This post shows how to configure a bridge firewall (a transparent, layer-2 firewall whose interfaces carry no IP address of their own) on Linux.
The simple network layout is shown below:
202.202.202.x -----------eth1- Bridge Firewall -eth0------ INTERNET
The rules are:
- PCs with addresses in 202.202.202.x can access the Internet without filtering
- The Internet can reach addresses in 202.202.202.x only on port 80 (HTTP)
- The Internet cannot traceroute to addresses in 202.202.202.x
OK, let's start. Install your Linux distribution (I use CentOS 4) on a PC that has 2 NICs, then run the commands below:
ifdown eth0 -> bring interface eth0 down
ifdown eth1 -> bring interface eth1 down
ifconfig eth0 0.0.0.0 -> bring eth0 up with no IP address (bridge ports carry no address)
ifconfig eth1 0.0.0.0 -> bring eth1 up with no IP address
brctl addbr java_ux -> create bridge java_ux
brctl addif java_ux eth0 -> add eth0 as a port of bridge java_ux
brctl addif java_ux eth1 -> add eth1 as a port of bridge java_ux
ifconfig java_ux up -> activate bridge java_ux
OK, the bridge is now up on your Linux box. Next, create the firewall rules on the bridge with iptables:
# Flush all rules and delete all user-defined chains in every table
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
# Create the KEEP_STATE chain (and flush it in case it already exists)
iptables -N KEEP_STATE
iptables -F KEEP_STATE
# Drop packets in an invalid connection state, accept packets belonging to existing connections
iptables -A KEEP_STATE -m state --state INVALID -j DROP
iptables -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop malformed TCP flag combinations used by port scanners (optional)
#iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "NMAP-XMAS: "
#iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/FIN: "
#iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/RST: "
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop RST/ACKs to limit OS detection (optional). The mask must include ACK as well
# as RST: --tcp-flags compares (flags & mask) with the second list, so a mask of
# just RST can never equal RST,ACK and the rule would never match.
#iptables -A FORWARD -p tcp --tcp-flags RST,ACK RST,ACK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "RST/ACK: "
#iptables -A FORWARD -p tcp --tcp-flags RST,ACK RST,ACK -j DROP
# Hand every forwarded packet to KEEP_STATE first
iptables -A FORWARD -j KEEP_STATE
# Reject outgoing traceroute (optional): UDP probes from the inside towards the traceroute port range
#iptables -A FORWARD -p udp -s 202.202.202.x/255.255.255.255 --sport 32769:65535 --dport 33434:33523 -j REJECT
# Drop incoming traceroute: UDP probes from the Internet towards the inside address, so the
# inside address is the destination (-d), not the source. The bridge has no IP address, so it
# cannot send the ICMP error REJECT would generate; DROP says what actually happens. The final
# DROP below would catch these probes anyway; this rule just makes the intent explicit.
iptables -A FORWARD -p udp -d 202.202.202.x/255.255.255.255 --sport 32769:65535 --dport 33434:33523 -j DROP
# Allow Internet access to port 80
iptables -A FORWARD -p tcp -d 202.202.202.x/255.255.255.255 --dport 80 -j ACCEPT
# Allow outgoing traffic from the inside. Caveat: this matches on the source address only, so a
# packet arriving from the Internet side with a spoofed 202.202.202.x source is accepted as well;
# also matching the bridge port it came in on (-m physdev --physdev-in eth1) closes that hole.
iptables -A FORWARD -s 202.202.202.x/255.255.255.255 -j ACCEPT
# Drop everything not explicitly allowed (this also drops ICMP, so Windows tracert fails; a TCP
# traceroute to port 80 still gets through, because the port 80 rule above allows it)
iptables -A FORWARD -j DROP
You can put the rules above in a script file, for example script.sh, make it executable, and have it run at boot by calling it from /etc/rc.d/rc.local (rc.local is a file that runs at the end of boot, not a directory).
If you want to disable the bridge, run:
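The whole procedure as one script, added here as an example (it is not the script from the original post): it brings up the bridge, enables bridge-netfilter, and loads the rule set, with three changes a practitioner would want. The incoming-traceroute rule matches on the destination, the rules match on the bridge port a packet arrives on (-m physdev) instead of trusting its source address, and with DRY_RUN=1 the generated commands are printed for review instead of executed. The bridge name java_ux and the interface roles are the page's; the web server address 202.202.202.10, the DRY_RUN switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script. Bridge firewall bring-up
# and rule load in one place; run as root on the bridge box.
BRIDGE=java_ux
INSIDE=eth1                 # bridge port towards 202.202.202.x
OUTSIDE=eth0                # bridge port towards the Internet
WEBHOST=202.202.202.10/32   # assumed address of the host that serves HTTP

# With DRY_RUN=1 every command is printed instead of executed, so the
# generated rule set can be reviewed before it touches a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridge_up() {
    run ifconfig "$INSIDE" 0.0.0.0        # bridge ports carry no IP address
    run ifconfig "$OUTSIDE" 0.0.0.0
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$OUTSIDE"
    run brctl addif "$BRIDGE" "$INSIDE"
    run ifconfig "$BRIDGE" up
    # Bridged frames only traverse the iptables FORWARD chain when
    # bridge-netfilter is on (default on 2.6 kernels; set it explicitly).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

firewall_load() {
    for table in filter nat mangle; do
        run iptables -t "$table" -F
        run iptables -t "$table" -X
    done
    run iptables -N KEEP_STATE
    run iptables -A KEEP_STATE -m state --state INVALID -j DROP
    run iptables -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -j KEEP_STATE
    # Incoming traceroute: UDP probes arriving on the Internet-side port.
    # DROP, not REJECT: an IP-less bridge cannot source an ICMP error.
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p udp \
        --sport 32769:65535 --dport 33434:33523 -j DROP
    # Internet -> web server, port 80 only
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -p tcp \
        -d "$WEBHOST" --dport 80 -j ACCEPT
    # Inside -> anywhere, unfiltered. Matching the ingress port rather than
    # the source address means a spoofed 202.202.202.x source arriving from
    # the Internet side is not accepted by this rule.
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Usage: DRY_RUN=1 sh bridge-fw.sh up   (print the commands for review)
#        sh bridge-fw.sh up             (apply, as root)
case "${1:-}" in
    up) bridge_up; firewall_load ;;
esac
```

Review the DRY_RUN output first, then apply it as root and confirm with iptables -L FORWARD -v -n that counters on the physdev rules increase as traffic crosses the bridge; if they stay at zero, bridge-nf-call-iptables is off and the frames are bypassing the filter entirely.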
ifconfig java_ux down
brctl delif java_ux eth1
brctl delif java_ux eth0
brctl delbr java_ux
ifdown eth1
ifdown eth0
To delete all firewall rules, run:
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables --delete-chain
iptables -t nat --delete-chain
Note that the bridge does not need IP forwarding: it passes frames at layer 2 and has no IP address of its own, so the ip_forward setting has no effect here. What must be enabled is bridge-netfilter, which hands bridged packets to the iptables FORWARD chain; it is on by default on 2.6 kernels such as the one in CentOS 4, but check it (and set it if needed) with:
echo "1" > /proc/sys/net/bridge/bridge-nf-call-iptables
Tuesday, 15 January 2008