Transparent Firewall

最後更新: 2022-01-24

介紹

Transparent Firewall (透明防火牆) 相比 NAT Firewall 的好處是不需要改動原本的網路架構,

因為使用者不知道安裝了它, 亦即是做到 plug and play.

P.S. Firewall 的用途

  • 記錄存取
  • 網路隔離

網絡接駁方式:

Internet --->  | eth0.1 <---> eth0.2 |  ---> (Wan IP)Server
               |       Firewall      |
                          |
Remote Control  ------  eth1

NIC

  • eth0.x  # Router 的 Lan Port
  • eth1     # Router 的 Wan Port

目錄

 


Config File 設定

 

網絡介面設定:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'fw'
        option type 'bridge'
        option ifname 'eth0.1 eth0.2'
        option proto 'static'
        option ipaddr '192.168.123.188'
        option netmask '255.255.255.0'

config interface 'admin'          # 用來管理此 firewall
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.0'

##################
# 把 lan port 分開
##################
config switch
        option name 'eth0'
        option reset '1'
        option enable_vlan '1'

# option ports '0t 1 2 3 4'

config switch_vlan
        option device 'eth0'
        option vlan '1'
        option ports '0t 1'

config switch_vlan
        option device 'eth0'
        option vlan '2'
        option ports '0t 2'

################
# default route
################
config route
        option interface 'fw'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '192.168.123.1'
        option metric '10'

 

Firewall 設定:

首先要把 FORWARD 的 default policy 設定為 REJECT (或 DROP)

config defaults
        option syn_flood '1'
        option drop_invalid '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'fw'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'admin'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config include
        option path '/etc/firewall.user'

 

System 設定:

net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_tcp_timeout_established=600

# Enable bridge firewalling  <-- 關鍵設定來
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

 

Transparent Firewall 設定:

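# Rules for the transparent bridge. They are appended to 'forwarding_fw',
# the forward chain of the firewall zone named 'fw' (see the 'config zone'
# and 'config include' entries of the firewall config); traffic that matches
# no rule falls through to that zone's forward policy (REJECT).
# NOTE(review): the chain name follows the older OpenWrt firewall's
# forwarding_<zone> convention - confirm it matches the firewall in use.
# Kept POSIX-sh compatible: /etc/firewall.user is sourced by /bin/sh, so no
# bashisms and no 'set -e' (it would leak into the sourcing shell).

LOCALIP='192.168.123.188'   # bridge's own address; no rule below uses it
ADMINIP='192.168.123.21'    # only host allowed to SSH into the server
SERVERIP='192.168.123.177'  # host behind the bridge that these rules protect

# Server outgoing: anything the server originates is forwarded.
iptables -A forwarding_fw -s "$SERVERIP" -j ACCEPT
# Interface-based variants tried on the bridge, kept for reference:
#iptables -A forwarding_fw -i eth0 -j ACCEPT           <-- works
#iptables -A forwarding_fw -i eth0.1 -j ACCEPT         <-- does not work
#iptables -A forwarding_fw -o eth1 -i eth0 -j ACCEPT   <-- does not work

# HTTP / HTTPS to the server, from any source.
iptables -A forwarding_fw -p tcp --dport 80  -d "$SERVERIP" -j ACCEPT
iptables -A forwarding_fw -p tcp --dport 443 -d "$SERVERIP" -j ACCEPT

# SSH to the server, only from the admin host.
iptables -A forwarding_fw -p tcp -s "$ADMINIP" --dport 22 -d "$SERVERIP" -j ACCEPT

# DNS (commented out: the server-outgoing rule above already covers it).
#iptables -A forwarding_fw -p tcp -s "$SERVERIP" --dport 53 -j ACCEPT
#iptables -A forwarding_fw -p udp -s "$SERVERIP" --dport 53 -j ACCEPT

# DHCP, both directions. These two rules carry no -s/-d restriction, so any
# DHCP exchange crossing the bridge is forwarded; narrow them to the expected
# DHCP server if that is not intended.
iptables -A forwarding_fw -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A forwarding_fw -p udp --sport 67 --dport 68 -j ACCEPT

# Limited ping: echo-request (type 8) to the server, rate limited.
# '-m limit' goes last so its token bucket is charged only for packets that
# already matched the ICMP type and the destination; with the limit match
# first, every ICMP packet reaching this rule would spend a token, even those
# the following matches then reject.
iptables -A forwarding_fw -p icmp -m icmp --icmp-type 8 -d "$SERVERIP" \
  -m limit --limit 6/m --limit-burst 6 -j ACCEPT

# Throughput test port (5001, used by the speed test report; open from any
# source) - remove once testing is done.
iptables -A forwarding_fw -p tcp -d "$SERVERIP" --dport 5001 -j ACCEPT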

 


效能測試 Report

 

Firewall(740N_v4) speed test:

[  4] local 192.168.123.10 port 53198 connected with 192.168.123.177 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 5.0 sec  56.3 MBytes  94.4 Mbits/sec
[  4]  5.0-10.0 sec  56.9 MBytes  95.4 Mbits/sec
[  4] 10.0-15.0 sec  56.2 MBytes  94.3 Mbits/sec

Firewall(740N_v4) cpu usage:

01:06:25        CPU     %user     %nice   %system   %iowait    %steal     %idle
01:06:27        all      0.00      0.00      0.50      0.00      0.00     99.50
01:06:29        all      1.00      0.00     36.00      0.00      0.00     63.00
01:06:31        all      0.50      0.00     53.50      0.00      0.00     46.00
01:06:33        all      0.00      0.00     51.00      0.00      0.00     49.00
01:06:35        all      0.00      0.00     51.00      0.00      0.00     49.00

結論

Rules    Speed:            CPU

8          100Mbit/s        50%

 


指令設定

 

用 command 實現 (不保存設定)

 

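# Bridged ports must carry no IP address of their own (must be 0.0.0.0).
# NOTE(review): this generic example bridges eth0 and eth1, unlike the UCI
# config above, which bridges eth0.1/eth0.2 and keeps eth1 for admin access.
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0

# Create the bridge and attach both ports.
brctl addbr bri0
brctl addif bri0 eth0
brctl addif bri0 eth1

# Management address of the bridge device itself.
ifconfig bri0 192.168.1.1 netmask 255.255.255.0 up

# Make bridged (L2) frames pass through iptables/arptables.
# NOTE(review): ip_forward governs L3 routing, not bridging; the two
# bridge-nf settings are what expose bridged traffic to the FORWARD chain.
# Kept as in the original - confirm whether ip_forward is needed here.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.bridge.bridge-nf-call-arptables=1
sysctl -w net.bridge.bridge-nf-call-iptables=1

# iptables rules: default-deny on FORWARD, then allow replies to established
# flows. (The option dashes must be ASCII hyphens; en dashes are rejected
# by iptables.)
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow inbound services, example: SMTP to one host.
iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
  -p tcp -d 192.168.1.254 --destination-port smtp -j ACCEPT

# ... further allow rules go here ...

# Reject everything else that is not destined to 192.168.1.5.
# Negation goes before the option ('! -d'); the intrapositioned form
# ('-d ! addr') is deprecated in iptables.
iptables -A FORWARD --in-interface eth0 --out-interface eth1 \
  ! -d 192.168.1.5 -j REJECT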

 

 

 

 

 

 
