On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl <b.hackl@xxxxxxxxxxx> wrote: > On Tue, 17 Apr 2012 16:07:36 +0600 > Arif Hossain <aftnix@xxxxxxxxx> wrote: > >> I think i've failed to describe what i'm trying to do. So i'm >> describing it again. >> >> The client will send request to the BOX2's IP. BOX1's IP used only for >> management purposes. > > You're looking for a bridging firewall, it probably should look like this: > > > +--------+ +---------- internet line > | box1 | | > | | | +--------+ > | eth2---bad-+ | box2 | > | |br| | | | > | eth1--good-------eth1 | > | | | | > | eth0------+------eth0 | > | | | | | > +--------+ | +--------+ > | > lan > > eth0 is the (optional) internal management network > > you'll need the following configurations on box1: > > > In /etc/sysconfig/network-scripts/ifcfg-br0 > DEVICE=br0 > TYPE=Bridge > ONBOOT=yes > DELAY=0 > BOOTPROTO=none > > In /etc/sysconfig/network-scripts/ifcfg-eth1 > DEVICE=eth1 > HWADDR=<MAC> > ONBOOT=yes > BRIDGE=br0 > > In /etc/sysconfig/network-scripts/ifcfg-eth2 > DEVICE=eth2 > HWADDR=<MAC> > ONBOOT=yes > BRIDGE=br0 > > > Restart your networking: > service network restart > > Verify the bridge is set up: > brctl show > > You probably want to netfilter your br0 device, I recommend shorewall: > > Here is a short example. I'll put eth1 in zone good and eth2 in zone > bad. eth0 will be in zone loc. I will allow all outgoing traffic from > box2 to the internet and filter all incoming except for https and icmp > ping. This example requires shorewall > 4.0. This example is for ipv4 > only, ipv6 requires shorewall6. > > > In /etc/shorewall/interfaces > #ZONE INTERFACE BROADCAST OPTIONS > > # Your isp > inet br0 - bridge,proxyarp,routefilter > bad br0:eth2 - physical=eth2 > good br0:eth1 - physical=eth1 > > # local network > loc eth0 detect routeback > > > In /etc/shorewall/zones > #ZONE TYPE > fw firewall > loc ipv4 > inet ipv4 > bad:inet bport > good:inet bport > #END > > In /etc/shorewall/policy > #SOURCE DEST POLICY LOG > > # allow local to firewall and vice versa > loc fw ACCEPT > fw loc ACCEPT > > # the next line allows all outgoing (from good to bad) traffic. > # you can also reject outgoing traffic and set single allow rules in > # the file /etc/shorewall/rules (see below) > good bad ACCEPT > > # drop all other > bad all DROP info > all all DROP info > #END > > In /etc/shorewall/rules > #ACTION SOURCE DEST PROTO DEST > # e.g. allow ping and https only for public ip (1.2.3.4) > ACCEPT bad good:1.2.3.4 tcp https > ACCEPT bad good:1.2.3.4 icmp 8 > #END > thanks for the reply. i will try your solution and post results _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos