Category: WINDOWS
2008-05-28 21:23:24
This content was provided by Francois Bayart to help users set up a Linux bridge/firewall with a 2.4.x kernel and iptables. The kernel patches have since become part of the standard Linux kernel, so no additional kernel patch is needed any more.
Configure the kernel so that it provides the necessary support: run make menuconfig or make xconfig. In the Networking options section, enable the following options:
    [*] Network packet filtering (replaces ipchains)
    [ ] Network packet filtering debugging (NEW)
    <*> 802.1d Ethernet Bridging
    [*] netfilter (firewalling) support (NEW)
Caution: you must leave the following option disabled if you want to apply firewall rules, otherwise iptables will not work:
    [ ] Network packet filtering debugging (NEW)
Next, add the correct options in the IP: Netfilter Configuration section. Then compile and install the kernel. If you want to do this the Debian way, install the kernel-package package and run make-kpkg to build a normal Debian kernel package, then install it with dpkg. Once the new kernel has been compiled and installed, install the bridge-utils package.
After these steps you can complete the configuration of the bridge. The following sections give two different ways of configuring the bridge, each with an assumed network map and the necessary commands.
This configuration uses the bridge as a firewall with network address translation (NAT) to protect a server and the internal LAN clients. The network layout is shown below:
    Internet ---- Router ( 62.3.3.25 ) ---- Bridge (62.3.3.26 gateway 62.3.3.25 / 192.168.0.1)
                                              |
                                              |
                                              |---- WWW Server (62.3.3.27 gateway 62.3.3.25)
                                              |
                                              |
                                              LAN --- Zipowz (192.168.0.2 gateway 192.168.0.1)
The commands to configure this bridge are given below.
    # Create the interface br0
    /usr/sbin/brctl addbr br0
    # Add the Ethernet interfaces to use with the bridge
    /usr/sbin/brctl addif br0 eth0
    /usr/sbin/brctl addif br0 eth1
    # Start up the Ethernet interfaces (no IP address on the member ports)
    /sbin/ifconfig eth0 0.0.0.0
    /sbin/ifconfig eth1 0.0.0.0
    # Configure the bridge Ethernet interface
    # The bridge will be correct and invisible ( transparent firewall ).
    # It's hidden in a traceroute and you keep your real gateway on the
    # other computers. Now if you want you can config a gateway on your
    # bridge and choose it as your new gateway for the other computers.
    # Netmask 255.255.255.248 is a /29, so the broadcast of the network
    # containing 62.3.3.26 is 62.3.3.31.
    /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
    # I have added this internal IP to create my NAT
    ip addr add 192.168.0.1/24 dev br0
    /sbin/route add default gw 62.3.3.25
This alternative configuration is for a system used as a transparent firewall for an internal network whose hosts have public IP addresses.
    Internet ---- Router (62.3.3.25) ---- Bridge (62.3.3.26)
                                            |
                                            |
                                            |---- WWW Server (62.3.3.28 gateway 62.3.3.25)
                                            |
                                            |
                                            |---- Mail Server (62.3.3.27 gateway 62.3.3.25)
The following commands configure the bridge.
    # Create the interface br0
    /usr/sbin/brctl addbr br0
    # Add the Ethernet interfaces to use with the bridge
    /usr/sbin/brctl addif br0 eth0
    /usr/sbin/brctl addif br0 eth1
    # Start up the Ethernet interfaces (no IP address on the member ports)
    /sbin/ifconfig eth0 0.0.0.0
    /sbin/ifconfig eth1 0.0.0.0
    # Configure the bridge Ethernet interface
    # The bridge will be correct and invisible ( transparent firewall ).
    # It's hidden in a traceroute and you keep your real gateway on the
    # other computers. Now if you want you can config a gateway on your
    # bridge and choose it as your new gateway for the other computers.
    # Netmask 255.255.255.248 is a /29, so the broadcast of the network
    # containing 62.3.3.26 is 62.3.3.31.
    /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
If you traceroute to the Linux mail server, you will not see the bridge. If you want to access the bridge with ssh, you must either give it a gateway, or first connect to another server such as the mail server and then connect to the bridge through its internal network interface.
This is an example of basic rules that can be used with either setup.
    iptables -F FORWARD
    iptables -P FORWARD DROP
    iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Some funny rules but not in a classic Iptables sorry ...
    # Limit ICMP
    # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
    # Match string, a good simple method to block some VIRUS very quickly
    # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"
    # Block all MySQL connection just to be sure
    iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP
    # Linux Mail Server Rules
    # Allow FTP-DATA ( 20 ) , FTP ( 21 ) , SSH ( 22 )
    iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT
    # Allow the Mail Server to connect to the outside
    # Note: This is *not* needed for the previous connections
    # (remember: stateful filtering) and could be removed.
    iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT
    # WWW Server Rules
    # Allow HTTP ( 80 ) connections with the WWW server
    iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT
    # Allow HTTPS ( 443 ) connections with the WWW server
    iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT
    # Allow the WWW server to go out
    # Note: This is *not* needed for the previous connections
    # (remember: stateful filtering) and could be removed.
    iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
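To see how the FORWARD chain above decides the fate of a packet (first matching rule wins, otherwise the DROP policy applies), here is a small model of exactly that chain as an added example; it is not code from the manual, and the only addresses it uses are the ones from the layouts above.

```python
# Added example: first-match model of the FORWARD chain shown above (not from the manual).
import ipaddress

MAIL, WWW, NET = "62.3.3.27/32", "62.3.3.28/32", "62.3.3.0/24"

# (match criteria, target), in the order the rules are appended; iptables stops
# at the first rule whose criteria all match. Commented-out rules are omitted.
FORWARD = [
    ({"state": {"INVALID"}}, "DROP"),
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"proto": "tcp", "dst": NET, "dport": (3306, 3306)}, "DROP"),    # MySQL
    ({"proto": "tcp", "dst": MAIL, "dport": (20, 22)}, "ACCEPT"),     # ftp-data/ftp/ssh
    ({"proto": "tcp", "src": MAIL}, "ACCEPT"),                        # mail server out
    ({"proto": "tcp", "dst": WWW, "dport": (80, 80)}, "ACCEPT"),      # http
    ({"proto": "tcp", "dst": WWW, "dport": (443, 443)}, "ACCEPT"),    # https
    ({"proto": "tcp", "src": WWW}, "ACCEPT"),                         # www server out
]
POLICY = "DROP"  # iptables -P FORWARD DROP


def matches(rule, pkt):
    """True when every criterion in the rule is satisfied by the packet."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    for key in ("src", "dst"):  # -s / -d are CIDR matches
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "dport" in rule:  # --dport lo:hi
        lo, hi = rule["dport"]
        if not lo <= pkt["dport"] <= hi:
            return False
    return True


def forward_verdict(pkt):
    """Return (verdict, index of the deciding rule); index is None when the policy decides."""
    for i, (rule, target) in enumerate(FORWARD):
        if matches(rule, pkt):
            return target, i
    return POLICY, None


def pkt(src, dst, dport, proto="tcp", state="NEW"):
    """Build a forwarded packet as seen by the conntrack state match."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "state": state}
```

Running it shows that a new inbound connection to the mail server on port 25 falls through to the DROP policy, because the ruleset above only opens ports 20 to 22 on that host, and that reply packets are accepted by the ESTABLISHED,RELATED rule before the per-server "go out" rules are ever reached, which is why the author marks those rules as removable.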