Author  Topic: Sharing an old article -- bridging firewall  (Read 17610 times)


SaPow

Sharing an old article -- bridging firewall
« On: 2005-04-13 11:54 »
I saw this post, http://phorum.study-area.org/viewtopic.php?t=30969 ,
so I am pulling out an old article to share, for reference.

SaPow

[ bridge firewall ]
1. Download http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.8-against-2.4.19.diff
2. Download http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.gz
3. Download http://bridge.sourceforge.net/bridge-utils/bridge-utils-0.9.6.tar.gz
4. tar zxf linux-2.4.20.tar.gz -C /usr/src/
5. mv bridge-nf-0.0.8-against-2.4.19.diff /usr/src/linux-2.4.20/
6. cd /usr/src/linux-2.4.20/ ; patch -p1 < bridge-nf-0.0.8-against-2.4.19.diff
7. make mrproper ; make menuconfig   The following options are required:

Code:
a. Code maturity level options
[*] Prompt for development and/or incomplete code/drivers
b.Loadable module support
[*] Enable loadable module support
[*]   Set version information on all module symbols
[*]   Kernel module loader
c. Networking options
[*] Network packet filtering (replaces ipchains)
[*]   Network packet filtering debugging
IP: Netfilter Configuration
<*> 802.1d Ethernet Bridging

8.  make dep clean bzImage modules modules_install ; depmod -a
9.  modify your /boot/grub/grub.conf to boot the new kernel
10. tar xvzf bridge-utils-0.9.6.tar.gz ; cd bridge-utils-0.9.6
11. ./configure --prefix=/usr/local/brctl && make && make install
12. create /root/bridge.sh
Code:
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
BRCTL="/usr/local/brctl/sbin/brctl"
$BRCTL addbr br0
$BRCTL stp br0 off
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 192.168.1.252 netmask 255.255.255.0  # note 1
route add -net 0.0.0.0 gw 192.168.1.252 netmask 0.0.0.0 br0 # note 2

13. chkconfig --level 35 network off ; echo "/root/bridge.sh" >> /etc/rc.d/rc.local
14. reboot
15. client <---> eth1 [bridge host] eth0 <---> router or ATU-R <---> internet
16. iptables -P FORWARD DROP    now the client can no longer reach the router
17. iptables -P FORWARD ACCEPT  now the client can reach the router through the bridge host
18. Note 1: if you do not want to bind an IP, change this line to ifconfig br0 0.0.0.0 ; with or without a bound IP, the bridge works the same
19. Note 2: if you do not want to bind an IP, comment this line out so it is not executed

[ Qos ]
Mark the packets passing through and hand them to cbq.init:
Code:
$iptables -t mangle -A POSTROUTING -p tcp -d 1.2.3.4 -j MARK --set-mark 1004
$iptables -t mangle -A POSTROUTING -p tcp -s 1.2.3.4 -j MARK --set-mark 2004


Download
Code:
$ vi cbq-1002.root.eth1
DEVICE=eth1,100Mbit,10Mbit
RATE=2048Kbps      # the rate
WEIGHT=200Kbit     # weight
PRIO=4             # priority
ISOLATED=no        # yes: child rules may not inherit this bandwidth; no: they may
BOUNDED=no         # yes: bandwidth is fixed and never borrows from the parent; no: it may borrow
LEAF=sfq           # must be specified when BOUNDED=no

$ vi cbq-1004.www.eth1
DEVICE=eth1,100Mbit,10Mbit
RATE=128Kbps
WEIGHT=10Kbit
PRIO=5
PARENT=1002        # the parent bandwidth definition file
BOUNDED=no
LEAF=sfq
MARK=1004

Upload
Code:
$ vi cbq-2002.root.eth0
DEVICE=eth0,100Mbit,10Mbit
RATE=2048Kbps
WEIGHT=200Kbit
PRIO=4
ISOLATED=no
BOUNDED=no
LEAF=sfq

$ vi cbq-2004.www.eth0
DEVICE=eth0,100Mbit,10Mbit
RATE=128Kbps
WEIGHT=10Kbit
PRIO=5
PARENT=2002
BOUNDED=no
LEAF=sfq
MARK=2004

$ ./cbq.init start
This limits 1.2.3.4 to 128K for both upload and download, but because BOUNDED=no it will still borrow from the parent bandwidth. To test a fixed bandwidth, change it to BOUNDED=yes, or set the parent's ISOLATED=yes so that child rules may not inherit; either works.

[firewall rule]
1. Allow the bridge's LAN side to pass through and [use] these external services:
iptables -P FORWARD DROP
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -p udp -s 1.2.3.4 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -d 1.2.3.4 --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport -s 1.2.3.4 --dport 20,21,22,25,80,110,113,443,1863,3389,9999 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport -d 1.2.3.4 --sport 20,21,22,25,80,110,113,443,1863,3389,9999 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

2. Allow the bridge's LAN side to pass through and [provide] these services to the outside:
iptables -A FORWARD -p udp -d 1.2.3.4 --dport 53 -j ACCEPT
iptables -A FORWARD -p udp -s 1.2.3.4 --sport 53 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport -d 1.2.3.4 --dport 20,21,22,25,53,80,110,113,443 -j ACCEPT
iptables -A FORWARD -p tcp -m multiport -s 1.2.3.4 --sport 20,21,22,25,53,80,110,113,443 -j ACCEPT
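As an added example (not part of SaPow's post), this script reworks the [firewall rule] section above: it keeps the default-deny FORWARD policy but replaces the --sport return rules, which would admit any packet that merely claims source port 53 or 80, with a single connection-tracking rule, and pins each client rule to the bridge port it should arrive on with the physdev match. IPT, LAN_IF, WAN_IF and the function name are this example's own; eth1 as the LAN side and eth0 as the router side follow step 15.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter FORWARD chain for
# the bridge host. IPT, LAN_IF and WAN_IF are this script's own variables;
# set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"   # bridge port facing the clients (step 15 above)
WAN_IF="${WAN_IF:-eth0}"   # bridge port facing the router

# bridge_fw_rules CLIENT_IP "tcp,ports" "udp,ports"
# Clients may only start sessions; replies come back via connection tracking.
bridge_fw_rules() {
  client=$1; tcp_ports=$2; udp_ports=$3
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  # One stateful rule replaces all the "--sport 53/80/..." rules of the
  # original, so a packet that merely claims source port 53 no longer passes.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state INVALID -j DROP
  # Bridged frames: match the bridge port they arrived on (physdev), since
  # -i/-o are not reliable on a bridge.
  $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" \
       -p icmp -s "$client" -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" \
       -p udp -s "$client" -m multiport --dports "$udp_ports" -j ACCEPT
  $IPT -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" \
       -p tcp -s "$client" --syn -m multiport --dports "$tcp_ports" -j ACCEPT
  # Anything else (including sessions started from the router side) is
  # logged, rate-limited, and then hits the DROP policy.
  $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "BRIDGE-DROP: "
}

# Usage: sh bridge-fw.sh CLIENT_IP ; the port lists are those of the post.
if [ -n "$1" ]; then
  bridge_fw_rules "$1" "20,21,22,25,80,110,113,443,1863,3389,9999" "53"
fi
```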

kenduest

Re: Sharing an old article -- bridging firewall
« Reply #1 on: 2005-04-13 12:32 »
A few additions:

1. Kernel 2.6 has officially incorporated the bridge code, including the firewall integration with netfilter, so no kernel patch is needed any more.

2. Under a bridge firewall setup, filtering on a specific interface with -i and -o may not reliably determine the actual location. So if you want to filter on a given interface, use the physdev match extension to solve this.

3. Fedora Linux 2, Mandrake Linux 10.0 and similar releases already officially support bridge network configuration in their network scripts, so you can set the bridge interface to start on every boot.

How to configure the network scripts:

/etc/sysconfig/network-scripts/ifcfg-br0:

Code:
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.1.254
NETMASK=255.255.255.0
ONBOOT=yes


/etc/sysconfig/network-scripts/ifcfg-eth0:

Code:
DEVICE=eth0
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes


/etc/sysconfig/network-scripts/ifcfg-eth1:

Code:
DEVICE=eth1
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes


==
I am kenduest - 小州

my website: http://kenduest.sayya.org/

SaPow

Sharing an old article -- bridging firewall
« Reply #2 on: 2005-04-13 13:02 »
Quote: "kenduest"
1. Kernel 2.6 has officially incorporated the bridge code,

Yes!! Because this is an old article~~ :D

Quote: "kenduest"
2. Under a bridge firewall setup,

That is why the examples never use -i or -o, and only use FORWARD with -s and -d to decide.


Finally, thanks to 洲爺 for the guidance~ much appreciated!! :P  :P  :P

大頭目

Sharing an old article -- bridging firewall
« Reply #3 on: 2005-04-19 14:35 »
Why can't I control Internet access

using
iptables -P FORWARD DROP

kenduest

Sharing an old article -- bridging firewall
« Reply #4 on: 2005-04-19 14:42 »
Quote: "kaimin"
Why can't I control Internet access
using
iptables -P FORWARD DROP


What is your kernel version? Any kernel patch?

The bridge code with netfilter support was officially incorporated in kernel 2.6; the kernel 2.4 series always has to be patched by hand.

==
I am kenduest - 小州

my website: http://kenduest.sayya.org/

大頭目

Re: Sharing an old article -- bridging firewall
« Reply #5 on: 2005-04-19 22:15 »
Quote: "SaPow"


[ bridge firewall ]
1. Download http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.8-against-2.4.19.diff
2. Download http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.gz
3. Download http://bridge.sourceforge.net/bridge-utils/bridge-utils-0.9.6.tar.gz
4. tar zxf linux-2.4.20.tar.gz -C /usr/src/
5. mv bridge-nf-0.0.8-against-2.4.19.diff /usr/src/linux-2.4.20/
6. cd /usr/src/linux-2.4.20/ ; patch -p1 < bridge-nf-0.0.8-against-2.4.19.diff
7. make mrproper ; make menuconfig   The following options are required:

Code:
a. Code maturity level options
[*] Prompt for development and/or incomplete code/drivers
b.Loadable module support
[*] Enable loadable module support
[*]   Set version information on all module symbols
[*]   Kernel module loader
c. Networking options
[*] Network packet filtering (replaces ipchains)
[*]   Network packet filtering debugging
IP: Netfilter Configuration
<*> 802.1d Ethernet Bridging

8.  make dep clean bzImage modules modules_install ; depmod -a


My kernel version is 2.4.18-3.
Following the patching method above,
I ran the patch below:

cd /usr/src/linux-2.4.20/
zcat ../bridge-nf-0.0.10-against-2.4.20.diff.gz | patch -p1
make mrproper;make menuconfig
make dep clean bzImage modules modules_install

but the kernel build would not complete; it shows the errors below!
What went wrong?????

br_netfilter.c: In function `br_nf_pre_routing_finish_bridge':
br_netfilter.c:134: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c:134: (Each undeclared identifier is reported only once
br_netfilter.c:134: for each function it appears in.)
br_netfilter.c: In function `br_nf_pre_routing_finish':
br_netfilter.c:152: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c:157: dereferencing pointer to incomplete type
br_netfilter.c:181: `BRNF_BRIDGED_DNAT' undeclared (first use in this function)
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:183: dereferencing pointer to incomplete type
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:183: dereferencing pointer to incomplete type
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:183: dereferencing pointer to incomplete type
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:183: dereferencing pointer to incomplete type
br_netfilter.c:183: sizeof applied to an incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:198: dereferencing pointer to incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:198: dereferencing pointer to incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:198: dereferencing pointer to incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:198: dereferencing pointer to incomplete type
br_netfilter.c:198: sizeof applied to an incomplete type
br_netfilter.c:201: `br_handle_frame_finish' undeclared (first use in this function)
br_netfilter.c: In function `br_nf_pre_routing':
br_netfilter.c:254: warning: implicit declaration of function `nf_bridge_alloc'
br_netfilter.c:254: warning: assignment makes pointer from integer without a cast
br_netfilter.c:259: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c:264: dereferencing pointer to incomplete type
br_netfilter.c: In function `br_nf_forward_finish':
br_netfilter.c:313: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c: In function `br_nf_forward':
br_netfilter.c:349: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c: In function `br_nf_local_out_finish':
br_netfilter.c:369: `NF_BR_PRI_FIRST' undeclared (first use in this function)
br_netfilter.c: In function `br_nf_local_out':
br_netfilter.c:424: `BRNF_BRIDGED_DNAT' undeclared (first use in this function)
br_netfilter.c:427: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c:440: `BRNF_DONT_TAKE_PARENT' undeclared (first use in this function)
br_netfilter.c: In function `br_nf_post_routing':
br_netfilter.c:501: `BRNF_PKT_TYPE' undeclared (first use in this function)
br_netfilter.c: In function `ipv4_sabotage_out':
br_netfilter.c:558: `BRNF_DONT_TAKE_PARENT' undeclared (first use in this function)
br_netfilter.c: At top level:
br_netfilter.c:574: `NF_BR_PRI_BRNF' undeclared here (not in a function)
br_netfilter.c:574: initializer element is not constant
br_netfilter.c:574: (near initialization for `br_nf_ops[0].priority')
br_netfilter.c:575: `NF_BR_PRI_BRNF' undeclared here (not in a function)
br_netfilter.c:575: initializer element is not constant
br_netfilter.c:575: (near initialization for `br_nf_ops[1].priority')
br_netfilter.c:576: `NF_BR_PRI_BRNF' undeclared here (not in a function)
br_netfilter.c:576: initializer element is not constant
br_netfilter.c:576: (near initialization for `br_nf_ops[2].priority')
br_netfilter.c:577: `NF_BR_PRI_FIRST' undeclared here (not in a function)
br_netfilter.c:577: initializer element is not constant
br_netfilter.c:577: (near initialization for `br_nf_ops[3].priority')
br_netfilter.c:578: `NF_BR_PRI_LAST' undeclared here (not in a function)
br_netfilter.c:578: initializer element is not constant
br_netfilter.c:578: (near initialization for `br_nf_ops[4].priority')
make[3]: *** [br_netfilter.o] Error 1
make[3]: Leaving directory `/usr/src/linux-2.4.20/net/bridge'
make[2]: *** [first_rule] Error 2
make[2]: Leaving directory `/usr/src/linux-2.4.20/net/bridge'
make[1]: *** [_subdir_bridge] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.20/net'
make: *** [_dir_net] Error 2

大頭目

Sharing an old article -- bridging firewall
« Reply #6 on: 2005-04-21 17:32 »
Reference documents:
http://phorum.study-area.org/viewtopic.php?t=25229&highlight=%BDs%C4%B6%AE%D6%A4%DF
http://phorum.study-area.org/viewtopic.php?t=23895&highlight=bridge
http://phorum.study-area.org/viewtopic.php?t=31046

I later combined the approaches of the three posts above and implemented it as follows: (it worked!!)

===============================================

The network layout after setup is as follows --
(the best part is that once it is set up, none of the internal PCs' IP settings need to change!)

                        254
                   253 -Router -internet
                   Firewall
Internal PC ──┬ Switch - Bridge Firewall - 252
Internal PC ──┤      251
Internal PC ──┘      (for remote login management; may also be left without a bound IP)
(1~250)

Router: 163.26.xxx.254
Firewall: 163.26.xxx.253 (this port connects to the Router)
          163.26.xxx.252 (this port connects to the Bridge Firewall host)
Bridge: 163.26.xxx.251
All internal PCs: 163.23.xxx.1~163.23.xxx.250

My preparation --

Hardware:
1 ordinary host with 2 network cards and Linux (Red Hat 7.3) already installed
Linux kernel version: 2.4.18-3

Software packages I prepared:
http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.25.tar.gz
http://nchc.dl.sourceforge.net/sourceforge/ebtables/ebtables-brnf-5_vs_2.4.25.diff.gz
http://nchc.dl.sourceforge.net/sourceforge/bridge/bridge-utils-1.0.6.tar.gz

Starting the installation --

1) First upgrade and modify the kernel (don't be afraid, this is a must! It was my first time too!)
(According to the seniors on the net, kernels 2.6 and above have the Bridge feature built in; you only need to enable it)

#cd /usr/src
#wget http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.25.tar.gz
#wget http://nchc.dl.sourceforge.net/sourceforge/ebtables/ebtables-brnf-5_vs_2.4.25.diff.gz
#tar xzvf linux-2.4.25.tar.gz
#cd linux-2.4.25
#zcat ../ebtables-brnf-5_vs_2.4.25.diff.gz | patch -p1
#make mrproper;make menuconfig
The following are required:
a. Code maturity level options
[*] Prompt for development and/or incomplete code/drivers
b. Loadable module support
[*] Enable loadable module support
[*]   Set version information on all module symbols
[*]   Kernel module loader
c. Networking options
[*] Network packet filtering (replaces ipchains)
[*]   Network packet filtering debugging
IP: Netfilter Configuration (select everything in this section)
<*> 802.1d Ethernet Bridging
<*> Bridge: ebtables (NEW) (and all of its sub-items)

#make dep clean bzImage modules modules_install;
#depmod -a
#make install
#mkinitrd -f /boot/initrd-2.4.25.img 2.4.25
#vi /boot/grub/grub.conf
Change default to 0, save and exit

#sync;sync;sync;reboot (may Buddha bless you)

2) Install the Bridge utilities package
(I also learned how to build an rpm package along the way)

#cd /usr/src
#wget http://nchc.dl.sourceforge.net/sourceforge/bridge/bridge-utils-1.0.6.tar.gz
#tar zxvf bridge-utils-1.0.6.tar.gz
#vi bridge-utils-1.0.6/bridge-utils.spec.in
In it, change
Name: @PACKAGE@ to Name: bridge-utils
Version: @VERSION@ to Version: 1.0.6

#cp bridge-utils-1.0.6/bridge-utils.spec.in /usr/src/redhat/SPECS/
#cp bridge-utils-1.0.6.tar.gz /usr/src/redhat/SOURCES/
#rpmbuild -bb /usr/src/redhat/SPECS/bridge-utils.spec
Once the rpm package is built, it is placed in /usr/src/redhat/RPMS/i386

#rpm -ivh /usr/src/redhat/RPMS/i386/bridge-utils-*
First check with rpm -q bridge-utils whether an older version is installed;
if so, change -ivh above to -Uvh

#vi /root/bridge.sh
with the following content:
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
BRCTL="/usr/sbin/brctl"
$BRCTL addbr br0
$BRCTL stp br0 off
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1
ifconfig eth0 down
ifconfig eth1 down
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 163.26.xxx.251 netmask 255.255.255.0 # note 1
route add default gw 163.26.xxx.251 # note 2

Note 1: if you do not want to bind an IP, change this line to ifconfig br0 0.0.0.0 up ; with or without a bound IP, the Bridge works the same
Note 2: if you do not want to bind an IP, do not execute this line either

Now for the exciting moment.....^_^

Controlling the whole school's Internet access --

※ Basic behaviour (block all or allow all)
1) Restrict access
iptables -P FORWARD DROP

2) Allow access
iptables -P FORWARD ACCEPT

Thanks to netman, Sapow and 小徒兒, three seniors!

peteryang

Sharing an old article -- bridging firewall
« Reply #7 on: 2005-11-11 15:01 »
Dear seniors:
I am not sure whether this reply is appropriate :oops: if not, please forgive me.

First, I referred to this article and set up a bridge on FC3. I use VLANs on a Cisco 2950 to split the external and internal sides into two VLANs. When I bring up the bridge on FC3, the Cisco 2950 automatically shuts down the two ports used by the bridge. I wonder whether this is caused by spanning-tree, making the Cisco shut them down. I would like to ask: if it is spanning-tree, is there a way to configure the Cisco so that it treats this as normal (other than turning spanning-tree off), or does the Cisco judge it to be some other cause and shut down these two ports? Please kindly advise, thank you.

首先小弟參考了這篇文章,架了bridge在FC3,小弟是在Cisco 2950上用Vlan來切,將對外及內部切成二個vlan,當小弟在FC3把bridge打開時,會發生Cisco 2950自動把用到bridge的兩個port給關掉,不知這個是不是spanning-tree發生,導致cisco將他關掉,想請問各位先進,若是spanning-tree,那是否有方法可以在cisco上設定讓他判定這個是正常的(除了把spanning-tree關掉),還是cisco判斷是別種原因造成的,所以關掉這二個port,煩請各位先進不吝指教,謝謝