[CentOS] bridge connection and two linux servers
Benjamin Hackl
b.hackl at focusmr.com
Tue Apr 17 12:54:38 UTC 2012
On Tue, 17 Apr 2012 16:07:36 +0600
Arif Hossain <aftnix at gmail.com> wrote:
> I think I've failed to describe what I'm trying to do. So I'm
> describing it again.
>
> The client will send request to the BOX2's IP. BOX1's IP used only for
> management purposes.
You're looking for a bridging firewall; it probably should look like this:

+--------+                  +---------- internet line
|  box1  |                  |
|        |                  |     +--------+
|  eth2---bad---------------+     |  box2  |
|   |br| |                        |        |
|  eth1---good-------------------eth1      |
|        |                        |        |
|  eth0-----+---------------------eth0      |
|        |  |                     |        |
+--------+  |                     +--------+
            |
           lan
eth0 is the (optional) internal management network.
You'll need the following configurations on box1:
In /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=none
In /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0
In /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0
Restart your networking:
service network restart
Verify the bridge is set up:
brctl show
You probably want to netfilter your br0 device; I recommend shorewall.
Here is a short example. I'll put eth1 in zone good and eth2 in zone
bad. eth0 will be in zone loc. I will allow all outgoing traffic from
box2 to the internet and filter all incoming except for https and icmp
ping. This example requires shorewall > 4.0. This example is for IPv4
only; IPv6 requires shorewall6.
In /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
# Your isp
inet    br0         -           bridge,proxyarp,routefilter
bad     br0:eth2    -           physical=eth2
good    br0:eth1    -           physical=eth1
# local network
loc     eth0        detect      routeback
In /etc/shorewall/zones
#ZONE       TYPE
fw          firewall
loc         ipv4
inet        ipv4
bad:inet    bport
good:inet   bport
#END
In /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG
# allow local to firewall and vice versa
loc       fw     ACCEPT
fw        loc    ACCEPT
# the next line allows all outgoing (from good to bad) traffic.
# you can also reject outgoing traffic and set single allow rules in
# the file /etc/shorewall/rules (see below)
good      bad    ACCEPT
# drop all other
bad       all    DROP     info
all       all    DROP     info
#END
In /etc/shorewall/rules
#ACTION   SOURCE   DEST           PROTO   DEST
#                                         PORT
# e.g. allow ping and https only for public ip (1.2.3.4)
ACCEPT    bad      good:1.2.3.4   tcp     https
ACCEPT    bad      good:1.2.3.4   icmp    8
#END
--
Freundliche Gruesse/Best Regards
Benjamin Hackl
IT/Administration
Media FOCUS Research Ges.m.b.H.
Maculangasse 8, 1220 Wien Austria
Tel: +43 1 258 97 01-295
b.hackl at focusmr.com
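As an added example (not part of Benjamin's post; the function names and the sample command outputs are my own, constructed ones), here are two checks worth running on box1 once br0 is up and before trusting the shorewall rules: that eth1 and eth2 both really ended up enslaved to br0, and that net.bridge.bridge-nf-call-iptables is 1. With that sysctl at 0 the kernel bridges frames without passing them through iptables, so the bport rules above filter nothing and box1 is just a switch. On CentOS 6 the knob appears once the bridge module is loaded; on newer kernels it needs the br_netfilter module.

```shell
#!/bin/bash
# Added example, not part of the original post: two post-setup checks for the
# bridging firewall described above. Each check reads command output from
# stdin so it can be run against captured text; check_live feeds it the real
# thing. Function names and the sample outputs below are my own.

# Succeed if, in `brctl show` output on stdin, bridge $1 has every port named
# in the remaining arguments. brctl prints the first port on the bridge's own
# line and any further ports on indented continuation lines.
bridge_has_ports() {
    local bridge="$1"; shift
    local ports want
    ports=$(awk -v br="$bridge" '
        /^bridge name/ { next }                                  # header line
        $1 == br       { in_br = 1; if (NF >= 4) print $4; next } # bridge line
        /^[^ \t]/      { in_br = 0 }                             # another bridge
        in_br          { print $1 }                              # continuation
    ')
    for want in "$@"; do
        printf '%s\n' "$ports" | grep -qx -- "$want" || return 1
    done
    return 0
}

# Succeed if `sysctl -a` output on stdin shows bridge-nf-call-iptables = 1.
# At 0 the kernel forwards bridged frames without consulting iptables, so
# shorewall's bport rules never see them.
bridge_nf_enabled() {
    awk -F' *= *' '
        $1 == "net.bridge.bridge-nf-call-iptables" { found = 1; val = $2 }
        END { exit !(found && val == 1) }
    '
}

# Constructed sample outputs (not captured from a real box).
sample_brctl_ok() {            # both ports enslaved, as intended
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
    printf 'br0\t\t8000.001122334455\tno\t\teth1\n'
    printf '\t\t\t\t\t\t\teth2\n'
}
sample_brctl_oneport() {       # e.g. ifcfg-eth2 without BRIDGE=br0
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
    printf 'br0\t\t8000.001122334455\tno\t\teth1\n'
}
sample_sysctl_ok()     { printf 'net.bridge.bridge-nf-call-iptables = 1\n'; }
sample_sysctl_bypass() { printf 'net.bridge.bridge-nf-call-iptables = 0\n'; }

# Run both checks against the running system: ./bridgecheck.sh --live
check_live() {
    brctl show | bridge_has_ports br0 eth1 eth2 ||
        { echo "br0 is missing eth1 or eth2" >&2; return 1; }
    sysctl -a 2>/dev/null | bridge_nf_enabled ||
        { echo "bridge-nf-call-iptables is 0: bridged traffic bypasses the filter" >&2; return 1; }
    echo "bridge ports and netfilter hook look good"
}

case "${1:-}" in --live) check_live ;; esac
```

Run it with --live on box1. The checks themselves read stdin, so `brctl show | bridge_has_ports br0 eth1 eth2` also works on output saved from another machine.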