iptables bridge (transparent firewall)
bridge.sh
#!/bin/sh
#
#/etc/init.d/bridge
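# Red Hat init-script helpers: `action` (called by start/stop below) is not
# defined in this file, and the $"..." locale strings are a bash extension,
# so /bin/sh must be bash as it is on those systems. Source the helper library
# when present and otherwise install a minimal `action` shim so the script
# fails on the real setup steps rather than on "action: not found".
if [ -r /etc/init.d/functions ]; then
  . /etc/init.d/functions
fi
if ! command -v action >/dev/null 2>&1; then
  # action MESSAGE COMMAND [ARGS...]: print MESSAGE, run COMMAND, return its status.
  action() {
    printf '%s\n' "$1"
    shift
    "$@"
  }
fi
# Exit status of the selected action; 0 until a handler reports otherwise.
RETVAL=0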
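#######################################
# Build the transparent bridge br0 from eth0 and eth1 and load the connection
# tracking modules that the FORWARD rules (bridge_firewall.sh) depend on.
# The steps are chained in _bridge_up so `action` reports the real outcome
# instead of the unconditional OK that `action ... true` produced, and a
# subsys lock is written so the condrestart arm can see the service started.
# Globals:  RETVAL (written)
# Returns:  0 when every step succeeded, otherwise the first failure's status
#######################################
_bridge_up() {
  # Load conntrack before any port forwards traffic so the stateful rules can
  # match from the first packet. Newer kernels name the modules nf_conntrack*;
  # try that first and fall back to the legacy ip_conntrack* names.
  # No IP address is assigned to br0 or its ports: the firewall stays
  # invisible at layer 3.
  { modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack; } &&
  { modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp; } &&
  brctl addbr br0 &&
  brctl addif br0 eth0 &&
  brctl addif br0 eth1 &&
  brctl setfd br0 1 &&
  ifconfig br0 up &&
  ifconfig eth0 up &&
  ifconfig eth1 up
}

start() {
  # NOTE: frames are forwarded as soon as the ports come up; the FORWARD
  # policy from bridge_firewall.sh should already be loaded at that point so
  # nothing crosses the bridge unfiltered.
  action $"Starting bridging firewall:" _bridge_up
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ] && [ -d /var/lock/subsys ]; then
    touch /var/lock/subsys/bridge
  fi
  echo
  return "$RETVAL"
}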
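#######################################
# Tear down br0: bring the ports and the bridge down, detach the ports and
# delete the bridge. The steps are chained in _bridge_down so `action`
# reports the real outcome instead of the unconditional OK that
# `action ... true` produced; on success the subsys lock is removed so
# condrestart no longer treats the service as running.
# Globals:  RETVAL (written)
# Returns:  0 when every step succeeded, otherwise the first failure's status
#######################################
_bridge_down() {
  ifconfig eth1 down &&
  ifconfig eth0 down &&
  ifconfig br0 down &&
  brctl delif br0 eth1 &&
  brctl delif br0 eth0 &&
  brctl delbr br0
}

stop() {
  action $"Stopping bridging firewall:" _bridge_down
  RETVAL=$?
  # Keep the lock if teardown failed part-way: the bridge may still exist.
  if [ "$RETVAL" -eq 0 ]; then
    rm -f /var/lock/subsys/bridge
  fi
  echo
  return "$RETVAL"
}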
# Full cycle: tear the bridge down, then build it again. The status of
# `start` is what the caller sees.
restart() { stop; start; }
# There is no rule reload for a bridge; `reload` is an alias for `restart`.
reload() { restart; }
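# Dispatch on the requested action. Each arm records the handler's status in
# RETVAL so the exit code reflects what actually happened: the previous
# `exit $?` always returned the status of the handler's trailing `echo`, and
# the `exit $RETVAL` after it was unreachable.
case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    stop
    RETVAL=$?
    ;;
  reload|restart)
    restart
    RETVAL=$?
    ;;
  condrestart)
    # Only restart a service that was started through this script.
    if [ -f /var/lock/subsys/bridge ]; then
      restart
      RETVAL=$?
    fi
    ;;
  status)
    # `status` was advertised in the usage text but had no arm. Report on the
    # bridge device itself rather than on the lock file; 3 is the LSB code
    # for "not running".
    if [ -d /sys/class/net/br0 ]; then
      echo $"br0 bridge is up"
      RETVAL=0
    else
      echo $"br0 bridge is not configured"
      RETVAL=3
    fi
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    exit 1
    ;;
esac
exit "$RETVAL"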
bridge_firewall.sh
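#!/bin/sh
# FORWARD policy for the transparent bridge br0: default deny, stateful
# return traffic, unrestricted egress from the LAN, and one published web
# server. Stop on the first failing command: the policy is set to DROP before
# any rule is added, so an early exit leaves the bridge closed, not open.
set -eu

# LAN prefix and published host; override through the environment.
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.2}
# Bridge port the LAN is attached to (eth0 or eth1; not stated here, so unset
# by default). When set, the egress rule is pinned to frames that actually
# arrived on that port, so a frame carrying a LAN source address that arrives
# on the outside port is not accepted by the egress rule.
INSIDE_IF=${INSIDE_IF:-}

# Bridged frames only traverse iptables when bridge-nf-call-iptables is
# enabled; newer kernels need the br_netfilter module for that (older kernels
# build it into the bridge module, so a missing module is not an error).
# Without this the FORWARD rules below never see bridged traffic.
modprobe br_netfilter 2>/dev/null || :
if [ -w /proc/sys/net/bridge/bridge-nf-call-iptables ]; then
  echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
fi

# Connection tracking, needed by the stateful rules below. Newer kernels name
# the modules nf_conntrack*; fall back to the legacy ip_conntrack* names.
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp

# Default deny first, then flush, so re-running the script replaces the rule
# set instead of appending duplicates and never leaves a permissive chain.
iptables -P FORWARD DROP
iptables -F FORWARD

# Stateful handling: drop what conntrack cannot classify, let replies to
# already-accepted connections through. The two states are exclusive, so
# their relative order does not matter.
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# All outbound traffic from the LAN.
if [ -n "$INSIDE_IF" ]; then
  iptables -A FORWARD -m physdev --physdev-in "$INSIDE_IF" -s "$LAN_NET" -j ACCEPT
else
  iptables -A FORWARD -s "$LAN_NET" -j ACCEPT
fi

# Inbound services published to the outside: HTTP to the web host only.
iptables -A FORWARD -p tcp -d "$WEB_HOST" --dport 80 -j ACCEPT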
|