make menuconfig o make xconfig. Nella sezione Networking options, abilitate le seguenti opzioni:
[*] Network packet filtering (replaces ipchains) [ ] Network packet filtering debugging (NEW) <*> 802.1d Ethernet Bridging [*] netfilter (firewalling) support (NEW)
iptables non funzionerà.
[ ] Network packet filtering debugging (NEW)
make-kpkg to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the bridge-utils package.
Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
|
|
|---- WWW Server (62.3.3.27 gw 62.3.3.25)
|
|
LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)
# Create the interface br0 /usr/sbin/brctl addbr br0 # Add the Ethernet interface to use with the bridge /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Start up the Ethernet interface /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Configure the bridge ethernet # The bridge will be correct and invisible ( transparent firewall ). # It's hidden in a traceroute and you keep your real gateway on the # other computers. Now if you want you can config a gateway on your # bridge and choose it as your new gateway for the other computers. /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31 # I have added this internal IP to create my NAT ip addr add 192.168.0.1/24 dev br0 /sbin/route add default gw 62.3.3.25
Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)
|
|
|---- WWW Server (62.3.3.28 gw 62.3.3.25)
|
|
|---- Mail Server (62.3.3.27 gw 62.3.3.25)
# Create the interface br0 /usr/sbin/brctl addbr br0 # Add the Ethernet interface to use with the bridge /usr/sbin/brctl addif br0 eth0 /usr/sbin/brctl addif br0 eth1 # Start up the Ethernet interface /sbin/ifconfig eth0 0.0.0.0 /sbin/ifconfig eth1 0.0.0.0 # Configure the bridge Ethernet # The bridge will be correct and invisible ( transparent firewall ). # It's hidden in a traceroute and you keep your real gateway on the # other computers. Now if you want you can config a gateway on your # bridge and choose it as your new gateway for the other computers. /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
ssh, dovete avere un gateway, altrimenti dovreste prima connettervi ad un altro server, come il "Mail Server" ed in seguito connettervi al bridge tramite la scheda di rete interna.
Esempio B.1. Regole base di IPtables
iptables -F FORWARD iptables -P FORWARD DROP iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Some funny rules but not in a classic Iptables sorry ... # Limit ICMP # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT # Match string, a good simple method to block some VIRUS very quickly # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe" # Block all MySQL connection just to be sure iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP # Linux Mail Server Rules # Allow FTP-DATA (20), FTP (21), SSH (22) iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT # Allow the Mail Server to connect to the outside # Note: This is *not* needed for the previous connections # (remember: stateful filtering) and could be removed. iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT # WWW Server Rules # Allow HTTP ( 80 ) connections with the WWW server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT # Allow HTTPS ( 443 ) connections with the WWW server iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT # Allow the WWW server to go out # Note: This is *not* needed for the previous connections # (remember: stateful filtering) and could be removed. iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT