match requires --algo bm or kmp on iptables 1.3 and later)
# iptables -I FORWARD -p tcp -s 0.0.0.0/0 -m string --algo bm --string "cmd.exe" -j DROP

# Block all MySQL connections just to be sure
# (this DROP must stay above the per-server ACCEPT rules below)
iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP

# Linux Mail Server Rules

# Allow FTP-DATA (20), FTP (21), SSH (22)
# (there is no SMTP rule here; add --dport 25 if this host must receive mail)
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT

# Allow the Mail Server to connect to the outside
# Note: this is *not* needed for replies to the connections above
# (remember: stateful filtering). It is only needed if the server itself
# opens connections outward, and as written it allows any TCP port,
# so narrow it to the ports the server really needs or remove it.
iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT

# WWW Server Rules

# Allow HTTP ( 80 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT

# Allow HTTPS ( 443 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT

# Allow the WWW server to go out
# Note: as with the mail server, not needed for replies (stateful filtering);
# only keep it, narrowed to the needed ports, if the server opens outbound connections.
iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
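The bridge setup and the FORWARD rule set above, as an added example script that is not code from the original page: it builds the rules from a small service table so that adding a host or port is a one-line change and the rule order (stateful ACCEPT first, explicit DROPs before per-service ACCEPTs, a rate-limited LOG before the DROP policy) cannot drift. The service table and the hosts 62.3.3.27 (mail) and 62.3.3.28 (www) are taken from the page's rules; MGMT_IP, NETMASK and GATEWAY are placeholders you must set; the BRCTL, IFCONFIG, ROUTE, SYSCTL and IPT variables are assumptions of this script that select the binaries, so setting them to "echo" prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original page: the page's bridge setup and
# FORWARD rules as a script with a rule table and a dry-run mode.
# Assumptions: br0 bridges eth0 and eth1; 62.3.3.27 (mail) and 62.3.3.28 (www)
# are the page's hosts; MGMT_IP/NETMASK/GATEWAY are placeholders to set;
# BRCTL/IFCONFIG/ROUTE/SYSCTL/IPT pick the binaries (use "echo" to dry-run).

IPT="${IPT:-iptables}"
BRCTL="${BRCTL:-brctl}"
IFCONFIG="${IFCONFIG:-ifconfig}"
ROUTE="${ROUTE:-route}"
SYSCTL="${SYSCTL:-sysctl}"
BRIDGE="${BRIDGE:-br0}"
MGMT_IP="${MGMT_IP:-192.0.2.10}"        # placeholder: the firewall's own address
NETMASK="${NETMASK:-255.255.255.0}"
GATEWAY="${GATEWAY:-192.0.2.1}"         # placeholder: upstream router, never br0 itself

# Service table (constructed from the page's rules): "proto dst_host dports".
# Port ranges use iptables syntax (20:22 means 20 through 22).
SERVICES="
tcp 62.3.3.27 20:22
tcp 62.3.3.28 80
tcp 62.3.3.28 443
"

# Explicit denies; these must sit above every per-service accept.
DENIES="
tcp 62.3.3.0/24 3306
"

# Bridge creation as on the page: member ports carry no address, br0 does.
setup_bridge() {
    "$BRCTL" addbr "$BRIDGE"
    for port in eth0 eth1; do
        "$BRCTL" addif "$BRIDGE" "$port"
        "$IFCONFIG" "$port" 0.0.0.0 up
    done
    "$BRCTL" stp "$BRIDGE" on
    "$IFCONFIG" "$BRIDGE" "$MGMT_IP" netmask "$NETMASK" up
    "$ROUTE" add default gw "$GATEWAY"
    # Bridged frames only traverse the iptables FORWARD chain with this on
    # (kernels from 3.18 on also need the br_netfilter module loaded first).
    "$SYSCTL" -w net.bridge.bridge-nf-call-iptables=1
}

# Stateful skeleton: default DROP, invalid packets out first, return traffic
# accepted before any per-service rule is consulted.
base_rules() {
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Emit one FORWARD rule per "proto host ports" line of $1 with target $2.
rules_from_table() {
    printf '%s\n' "$1" | while read -r proto host ports; do
        [ -n "$proto" ] || continue          # skip blank lines
        "$IPT" -A FORWARD -p "$proto" -d "$host" --dport "$ports" -j "$2"
    done
}

# Rate-limited log of whatever falls through to the DROP policy, so the
# firewall's own syslog shows what it is rejecting.
log_tail() {
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRFW-DROP: "
}

apply_forward_rules() {
    base_rules
    rules_from_table "$DENIES" DROP
    rules_from_table "$SERVICES" ACCEPT
    log_tail
}

# Dry-run helper: line number of the first generated rule matching $1, so
# rule ordering can be checked without touching the kernel.
rule_position() {
    ( IPT=echo; apply_forward_rules ) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Only touch the system when explicitly asked; otherwise just define functions.
if [ "${BRFW_APPLY:-0}" = 1 ]; then
    setup_bridge
    apply_forward_rules
fi
```

Run it as root on the bridge host with BRFW_APPLY=1 after setting MGMT_IP and GATEWAY; with IPT=echo (and BRCTL=echo, IFCONFIG=echo, ROUTE=echo, SYSCTL=echo) it only prints what it would do. The rule_position check is the part worth keeping: the MySQL DROP is only effective because it precedes the per-server ACCEPTs, and the ESTABLISHED,RELATED ACCEPT has to come first or every reply packet walks the whole chain.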