[CentOS] bridge connection and two linux servers

Tue Apr 17 13:27:17 UTC 2012
Arif Hossain <aftnix at gmail.com>

On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl <b.hackl at focusmr.com> wrote:
> On Tue, 17 Apr 2012 16:07:36 +0600
> Arif Hossain <aftnix at gmail.com> wrote:
>
>> I think I've failed to describe what I'm trying to do, so I'm
>> describing it again.
>>
>> The client will send requests to BOX2's IP. BOX1's IP is used only for
>> management purposes.
>
> You're looking for a bridging firewall, it probably should look like this:
>
>
> +--------+     +---------- internet line
> |  box1  |     |
> |        |     |   +--------+
> |   eth2---bad-+   |  box2  |
> |   |br| |         |        |
> |   eth1--good-------eth1   |
> |        |         |        |
> |   eth0------+------eth0   |
> |        |    |    |        |
> +--------+    |    +--------+
>              |
>             lan
>
> eth0 is the (optional) internal management network
>
> You'll need the following configurations on box1:
>
>
> In /etc/sysconfig/network-scripts/ifcfg-br0
> DEVICE=br0
> TYPE=Bridge
> ONBOOT=yes
> DELAY=0
> BOOTPROTO=none
>
> In /etc/sysconfig/network-scripts/ifcfg-eth1
> DEVICE=eth1
> HWADDR=<MAC>
> ONBOOT=yes
> BRIDGE=br0
>
> In /etc/sysconfig/network-scripts/ifcfg-eth2
> DEVICE=eth2
> HWADDR=<MAC>
> ONBOOT=yes
> BRIDGE=br0
>
>
> Restart your networking:
> service network restart
>
> Verify the bridge is set up:
> brctl show
>
> You probably want to netfilter your br0 device; I recommend shorewall.
>
> Here is a short example. I'll put eth1 in zone good and eth2 in zone
> bad. eth0 will be in zone loc. I will allow all outgoing traffic from
> box2 to the internet and filter all incoming except for https and icmp
> ping. This example requires shorewall > 4.0. This example is for ipv4
> only, ipv6 requires shorewall6.
>
>
> In /etc/shorewall/interfaces
> #ZONE   INTERFACE       BROADCAST       OPTIONS
>
> # Your isp
> inet    br0     -                       bridge,proxyarp,routefilter
> bad     br0:eth2        -               physical=eth2
> good    br0:eth1        -               physical=eth1
>
> # local network
> loc     eth0            detect          routeback
>
>
> In /etc/shorewall/zones
> #ZONE           TYPE
> fw              firewall
> loc             ipv4
> inet            ipv4
> bad:inet        bport
> good:inet       bport
> #END
>
> In /etc/shorewall/policy
> #SOURCE DEST    POLICY         LOG
>
> # allow local to firewall and vice versa
> loc     fw      ACCEPT
> fw      loc     ACCEPT
>
> # the next line allows all outgoing (from good to bad) traffic.
> # you can also reject outgoing traffic and set single allow rules in
> # the file /etc/shorewall/rules (see below)
> good    bad     ACCEPT
>
> # drop all other
> bad     all     DROP           info
> all     all     DROP           info
> #END
>
> In /etc/shorewall/rules
> #ACTION         SOURCE          DEST                    PROTO   DEST
> # e.g. allow ping and https only for public ip (1.2.3.4)
> ACCEPT          bad             good:1.2.3.4            tcp     https
> ACCEPT          bad             good:1.2.3.4            icmp    8
> #END
>

Thanks for the reply. I will try your solution and post results.
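As an added check, not code from this thread or from shorewall: a small shell script that verifies a bridge layout like the one Benjamin describes from the ifcfg-* files and a saved "brctl show" listing, failing if the bridge or any port carries an address or if a declared port is not actually enslaved. The function name check_bridge_cfg, the sample ifcfg files and the brctl listing are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check a CentOS bridging-firewall
# layout. check_bridge_cfg reads ifcfg-* files from a directory plus a saved
# "brctl show" listing, and fails if the bridge or any port carries an address,
# or if an interface declared as a port does not appear in the listing.
check_bridge_cfg() {
    dir=$1; bridge=$2; brout=$3
    cfg="$dir/ifcfg-$bridge"
    [ -f "$cfg" ] || { echo "missing $cfg"; return 1; }
    # A transparent filter must not be addressable on the line it filters.
    grep -q '^TYPE=Bridge' "$cfg" || { echo "$bridge: TYPE is not Bridge"; return 1; }
    grep -q '^BOOTPROTO=none' "$cfg" || { echo "$bridge: BOOTPROTO must be none"; return 1; }
    grep -q '^IPADDR=' "$cfg" && { echo "$bridge: must not carry an IPADDR"; return 1; }
    ports=0
    for f in "$dir"/ifcfg-eth*; do
        # only interfaces declaring BRIDGE=<bridge> are ports; eth0 (management) is skipped
        grep -q "^BRIDGE=$bridge\$" "$f" || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f")
        grep -q '^IPADDR=' "$f" && { echo "$dev: a bridge port must not carry an IPADDR"; return 1; }
        grep -qw "$dev" "$brout" || { echo "$dev: not enslaved to $bridge (check brctl show)"; return 1; }
        ports=$((ports + 1))
    done
    [ "$ports" -ge 2 ] || { echo "$bridge: a bridging firewall needs two ports, found $ports"; return 1; }
    echo "$bridge: ok, $ports ports enslaved"
}

# Constructed sample mirroring the ifcfg files in the reply (HWADDR lines omitted),
# plus a plausible "brctl show" listing written to a file instead of run live.
demo() {
    d=$(mktemp -d)
    printf 'DEVICE=br0\nTYPE=Bridge\nONBOOT=yes\nDELAY=0\nBOOTPROTO=none\n' > "$d/ifcfg-br0"
    printf 'DEVICE=eth1\nONBOOT=yes\nBRIDGE=br0\n' > "$d/ifcfg-eth1"
    printf 'DEVICE=eth2\nONBOOT=yes\nBRIDGE=br0\n' > "$d/ifcfg-eth2"
    printf 'DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=static\nIPADDR=192.0.2.10\n' > "$d/ifcfg-eth0"
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\nbr0\t\t8000.001122334455\tno\t\teth1\n\t\t\t\t\t\t\teth2\n' > "$d/brctl.out"
    if check_bridge_cfg "$d" br0 "$d/brctl.out"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

Run demo to see the constructed layout pass; point check_bridge_cfg at /etc/sysconfig/network-scripts and the output of "brctl show" saved to a file to check a real box.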