Transparent Firewall

介紹:

Transparent Firewall 比 NAT Firewall 有不變動原本的網路架構的好處,

而且安了的話亦沒有人知, 亦即是做到 plug and play.

 

P.S. Firewall 的用途

  • 記錄存取
  • 網路隔離開

 

網絡接駁方式:

Internet ------>  | eth0 <---> eth1 |  -------> Server(192.168.1.254)
                  | Firewall        |

 


 

完整設定

 

介面設定:

# /etc/config/network — transparent firewall layout.
# The bridged path is eth1 <-> eth0.1: frames cross 'fw' at layer 2, so the
# server keeps its own address and gateway; nothing in the path is re-addressed.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# The bridge itself. Its address is the firewall's foothold on the bridged
# segment (used by the default route below); forwarding does not need it.
# NOTE(review): an address on the bridged segment is reachable from both
# sides of the bridge — keep management on 'admin' and restrict zone input
# for 'fw' in /etc/config/firewall accordingly.
config interface 'fw'
        option type 'bridge'
        option ifname 'eth1 eth0.1'
        option proto 'static'
        option ipaddr '192.168.123.188'
        option netmask '255.255.255.0'

config interface 'admin'                              # used to manage this firewall
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.0'

###################################################
# Split the switch ports into two VLANs: ports 2-4 (VLAN 1, tagged to the
# CPU port as eth0.1) belong to the bridge; port 1 (VLAN 2, eth0.2) is the
# dedicated admin port.
###################################################

config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0t 2 3 4'

config switch_vlan
        option device 'eth0'
        option vlan '2'
        option ports '0t 1'

###################################################
# default route — optional; only needed if the firewall itself has to reach
# hosts beyond its own subnet.
###################################################
config route
        option interface 'fw'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.123.1'
        option metric '10'

 

Firewall 設定:

 

首先要把 FORWARD 的 default policy 設定為 REJECT 或 DROP

# /etc/config/firewall — default policies. FORWARD is REJECT both globally and
# per zone, so only the explicit ACCEPT rules in /etc/firewall.user let
# traffic cross the bridge.
config defaults
        option syn_flood '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NOTE(review): disable_ipv6 presumably only skips ip6tables rule
        # generation; with net.bridge.bridge-nf-call-ip6tables=1 (system
        # settings) bridged IPv6 frames still reach ip6tables, which this
        # config leaves without rules — check `ip6tables -S FORWARD` on the
        # box and add an explicit block there if IPv6 is unwanted.
        option disable_ipv6 '1'

# No 'option network' is given, so each zone presumably binds to the network
# of the same name — verify against the running firewall.
# NOTE(review): input ACCEPT on 'fw' exposes every service the firewall runs
# on 192.168.123.188 to both sides of the bridge; restricting input here and
# managing only via 'admin' keeps the transparent path quiet.
config zone
        option name 'fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'admin'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Custom rules: the iptables commands listed under "Transparent Firewall 設定".
config include
        option path '/etc/firewall.user'

 

System 設定:

 

# Conntrack: both the legacy (ip_conntrack) and current (nf_conntrack) key
# names are set so whichever the running kernel exposes takes effect.
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=600

net.netfilter.nf_conntrack_tcp_timeout_established=600

# Enable bridge firewalling  <-- the key setting: without these, frames
# crossing the bridge never visit the iptables/arptables hooks, and the
# forwarding_fw rules below never see them.
# NOTE(review): on kernels where bridge netfilter is a separate module
# (br_netfilter) it must be loaded before these keys exist — verify on the box.
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

 

Transparent Firewall 設定:

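# Rules appended to the forwarding_fw chain (zone 'fw'); this is the body of
# /etc/firewall.user pulled in by 'config include'. Anything not matched here
# falls through to the zone's REJECT policy.
# NOTE(review): the user chain name depends on the firewall version — confirm
# with `iptables -L forwarding_fw` that the chain exists before relying on it.
LOCALIP=192.168.123.188   # the firewall's own bridge address (not referenced below)
ADMINIP=192.168.123.21    # the only host allowed to reach the server over SSH
SERVERIP=192.168.123.177  # the protected server on the eth1 side of the bridge

# Server Outgoing — anything the server itself initiates may leave.
# All expansions are double-quoted (ShellCheck SC2086) so the rules read the
# same whether or not an address ever contains something unexpected.
iptables -A forwarding_fw -s "$SERVERIP" -j ACCEPT
#iptables -A forwarding_fw -i eth0 -j ACCEPT           <-- works
#iptables -A forwarding_fw -i eth0.1 -j ACCEPT         <-- does not work
#iptables -A forwarding_fw -o eth1 -i eth0 -j ACCEPT   <-- does not work

# HTTP / HTTPS — public services on the server
iptables -A forwarding_fw -p tcp --dport 80 -d "$SERVERIP" -j ACCEPT
iptables -A forwarding_fw -p tcp --dport 443 -d "$SERVERIP" -j ACCEPT

# SSH — only from the admin host
iptables -A forwarding_fw -p tcp -s "$ADMINIP" --dport 22 -d "$SERVERIP" -j ACCEPT

# DNS (commented out: the server's outgoing queries are already covered by the
# "Server Outgoing" rule above)
#iptables -A forwarding_fw -p tcp -s "$SERVERIP" --dport 53 -j ACCEPT
#iptables -A forwarding_fw -p udp -s "$SERVERIP" --dport 53 -j ACCEPT

# DHCP — client (68) <-> server (67) in both directions.
# NOTE(review): these two rules match any host on the bridge, not just the
# server; if only $SERVERIP needs DHCP, add -s / -d "$SERVERIP" to them.
iptables -A forwarding_fw -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A forwarding_fw -p udp --sport 67 --dport 68 -j ACCEPT

# Limited Ping — echo requests to the server, at most 6 per minute (burst 6).
# The limit match counts all senders together, so one chatty host can use up
# the budget for everyone; hashlimit would rate-limit per source instead.
iptables -A forwarding_fw -p icmp -m limit -m icmp \
  --limit 6/m --limit-burst 6 --icmp-type 8 -d "$SERVERIP" -j ACCEPT

# Testing Speed — iperf port used for the throughput report below;
# remove this rule once benchmarking is finished.
iptables -A forwarding_fw -p tcp -d "$SERVERIP" --dport 5001 -j ACCEPT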


 


 

效能測試 Report:

 

Firewall(740N_v4) speed test:

[  4] local 192.168.123.10 port 53198 connected with 192.168.123.177 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 5.0 sec  56.3 MBytes  94.4 Mbits/sec
[  4]  5.0-10.0 sec  56.9 MBytes  95.4 Mbits/sec
[  4] 10.0-15.0 sec  56.2 MBytes  94.3 Mbits/sec
[  4] 15.0-20.0 sec  56.2 MBytes  94.4 Mbits/sec
[  4] 20.0-25.0 sec  56.2 MBytes  94.2 Mbits/sec
[  4] 25.0-30.0 sec  56.4 MBytes  94.6 Mbits/sec
[  4] 30.0-35.0 sec  55.9 MBytes  93.7 Mbits/sec
[  4] 35.0-40.0 sec  55.9 MBytes  93.8 Mbits/sec
[  4] 40.0-45.0 sec  56.3 MBytes  94.5 Mbits/sec
[  4] 45.0-50.0 sec  56.2 MBytes  94.4 Mbits/sec
[  4] 50.0-55.0 sec  56.0 MBytes  94.0 Mbits/sec
[  4] 55.0-60.0 sec  56.1 MBytes  94.1 Mbits/sec
[  4] 60.0-65.0 sec  56.3 MBytes  94.5 Mbits/sec
[  4] 65.0-70.0 sec  56.1 MBytes  94.0 Mbits/sec

Firewall(740N_v4) cpu usage:

01:06:25        CPU     %user     %nice   %system   %iowait    %steal     %idle
01:06:27        all      0.00      0.00      0.50      0.00      0.00     99.50
01:06:29        all      1.00      0.00     36.00      0.00      0.00     63.00
01:06:31        all      0.50      0.00     53.50      0.00      0.00     46.00
01:06:33        all      0.00      0.00     51.00      0.00      0.00     49.00
01:06:35        all      0.00      0.00     51.00      0.00      0.00     49.00
01:06:37        all      0.00      0.00     58.21      0.00      0.00     41.79
01:06:39        all      1.50      0.00     52.00      0.00      0.00     46.50
01:06:41        all      0.00      0.00     52.50      0.00      0.00     47.50
01:06:44        all      0.50      0.00     53.00      0.00      0.00     46.50
01:06:46        all      1.00      0.00     55.50      0.00      0.00     43.50
01:06:48        all      0.00      0.00     49.50      0.00      0.00     50.50
01:06:50        all      1.00      0.00     54.00      0.00      0.00     45.00
01:06:52        all      0.50      0.00     49.50      0.00      0.00     50.00
01:06:54        all      0.00      0.00     52.50      0.00      0.00     47.50
01:06:56        all      0.50      0.00     52.00      0.00      0.00     47.50
01:06:58        all      1.00      0.00     51.50      0.00      0.00     47.50

 


 

指令

用 command 直接實現, 不保存設定

 

# The member ports must carry no address of their own (0.0.0.0);
# only the bridge gets an IP.
for port in eth0 eth1; do
  ifconfig "$port" 0.0.0.0
done

# Create the bridge and enslave both ports to it
brctl addbr bri0
for port in eth0 eth1; do
  brctl addif bri0 "$port"
done

# Give the bridge its address and bring it up
ifconfig bri0 192.168.1.1 netmask 255.255.255.0 up

# Enable L2 filtering: the bridge-nf-call-* keys make bridged frames traverse
# the iptables / arptables hooks; ip_forward is kept as the page had it.
for key in net.ipv4.ip_forward \
           net.bridge.bridge-nf-call-arptables \
           net.bridge.bridge-nf-call-iptables; do
  sysctl -w "${key}=1"
done

 

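# iptables rules
# The original listing had its option dashes mangled into en-dashes ("–P",
# "–state"); restored to ASCII "-"/"--" so the commands actually parse.

# Default-deny on the bridge path: anything not accepted below is dropped.
iptables -P FORWARD DROP

# Allow replies and related traffic for connections already accepted.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow inbound services Example — SMTP to the server behind eth1
iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
  -p tcp -d 192.168.1.254 --destination-port smtp -j ACCEPT

# ... further per-service ACCEPT rules go here ...

# drop everything else
# "! -d" is the supported negation form; the older "-d \! addr" spelling
# matches the same packets but newer iptables only accepts it with a warning.
# NOTE(review): 192.168.1.5 differs from the 192.168.1.254 server address used
# above — presumably a leftover from another host; verify which is intended.
# With the DROP policy set first, this final REJECT only changes the response
# (ICMP/RST instead of silence) for traffic headed to other destinations.
iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
  ! -d 192.168.1.5 -j REJECT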