On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl b.hackl@focusmr.com wrote:
On Tue, 17 Apr 2012 16:07:36 +0600 Arif Hossain aftnix@gmail.com wrote:
I think I've failed to describe what I'm trying to do, so I'm describing it again.
The client will send requests to BOX2's IP. BOX1's IP is used only for management purposes.
You're looking for a bridging firewall, it probably should look like this:
+--------+      +---------- internet line
| box1   |      |
|        |      |   +--------+
|   eth2---bad--+   | box2   |
|  |br|  |          |        |
|   eth1--good-------eth1    |
|        |          |        |
|   eth0------+------eth0    |
|        |    |     |        |
+--------+    |     +--------+
              |
             lan
eth0 is the (optional) internal management network
You'll need the following configurations on box1:
In /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=none

In /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0

In /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0
Restart your networking: service network restart
Verify the bridge is set up: brctl show
You probably want to netfilter your br0 device; I recommend shorewall:
Here is a short example. I'll put eth1 in zone good and eth2 in zone bad. eth0 will be in zone loc. I will allow all outgoing traffic from box2 to the internet and filter all incoming except for https and icmp ping. This example requires shorewall > 4.0. This example is for ipv4 only, ipv6 requires shorewall6.
In /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
# Your isp
inet    br0         -           bridge,proxyarp,routefilter
bad     br0:eth2    -           physical=eth2
good    br0:eth1    -           physical=eth1
# local network
loc     eth0        detect      routeback
In /etc/shorewall/zones
#ZONE       TYPE
fw          firewall
loc         ipv4
inet        ipv4
bad:inet    bport
good:inet   bport
#END
In /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG
# allow local to firewall and vice versa
loc     fw      ACCEPT
fw      loc     ACCEPT
# the next line allows all outgoing (from good to bad) traffic.
# you can also reject outgoing traffic and set single allow rules in
# the file /etc/shorewall/rules (see below)
good    bad     ACCEPT
# drop all other
bad     all     DROP    info
all     all     DROP    info
#END
In /etc/shorewall/rules
#ACTION SOURCE  DEST            PROTO   DEST
# e.g. allow ping and https only for public ip (1.2.3.4)
ACCEPT  bad     good:1.2.3.4    tcp     https
ACCEPT  bad     good:1.2.3.4    icmp    8
#END
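Added here as a worked example (it is not part of Benjamin's mail, nor shorewall's own code): a small Python evaluator for the rules and policy files quoted above, showing the order in which shorewall applies them, rules first and then the first matching policy line. The service-name map and the sample addresses are assumptions made for this demo.

```python
# Added example: mirrors shorewall's evaluation order for the two files above.
# /etc/shorewall/rules is consulted first; if no rule matches, the first
# matching /etc/shorewall/policy line decides. SERVICES is a tiny stand-in for
# /etc/services (an assumption); real shorewall supports far richer matching.
RULES = """
#ACTION SOURCE DEST          PROTO DEST
ACCEPT  bad    good:1.2.3.4  tcp   https
ACCEPT  bad    good:1.2.3.4  icmp  8
"""
POLICY = """
#SOURCE DEST POLICY LOG
loc     fw   ACCEPT
fw      loc  ACCEPT
good    bad  ACCEPT
bad     all  DROP   info
all     all  DROP   info
"""
SERVICES = {"https": 443, "http": 80, "ssh": 22}  # assumed service map

def parse(text):
    """Non-comment, non-empty lines of a shorewall file as token lists."""
    return [ln.split() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def zone_matches(spec, zone, addr):
    """spec is 'zone' or 'zone:host'; 'all' matches any zone and a host
    qualifier must equal the packet address exactly."""
    name, _, host = spec.partition(":")
    if name != "all" and name != zone:
        return False
    return not host or host == addr

def decide(src_zone, dst_zone, dst_addr, proto, port):
    """Action shorewall would take for a new connection with these attributes."""
    for action, src, dst, rproto, rport in parse(RULES):
        if (zone_matches(src, src_zone, None) and zone_matches(dst, dst_zone, dst_addr)
                and rproto == proto and str(SERVICES.get(rport, rport)) == str(port)):
            return action
    for src, dst, action, *_ in parse(POLICY):
        if zone_matches(src, src_zone, None) and zone_matches(dst, dst_zone, dst_addr):
            return action
    return "DROP"  # default closed; unreachable with the catch-all policy above

if __name__ == "__main__":
    for pkt in [("bad", "good", "1.2.3.4", "tcp", 443), ("bad", "good", "1.2.3.4", "tcp", 22),
                ("bad", "good", "5.6.7.8", "tcp", 443), ("good", "bad", "198.51.100.9", "tcp", 22)]:
        print(pkt, "->", decide(*pkt))
```

Note that the host qualifier on the DEST column means https is only opened towards 1.2.3.4; a second public address on box2 stays covered by the bad-to-all DROP policy.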
Thanks for the reply. I will try your solution and post results.