Bridge Firewall Linux
From MS Computech
I used this method to set it up on Debian etch.
# apt-get install bridge-utils
Put the whole configuration into /etc/rc.local:
# nano /etc/rc.local
# Bridge Interface
ifconfig eth0 down
ifconfig eth1 down
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
brctl stp br0 on
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 192.168.1.107 netmask 255.255.255.0 up
route add default gw 192.168.1.1
Install vuurmuur, an iptables GUI; for installation instructions see >> Debian&Ubuntu.
Examples of additional rules:
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some funny rules but not in a classic Iptables sorry ...
# Limit ICMP
# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# Match string, a good simple method to block some VIRUS very quickly
# (the string match needs --algo on 2.6.14+ kernels, so it is added here)
# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --algo bm --string "cmd.exe"

# Block all MySQL connection just to be sure
iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP

# Linux Mail Server Rules
# Allow FTP-DATA (20), FTP (21), SSH (22)
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT
# Allow the Mail Server to connect to the outside
# Note: This is *not* needed for the previous connections
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT

# WWW Server Rules
# Allow HTTP ( 80 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT
# Allow HTTPS ( 443 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT
# Allow the WWW server to go out
# Note: This is *not* needed for the previous connections
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
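The bridge setup and the FORWARD rules above depend on one thing the page does not check: bridged frames only reach the iptables FORWARD chain when bridge-nf-call-iptables is 1 (compiled in and on by default on the 2.6 kernels of the Debian etch era; on current kernels the br_netfilter module has to be loaded first). If it is off, every rule above is silently bypassed. The script below is an added example, not code from the page or from the vuurmuur project: it checks that sysctl and builds the same kind of default-drop, stateful FORWARD ruleset in iptables-restore format, so the chain is loaded atomically instead of rule by rule. Server addresses are constructed from the 192.0.2.0/24 documentation range; the per-host accepts are tightened to state NEW, which the page's rules do not do, and the "server may go out" rules are left out because, as the page itself notes, the ESTABLISHED,RELATED rule already covers the replies.

```shell
#!/bin/sh
# Added example (not from the original page): build the bridge firewall's
# FORWARD ruleset as an iptables-restore file instead of issuing one iptables
# command per rule. Loading it in one go means the chain is never half-built.
# Addresses used below are constructed from the 192.0.2.0/24 documentation range.

# bridge_nf_enabled: succeed only if bridged frames are handed to iptables.
# Without this the FORWARD rules below are never consulted for bridged traffic
# (on current kernels: modprobe br_netfilter first).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# allow_in HOST PROTO PORTS: one ACCEPT for new connections to HOST.
# PORTS may be a single port or a range such as 20:22.
allow_in() {
    printf '%s -p %s -d %s/32 --dport %s -m state --state NEW -j ACCEPT\n' \
        '-A FORWARD' "$2" "$1" "$3"
}

# gen_ruleset ENTRY...: print a complete filter table. Each ENTRY is
# "host,proto,ports". Policy is DROP, invalid packets are dropped, and replies
# to accepted connections come back through the ESTABLISHED,RELATED rule, so
# no separate "server may go out" rule is needed.
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m state --state INVALID -j DROP'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for entry in "$@"; do
        host=${entry%%,*}
        rest=${entry#*,}
        proto=${rest%%,*}
        ports=${rest#*,}
        allow_in "$host" "$proto" "$ports"
    done
    printf '%s\n' 'COMMIT'
}

# Usage (as root, after the bridge from /etc/rc.local is up):
#   bridge_nf_enabled || echo 'bridge-nf-call-iptables is off' >&2
#   gen_ruleset 192.0.2.27,tcp,20:22 192.0.2.28,tcp,80 192.0.2.28,tcp,443 \
#       | iptables-restore
```

Run gen_ruleset once without piping it anywhere to review the generated table; the MySQL block rule and the rate-limited ICMP accept from the page can be added as extra printf lines in the same place if you need them.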