[CentOS] bridge connection and two linux servers
Arif Hossain
aftnix at gmail.com
Tue Apr 17 13:27:17 UTC 2012
On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl <b.hackl at focusmr.com> wrote:
> On Tue, 17 Apr 2012 16:07:36 +0600
> Arif Hossain <aftnix at gmail.com> wrote:
>
>> I think I've failed to describe what I'm trying to do. So I'm
>> describing it again.
>>
>> The client will send requests to BOX2's IP. BOX1's IP is used only for
>> management purposes.
>
> You're looking for a bridging firewall, it probably should look like this:
>
>
> +--------+ +---------- internet line
> | box1 | |
> | | | +--------+
> | eth2---bad-+ | box2 |
> | |br| | | |
> | eth1--good-------eth1 |
> | | | |
> | eth0------+------eth0 |
> | | | | |
> +--------+ | +--------+
> |
> lan
>
> eth0 is the (optional) internal management network
>
> You'll need the following configurations on box1:
>
>
> In /etc/sysconfig/network-scripts/ifcfg-br0
> DEVICE=br0
> TYPE=Bridge
> ONBOOT=yes
> DELAY=0
> BOOTPROTO=none
>
> In /etc/sysconfig/network-scripts/ifcfg-eth1
> DEVICE=eth1
> HWADDR=<MAC>
> ONBOOT=yes
> BRIDGE=br0
>
> In /etc/sysconfig/network-scripts/ifcfg-eth2
> DEVICE=eth2
> HWADDR=<MAC>
> ONBOOT=yes
> BRIDGE=br0
>
>
> Restart your networking:
> service network restart
>
> Verify the bridge is set up:
> brctl show
>
> You probably want to netfilter your br0 device; I recommend shorewall:
>
> Here is a short example. I'll put eth1 in zone good and eth2 in zone
> bad. eth0 will be in zone loc. I will allow all outgoing traffic from
> box2 to the internet and filter all incoming except for https and icmp
> ping. This example requires shorewall > 4.0. This example is for ipv4
> only, ipv6 requires shorewall6.
>
>
> In /etc/shorewall/interfaces
> #ZONE INTERFACE BROADCAST OPTIONS
>
> # Your isp
> inet br0 - bridge,proxyarp,routefilter
> bad br0:eth2 - physical=eth2
> good br0:eth1 - physical=eth1
>
> # local network
> loc eth0 detect routeback
>
>
> In /etc/shorewall/zones
> #ZONE TYPE
> fw firewall
> loc ipv4
> inet ipv4
> bad:inet bport
> good:inet bport
> #END
>
> In /etc/shorewall/policy
> #SOURCE DEST POLICY LOG
>
> # allow local to firewall and vice versa
> loc fw ACCEPT
> fw loc ACCEPT
>
> # the next line allows all outgoing (from good to bad) traffic.
> # you can also reject outgoing traffic and set single allow rules in
> # the file /etc/shorewall/rules (see below)
> good bad ACCEPT
>
> # drop all other
> bad all DROP info
> all all DROP info
> #END
>
> In /etc/shorewall/rules
> #ACTION SOURCE DEST PROTO DEST
> # e.g. allow ping and https only for public ip (1.2.3.4)
> ACCEPT bad good:1.2.3.4 tcp https
> ACCEPT bad good:1.2.3.4 icmp 8
> #END
>
Thanks for the reply. I will try your solution and post results.
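The zones/policy/rules layout in Benjamin's reply has two easy-to-miss mistakes: a zone named in policy or rules that is never declared in zones, and a policy file that does not end in a catch-all DROP/REJECT. The following added example (not from this thread or from shorewall itself; the file contents are constructed from the reply above) parses the three files' whitespace-separated columns and reports both problems:

```python
"""Consistency check for the shorewall zones/policy/rules files quoted above
(added example, not from the thread or from shorewall itself). Sample contents
are constructed from the reply; the checks are assumptions about good practice."""
ZONES = """#ZONE TYPE
fw firewall
loc ipv4
inet ipv4
bad:inet bport
good:inet bport
"""
POLICY = """#SOURCE DEST POLICY LOG
loc fw ACCEPT
fw loc ACCEPT
good bad ACCEPT
bad all DROP info
all all DROP info
"""
RULES = """#ACTION SOURCE DEST PROTO DEST
ACCEPT bad good:1.2.3.4 tcp https
ACCEPT bad good:1.2.3.4 icmp 8
"""

def parse_rows(text):
    """Drop comments and blank lines; split the rest into columns."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def check_config(zones_text, policy_text, rules_text):
    """Return a list of findings; an empty list means the three files agree."""
    # 'bad:inet' in zones and 'good:1.2.3.4' in rules both carry the zone before ':'
    declared = {r[0].split(":", 1)[0] for r in parse_rows(zones_text)}
    findings = []
    policy = [r for r in parse_rows(policy_text) if len(r) >= 3]
    for row in policy:
        for z in row[:2]:  # SOURCE, DEST
            if z != "all" and z.split(":", 1)[0] not in declared:
                findings.append(f"policy references undeclared zone {z!r}")
    for row in parse_rows(rules_text):
        for z in row[1:3]:  # SOURCE, DEST (column 0 is ACTION)
            if z != "all" and z.split(":", 1)[0] not in declared:
                findings.append(f"rules references undeclared zone {z!r}")
    last = policy[-1] if policy else []
    if last[:2] != ["all", "all"] or last[2:3] not in (["DROP"], ["REJECT"]):
        findings.append("policy does not end with a catch-all DROP/REJECT")
    return findings
```

Run it against the real files with `check_config(open("/etc/shorewall/zones").read(), ...)` before `shorewall restart`; it does not replace `shorewall check`, which validates far more.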