

Securing Debian Manual
Appendix D - Setting up a bridge firewall


This information was contributed by Francois Bayart to help users set up a Linux bridge/firewall with a 2.4.x kernel and iptables. Kernel patches are no longer needed, because that code has become a standard part of the Linux kernel distribution.

To configure the kernel with the necessary support, run make menuconfig or make xconfig. In the Networking options section, enable the following options:

     [*] Network packet filtering (replaces ipchains)
     [ ]   Network packet filtering debugging (NEW)
     <*> 802.1d Ethernet Bridging
     [*]   netfilter (firewalling) support (NEW)

Note: the debugging option below must be disabled if you want to apply firewalling rules, or else iptables will not work:

     [ ]   Network packet filtering debugging (NEW)

Next, add the correct options in the IP: Netfilter Configuration section. Then compile and install the kernel. If you want to do this the Debian way, install kernel-package and run make-kpkg to create a custom Debian kernel package that you can install on the server with dpkg. Once the new kernel is compiled and installed, install the bridge-utils package.

Once these steps are complete, you can finish configuring the bridge. The next sections describe two different possible configurations for the bridge, each with a hypothetical network map and the necessary commands.


D.1 A bridge providing NAT and firewall capabilities

The first configuration uses the bridge as a firewall with network address translation (NAT) to protect a server and the internal LAN clients. The network layout is shown below:

     Internet ---- router ( 62.3.3.25 ) ---- bridge (62.3.3.26 gw 62.3.3.25 / 192.168.0.1)
                                               |
                                               |
                                               |---- WWW Server (62.3.3.27 gw 62.3.3.25)
                                               |
                                               |
                                              LAN --- Zipowz (192.168.0.2 gw 192.168.0.1)

The following commands show how this bridge can be configured:

     # Create the interface br0
     /usr/sbin/brctl addbr br0
     
     # Add the Ethernet interfaces to be used by the bridge
     /usr/sbin/brctl addif br0 eth0
     /usr/sbin/brctl addif br0 eth1
     
     # Bring the Ethernet interfaces up without an IP address of their own
     /sbin/ifconfig eth0 0.0.0.0
     /sbin/ifconfig eth1 0.0.0.0
     
     # Configure the bridge interface
     # The bridge is then fully functional and invisible (transparent firewall):
     # it does not show up in a traceroute and the other hosts keep their real
     # gateway. If you prefer, you can configure a gateway on the bridge and
     # use the bridge as the new gateway for the other hosts.
     
     /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31
     
     # This internal address is added for the NAT
     ip addr add 192.168.0.1/24 dev br0
     /sbin/route add default gw 62.3.3.25

D.2 A bridge providing firewall capabilities

The second possible configuration is a system set up as a transparent firewall for a LAN with public IP address space.

     Internet ---- router (62.3.3.25) ---- bridge (62.3.3.26)
                                             |
                                             |
                                             |---- WWW Server (62.3.3.28 gw 62.3.3.25)
                                             |
                                             |
                                             |---- Mail Server (62.3.3.27 gw 62.3.3.25)

The following commands show how this bridge can be configured:

     # Create the interface br0
     /usr/sbin/brctl addbr br0
     
     # Add the Ethernet interfaces to be used by the bridge
     /usr/sbin/brctl addif br0 eth0
     /usr/sbin/brctl addif br0 eth1
     
     # Bring the Ethernet interfaces up without an IP address of their own
     /sbin/ifconfig eth0 0.0.0.0
     /sbin/ifconfig eth1 0.0.0.0
     
     # Configure the bridge interface
     # The bridge is then fully functional and invisible (transparent firewall):
     # it does not show up in a traceroute and the other hosts keep their real
     # gateway. If you prefer, you can configure a gateway on the bridge and
     # use the bridge as the new gateway for the other hosts.
     
     /sbin/ifconfig br0 62.3.3.26 netmask 255.255.255.248 broadcast 62.3.3.31

If you traceroute to the Linux mail server you will not see the bridge. If you want to reach the bridge over ssh, it must have a gateway (without a default route it can only answer hosts on its own subnet), or you must first connect to another server, such as the mail server, and then connect to the bridge through the internal network card.
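The two bridge set-ups of D.1 and D.2 rebuilt as one script with iproute2 (the successor to brctl and ifconfig) instead of the manual's own commands. This is an added example, not part of the manual. It assumes eth0 faces the router and eth1 faces the servers or LAN (both hypothetical), takes its addresses from the two network maps above, and adds two things the manual leaves implicit: the SNAT rule and IP forwarding that the NAT of D.1 actually needs, and the br_netfilter sysctl without which, on kernels newer than 2.4, bridged frames never reach the iptables FORWARD chain at all. Without an apply argument it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual.
# MODE=fw  : D.2 map, transparent firewall with a public address only
# MODE=nat : D.1 map, same bridge plus 192.168.0.1/24, a default route and SNAT
# Assumed (hypothetical) interface roles: EXT_IF toward the router, INT_IF
# toward the servers/LAN.  "sh bridge.sh apply" (as root) executes the plan;
# with no argument the commands are printed for review.
MODE="${MODE:-fw}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
BR_ADDR="62.3.3.26/29"          # 255.255.255.248 on the page is a /29
GATEWAY="62.3.3.25"             # the router in both maps
LAN_ADDR="192.168.0.1/24"       # D.1 only
LAN_NET="192.168.0.0/24"
DO_APPLY=0

# Print or execute a command, depending on DO_APPLY.
run() {
    if [ "$DO_APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# Build br0 from the two ports.  The ports carry no address of their own;
# only br0 does, exactly as with "ifconfig ethX 0.0.0.0" on the page.
bridge_up() {
    run ip link add name br0 type bridge
    run ip link set dev "$EXT_IF" master br0
    run ip link set dev "$INT_IF" master br0
    run ip link set dev "$EXT_IF" up
    run ip link set dev "$INT_IF" up
    run ip link set dev br0 up
    run ip addr add "$BR_ADDR" dev br0
    # On 2.4 bridged frames always traversed iptables.  Since 2.6 that is the
    # job of br_netfilter (a separate module from 3.18 on; modprobe fails
    # harmlessly on older kernels where it is built in) plus this sysctl.
    # Without it every FORWARD rule of D.3 is silently bypassed.
    run modprobe br_netfilter || true
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# D.1 extras: the bridge also routes for the RFC 1918 LAN behind it.
nat_up() {
    run ip addr add "$LAN_ADDR" dev br0
    run ip route add default via "$GATEWAY" dev br0
    # Bridged traffic never needs ip_forward; the routed LAN traffic does.
    run sysctl -w net.ipv4.ip_forward=1
    # The page adds 192.168.0.1 "to create my NAT" but shows no NAT rule.
    # Translate LAN sources to the bridge's public address on the way out.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o br0 \
        -j SNAT --to-source "${BR_ADDR%/*}"
}

plan() {
    bridge_up
    if [ "$MODE" = nat ]; then nat_up; fi
}

case "${1:-}" in
    apply) DO_APPLY=1; plan ;;
    *)     DO_APPLY=0; plan ;;
esac
```

Run it once without arguments and read the plan before running it with apply; the dry run is also the place to confirm that MODE, EXT_IF and INT_IF match the box you are on, since swapping the two ports is harmless for a transparent bridge but puts the SNAT on the wrong side in NAT mode.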


D.3 Basic iptables rules

Here is an example of the basic rules that can be used with either of these setups:

     iptables -F FORWARD
     iptables -P FORWARD DROP
     iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     
     # Some useful extra rules that need match extensions not found in
     # every iptables build, hence commented out.
     # Rate-limit ICMP
     # iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
     # String match: a quick and simple way to block some viruses
     # (newer iptables also require --algo bm or --algo kmp with -m string)
     # iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 -m string --string "cmd.exe"
     
     # Block all MySQL connections, just to be sure
     iptables -A FORWARD -p tcp -s 0/0 -d 62.3.3.0/24 --dport 3306 -j DROP
     
     # Linux mail server rules
     
     # Allow FTP-DATA (20), FTP (21), SSH (22)
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.27/32 --dport 20:22 -j ACCEPT
     
     # Allow the mail server to connect to the outside
     # Note: this is *not* needed for replies to the previous connections
     # (remember: stateful filtering) and could be removed.
     iptables -A FORWARD -p tcp -s 62.3.3.27/32 -d 0/0 -j ACCEPT
     
     # WWW server rules
     
     # Allow HTTP (80) connections to the WWW server
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 80 -j ACCEPT
     
     # Allow HTTPS (443) connections to the WWW server
     iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 62.3.3.28/32 --dport 443 -j ACCEPT
     
     # Allow the WWW server to go out
     # Note: this is *not* needed for replies to the previous connections
     # (remember: stateful filtering) and could be removed.
     iptables -A FORWARD -p tcp -s 62.3.3.28/32 -d 0/0 -j ACCEPT
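The same rule set rebuilt, as an added example that is not part of the manual, as a table for iptables-restore, so that the whole set loads in one step instead of leaving a window between iptables -F FORWARD and the last -A during which the policy is DROP but nothing is accepted yet. Hosts and ports are those of the D.2 map. Two additions are marked in the comments: the mail server also gets inbound SMTP (port 25), which the rules above never open although nothing else delivers mail to it, and a rule that drops TCP packets conntrack classifies as NEW but which are not SYNs. The -m state match is written in its modern spelling -m conntrack --ctstate, and the string-match example carries the --algo option newer iptables require.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual: the D.3 rules as an
# iptables-restore table.  "sh rules.sh" prints it, "sh rules.sh check"
# parses it without loading, "sh rules.sh apply" (as root) loads it atomically.
MAIL="${MAIL:-62.3.3.27}"        # mail server of the D.2 map
WWW="${WWW:-62.3.3.28}"          # www server of the D.2 map
SITE="${SITE:-62.3.3.0/24}"      # destination of the page's MySQL block

gen_filter() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# State tracking first, so every later rule only ever sees the first packet
# of a connection (the page's -m state, written as -m conntrack).
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# A TCP packet that is NEW to conntrack but not a SYN is a stray or a scan,
# never the start of a legitimate connection (addition, not on the page).
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Rate-limited ICMP; the rest of ICMP falls through to the DROP policy.
-A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
# Block MySQL into the site before any per-host ACCEPT can let it through.
-A FORWARD -p tcp -d $SITE --dport 3306 -j DROP
# Mail server: FTP-DATA, FTP, SSH as on the page (FTP data channels only
# match RELATED if the nf_conntrack_ftp helper is loaded); SMTP is an
# addition, without it the "mail server" receives no mail through the bridge.
-A FORWARD -p tcp -d $MAIL --dport 20:22 -j ACCEPT
-A FORWARD -p tcp -d $MAIL --dport 25 -j ACCEPT
# WWW server: HTTP and HTTPS.
-A FORWARD -p tcp -d $WWW -m multiport --dports 80,443 -j ACCEPT
# Connections the servers start themselves.  As the page notes, these are
# only needed for outbound connections; replies are already covered by the
# ESTABLISHED,RELATED rule.
-A FORWARD -p tcp -s $MAIL -j ACCEPT
-A FORWARD -p tcp -s $WWW -j ACCEPT
# The page's string match, with the --algo newer iptables insist on.
# Uncomment only if the xt_string module is available.
# -A FORWARD -p tcp -m string --algo bm --string "cmd.exe" -j DROP
COMMIT
EOF
}

# Parse the table without touching the running firewall.
check_filter() { gen_filter | iptables-restore --test; }

# Load the table; iptables-restore replaces the filter table in one step.
apply_filter() { gen_filter | iptables-restore; }

# Line number of the first rule matching a pattern; handy for asserting that
# the state rules and the MySQL block precede the per-host ACCEPTs.
rule_line() { gen_filter | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

case "${1:-}" in
    check) check_filter ;;
    apply) apply_filter ;;
    *)     gen_filter ;;
esac
```

Order matters in this table exactly as it does with the iptables -A commands above: the INVALID drop and ESTABLISHED,RELATED accept must come first, and the MySQL block must precede the two "-s server -j ACCEPT" rules, otherwise a server that has been compromised could reach port 3306 anywhere in the site.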



Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000

Javier Fernández-Sanguino Peña jfs@debian.org
Author, section 1.1