[CentOS] bridge connection and two linux servers

Benjamin Hackl b.hackl at focusmr.com
Tue Apr 17 12:54:38 UTC 2012


On Tue, 17 Apr 2012 16:07:36 +0600
Arif Hossain <aftnix at gmail.com> wrote:

> I think I've failed to describe what I'm trying to do, so I'm
> describing it again.
> 
> The client will send requests to BOX2's IP. BOX1's IP is used only for
> management purposes.

You're looking for a bridging firewall, it probably should look like this:


+--------+     +---------- internet line
|  box1  |     |
|        |     |   +--------+
|   eth2---bad-+   |  box2  |
|   |br| |         |        |
|   eth1--good-------eth1   |
|        |         |        |
|   eth0------+------eth0   |
|        |    |    |        |
+--------+    |    +--------+
              |
             lan

eth0 is the (optional) internal management network

You'll need the following configuration on box1:


In /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=none

In /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0

In /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0


Restart your networking:
service network restart

Verify the bridge is set up:
brctl show

You probably want to netfilter your br0 device; I recommend shorewall.

Here is a short example. I'll put eth1 in zone good and eth2 in zone
bad. eth0 will be in zone loc. I will allow all outgoing traffic from
box2 to the internet and filter all incoming except for https and icmp
ping. This example requires shorewall > 4.0. This example is for ipv4
only, ipv6 requires shorewall6.


In /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS

# Your isp
inet    br0     -                       bridge,proxyarp,routefilter
bad     br0:eth2        -               physical=eth2
good    br0:eth1        -               physical=eth1

# local network
loc     eth0            detect          routeback


In /etc/shorewall/zones
#ZONE           TYPE
fw              firewall
loc             ipv4
inet            ipv4
bad:inet        bport
good:inet       bport
#END

In /etc/shorewall/policy
#SOURCE DEST    POLICY         LOG

# allow local to firewall and vice versa
loc     fw      ACCEPT
fw      loc     ACCEPT

# the next line allows all outgoing (from good to bad) traffic.
# you can also reject outgoing traffic and set single allow rules in
# the file /etc/shorewall/rules (see below)
good    bad     ACCEPT

# drop all other
bad     all     DROP           info
all     all     DROP           info
#END

In /etc/shorewall/rules
#ACTION         SOURCE          DEST                    PROTO   DEST PORT
# e.g. allow ping and https only for public ip (1.2.3.4)
ACCEPT          bad             good:1.2.3.4            tcp     https
ACCEPT          bad             good:1.2.3.4            icmp    8
#END

-- 
Freundliche Gruesse/Best Regards
Benjamin Hackl
IT/Administration

Media FOCUS Research Ges.m.b.H.
Maculangasse 8, 1220 Wien Austria
Tel: +43 1 258 97 01-295
b.hackl at focusmr.com
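The policy and rules above are easy to misread because Shorewall consults /etc/shorewall/rules before /etc/shorewall/policy, and within each file the first matching line wins. The following evaluator is an added example, not part of the mail above and not Shorewall's own code: it embeds the policy and rules from the mail as constructed sample input and reports, for a given flow, which line decides its fate. It is a simplification: zones are compared by name only, so the bport zone nesting (bad:inet, good:inet) is ignored, and only the columns used in the mail are parsed.

```python
"""Evaluate flows against a Shorewall-style policy and rules file (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: the policy from the mail. Columns: SOURCE DEST POLICY [LOG]
POLICY = """
loc     fw      ACCEPT
fw      loc     ACCEPT
good    bad     ACCEPT
bad     all     DROP    info
all     all     DROP    info
"""

# Constructed sample input: the rules from the mail. Columns: ACTION SOURCE DEST PROTO DEST_PORT
RULES = """
ACCEPT  bad     good:1.2.3.4    tcp     https
ACCEPT  bad     good:1.2.3.4    icmp    8
"""

# Minimal service-name table; Shorewall itself resolves names via /etc/services.
SERVICE_PORTS = {"https": 443, "http": 80, "ssh": 22}


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: str
    dport: int  # TCP/UDP destination port, or ICMP type when proto == "icmp"


def _lines(text: str):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _port(token: str) -> Optional[int]:
    """Translate a DEST PORT token ('https', '8') into a number."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def _zone_matches(spec: str, zone: str, ip: Optional[str]) -> bool:
    """'all' matches anything; 'good' matches the zone; 'good:1.2.3.4' also needs the host."""
    if spec == "all":
        return True
    name, _, host = spec.partition(":")
    return name == zone and (host == "" or host == ip)


def evaluate(flow: Flow, rules: str = RULES, policy: str = POLICY) -> Tuple[str, str]:
    """Return (verdict, deciding line). Rules are consulted before policy; first match wins."""
    for fields in _lines(rules):
        action, src, dst, proto, dport = fields[:5]
        if (_zone_matches(src, flow.src_zone, flow.src_ip)
                and _zone_matches(dst, flow.dst_zone, flow.dst_ip)
                and proto == flow.proto
                and _port(dport) == flow.dport):
            return action, "rule: " + " ".join(fields)
    for fields in _lines(policy):
        src, dst, action = fields[:3]
        if (_zone_matches(src, flow.src_zone, flow.src_ip)
                and _zone_matches(dst, flow.dst_zone, flow.dst_ip)):
            return action, "policy: " + " ".join(fields)
    return "DROP", "no policy matched"


if __name__ == "__main__":
    # Constructed flows: inbound to box2's public IP (1.2.3.4) from the internet,
    # plus outbound and management traffic.
    samples = [
        Flow("bad", "good", "203.0.113.9", "1.2.3.4", "tcp", 443),
        Flow("bad", "good", "203.0.113.9", "1.2.3.4", "tcp", 22),
        Flow("bad", "good", "203.0.113.9", "5.6.7.8", "tcp", 443),
        Flow("bad", "good", "203.0.113.9", "1.2.3.4", "icmp", 8),
        Flow("good", "bad", "1.2.3.4", "198.51.100.7", "tcp", 80),
        Flow("loc", "fw", "192.0.2.10", None, "tcp", 22),
        Flow("fw", "bad", None, "198.51.100.7", "udp", 53),
    ]
    for f in samples:
        verdict, why = evaluate(f)
        print(f"{f.src_zone:>4} -> {f.dst_zone:<4} {f.proto}/{f.dport:<4} "
              f"dst={f.dst_ip}: {verdict} ({why})")
```

Running it shows the two things worth checking before deploying such a ruleset: SSH to the public IP is dropped by the "bad all DROP" policy even though nothing in the rules mentions it, and the firewall box itself (zone fw) cannot reach the internet because only loc<->fw and good->bad are accepted; if box1 needs updates, a separate fw->bad policy or rule is required.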
