Product SiteDocumentation Site

B.4. 设定网桥防火墙

This information was contributed by Francois Bayart in order to help users set up a Linux bridge/firewall with the 2.4.x kernel and iptables. Kernel patches are no more needed as the code was made standard part of the Linux kernel distribution.
配置内核提供必要的支持, 运行 make menuconfigmake menuconfig. 在 Networking options 部分, 启用下边的选项:
[*] Network packet filtering (replaces ipchains)
[ ]   Network packet filtering debugging (NEW)
<*> 802.1d Ethernet Bridging
[*]   netfilter (firewalling) support (NEW)
小心: 您如果要应用一些防火墙规则, 必须禁用此项, 否则 iptables 不会工作.
[ ]   Network packet filtering debugging (NEW)
Next, add the correct options in the section IP: Netfilter Configuration. Then, compile and install the kernel. If you want to do it the Debian way, install kernel-package and run make-kpkg to create a custom Debian kernel package you can install on your server using dpkg. Once the new kernel is compiled and installed, install the bridge-utils package.
完成这些步骤后, 您就可以完成网桥的配置了. 下边的部分给出两种不通的配置网桥的可用方法, 都给出了假定的网络映射和必要的命令.

B.4.1. 提供 NAT 和防火墙能力的网桥

这个配置使用桥梁作为带有网络地址转发(NAT)功能的防火墙, 用于保护服务器和内部局域网客户端. 下边给出的是网络布局图::
Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
                                          |
                                          |
                                          |---- WWW Server (62.3.3.27 gw 62.3.3.25)
                                          |
                                          |
                                         LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)
#-#-#-#-# zh-CN_3.1/appendix.sgml:492 #-#-#-#-# 下边给出配置这个网桥的命令. #-#-#-#-# zh-CN_3.1/appendix.sgml:533 #-#-#-#-# 以下命令为配置网桥的过程.
# Create the interface br0
/usr/sbin/brctl addbr br0

# Add the Ethernet interface to use with the bridge
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1

# Start up the Ethernet interface
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0

# Configure the bridge ethernet
# The bridge will be correct and invisible ( transparent firewall ).
# It's hidden in a traceroute and you keep your real gateway on the 
# other computers. Now if you want you can config a gateway on your 
# bridge and choose it as your new gateway for the other computers.

/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

# I have added this internal IP to create my NAT 
ip addr add 192.168.0.1/24 dev br0
/sbin/route add default gw 62.3.3.25

B.4.2. 提供防火墙能力的网桥

这种可能的配置用于系统用于为拥有公网IP地址的内外提供透明的防火墙.
Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)
                                        |
                                        |
                                        |---- WWW Server (62.3.3.28 gw 62.3.3.25)
                                        |
                                        |
                                        |---- Mail Server (62.3.3.27 gw 62.3.3.25)
#-#-#-#-# zh-CN_3.1/appendix.sgml:492 #-#-#-#-# 下边给出配置这个网桥的命令. #-#-#-#-# zh-CN_3.1/appendix.sgml:533 #-#-#-#-# 以下命令为配置网桥的过程.
# Create the interface br0
/usr/sbin/brctl addbr br0

# Add the Ethernet interface to use with the bridge
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 eth1

# Start up the Ethernet interface
/sbin/ifconfig eth0 0.0.0.0
/sbin/ifconfig eth1 0.0.0.0

# Configure the bridge Ethernet
# The bridge will be correct and invisible ( transparent firewall ).
# It's hidden in a traceroute and you keep your real gateway on the 
# other computers. Now if you want you can config a gateway on your
# bridge and choose it as your new gateway for the other computers.

/sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
如果 traceroute Linux 邮件服务器, 您不会看到网桥. 如果想使用 ssh 访问网桥, 则必须拥有一个网关,或者首先联接到其它服务器, 如"邮件服务器". 然后通过内部网卡联接到网桥.

B.4.3. Basic IPtables rules

这是基本规则的范例, 可用于任何的设定.

例 B.1. Basic Iptables rules

iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Some funny rules but not in a classic Iptables sorry ...
# Limit ICMP 
# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# Match string, a good simple method to block some VIRUS very quickly
# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"

# Block all MySQL connection just to be sure
iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP

# Linux Mail Server Rules

# Allow FTP-DATA (20), FTP (21), SSH (22) 
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT

# Allow the Mail Server to connect to the outside
# Note: This is *not* needed for the previous connections 
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT

# WWW Server Rules

# Allow HTTP ( 80 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT

# Allow HTTPS ( 443 ) connections with the WWW server
iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT

# Allow the WWW server to go out
# Note: This is *not* needed for the previous connections 
# (remember: stateful filtering) and could be removed.
iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT