B.4. Setting up a bridge firewall

This information was contributed by Francois Bayart in order to help users set up a Linux bridge/firewall with the 2.4.x kernel and iptables. Kernel patches are no longer needed, as the code has been made a standard part of the Linux kernel distribution.

To configure the kernel with the necessary support, run make menuconfig. In the Networking options section, enable the following options:

  [*] Network packet filtering (replaces ipchains)
  [ ] Network packet filtering debugging (NEW)
  <*> 802.1d Ethernet Bridging
  [*] netfilter (firewalling) support (NEW)

Be careful: if you want to apply firewall rules you must leave the following option disabled, otherwise iptables will not work:

  [ ] Network packet filtering debugging (NEW)

Next, add the correct options in the section IP: Netfilter Configuration. Then, compile and install the kernel. If you want to do it the Debian way, install kernel-package and run make-kpkg to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the bridge-utils package.

Once these steps are done, you can complete the bridge configuration. The following sections present two different possible configurations for the bridge, each with a hypothetical network map and the commands needed to set it up.

B.4.1. A bridge providing NAT and firewall capabilities

This configuration uses the bridge as a firewall with network address translation (NAT) to protect a server and the internal LAN clients. The network layout is shown below:

  Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
                                          |
                                          |
                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)
                                          |
                                          |
                                          LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)

The commands to configure this bridge are shown below.

  # Create the interface br0
  /usr/sbin/brctl addbr br0

  # Add the Ethernet interfaces to use with the bridge
  /usr/sbin/brctl addif br0 eth0
  /usr/sbin/brctl addif br0 eth1

  # Bring up the Ethernet interfaces without an IP address of their own
  /sbin/ifconfig eth0 0.0.0.0
  /sbin/ifconfig eth1 0.0.0.0

  # Configure the bridge Ethernet interface
  # The bridge will be correct and invisible ( transparent firewall ).
  # It's hidden in a traceroute and you keep your real gateway on the
  # other computers. Now if you want you can config a gateway on your
  # bridge and choose it as your new gateway for the other computers.

  /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

  # I have added this internal IP to create my NAT
  ip addr add 192.168.0.1/24 dev br0
  /sbin/route add default gw 62.3.3.25

B.4.2. A bridge providing firewall capabilities

This possible configuration is for a system used as a transparent firewall for a LAN whose hosts have public IP addresses.

  Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)
                                        |
                                        |
                                        |---- WWW Server (62.3.3.28 gw 62.3.3.25)
                                        |
                                        |
                                        |---- Mail Server (62.3.3.27 gw 62.3.3.25)

The commands to configure this bridge are shown below.

  # Create the interface br0
  /usr/sbin/brctl addbr br0

  # Add the Ethernet interfaces to use with the bridge
  /usr/sbin/brctl addif br0 eth0
  /usr/sbin/brctl addif br0 eth1

  # Bring up the Ethernet interfaces without an IP address of their own
  /sbin/ifconfig eth0 0.0.0.0
  /sbin/ifconfig eth1 0.0.0.0

  # Configure the bridge Ethernet interface
  # The bridge will be correct and invisible ( transparent firewall ).
  # It's hidden in a traceroute and you keep your real gateway on the
  # other computers. Now if you want you can config a gateway on your
  # bridge and choose it as your new gateway for the other computers.

  /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

If you run traceroute to the Linux Mail Server you will not see the bridge. If you want to access the bridge with ssh, you must have a gateway, or you must first connect to another server, such as the Mail Server, and then connect to the bridge through its internal network interface.

B.4.3. Basic IPtables rules

This is an example of the basic rules that could be used for either of the setups above.

Example B.1. Basic iptables rules

  iptables -F FORWARD
  iptables -P FORWARD DROP
  iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Some funny rules but not in a classic Iptables sorry ...
  # Limit ICMP
  # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
  # Match string, a good simple method to block some VIRUS very quickly
  # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"

  # Block all MySQL connection just to be sure
  iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP

  # Linux Mail Server Rules

  # Allow FTP-DATA (20), FTP (21), SSH (22)
  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT

  # Allow the Mail Server to connect to the outside
  # Note: This is *not* needed for the previous connections
  # (remember: stateful filtering) and could be removed.
  iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT

  # WWW Server Rules

  # Allow HTTP ( 80 ) connections with the WWW server
  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT

  # Allow HTTPS ( 443 ) connections with the WWW server
  iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT

  # Allow the WWW server to go out
  # Note: This is *not* needed for the previous connections
  # (remember: stateful filtering) and could be removed.
  iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
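Because the FORWARD chain is evaluated top to bottom with a DROP policy, the order of the rules in Example B.1 decides what gets through: the INVALID drop runs before the stateful accept, and the MySQL drop runs before the mail server's blanket outbound accept. The following dry-run evaluator is an added example, not part of the manual: it understands only the option subset the example uses (-p, -s, -d, --dport, -m state --state, -j) and the client address 203.0.113.9 is a constructed sample.

```python
import ipaddress, shlex
# Rules from Example B.1 (comments, the flush and the commented-out lines left out).
EXAMPLE_B1 = """
iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT
iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(spec):  # iptables accepts '0/0' and dotted masks (0.0.0.0/0.0.0.0); normalise them
    addr, _, mask = spec.partition("/")
    return ipaddress.ip_network((addr if "." in addr else "0.0.0.0") + "/" + (mask or "32"), strict=False)

def parse_rule(argv):
    """Map the option/value pairs of one '-A FORWARD' line to its match criteria."""
    rule = {}
    for opt, val in zip(argv[::2], argv[1::2]):   # every option used here takes one value
        if opt in ("-s", "-d"):
            rule[opt] = _net(val)
        elif opt == "--dport":                     # single port or lo:hi range
            lo, _, hi = val.partition(":")
            rule[opt] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule[opt] = set(val.split(","))
        elif opt in ("-p", "-j"):
            rule[opt] = val
    return rule

def verdict(script, src, dst, dport, state="NEW", proto="tcp"):
    """Walk the chain top to bottom: the first matching rule decides, else the policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy, rules = "ACCEPT", []
    for line in script.strip().splitlines():
        argv = shlex.split(line)[1:]               # drop the leading 'iptables'
        if argv[0] == "-P":
            policy = argv[2]
        elif argv[0] == "-A":
            rules.append(parse_rule(argv))
    for r in rules:
        lo, hi = r.get("--dport", (0, 65535))
        if (r.get("-p", proto) == proto and src in r.get("-s", ANY) and dst in r.get("-d", ANY)
                and lo <= dport <= hi and state in r.get("--state", {state})):
            return r["-j"]
    return policy
```

A packet from 62.3.3.27 to 62.3.3.28 port 3306 is dropped even though the mail server's outbound rule would accept it, because the MySQL rule comes first; swap the two and the verdict changes.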