Install a bridged firewall (iptables) on CentOS

A bridged (transparent) firewall sits on the wire between your uplink and your equipment: the protected hosts keep their public IP addresses (no NAT) and the firewall itself is invisible at the IP layer, yet iptables can still filter every frame that crosses the bridge.

Here is a rudimentary guide for CentOS/RHEL-based distributions:

Requirements

A server with at least two NICs. One NIC connects to your uplink; the other connects to the switch your 'behind the firewall' equipment hangs off. Both NICs are enslaved to one virtual bridge interface (br0 below), which also carries the firewall's own management IP address.

Install Bridge-Utils

yum install bridge-utils

Create & modify network scripts

Create this config file (the IP address is the firewall's own management address; DELAY=0 disables the STP forwarding delay so the bridge starts passing traffic as soon as it comes up):
/etc/sysconfig/network-scripts/ifcfg-br0

Sample:
DEVICE=br0
TYPE=Bridge
IPADDR=85.158.104.2
GATEWAY=85.158.104.1
NETMASK=255.255.255.0
DELAY=0
ONBOOT=yes

Modify this config file (the physical NICs get no IP address of their own; TYPE must be Ethernet, the value the network scripts recognise):
/etc/sysconfig/network-scripts/ifcfg-eth0

Sample:
DEVICE=eth0
TYPE=Ethernet
BRIDGE=br0
ONBOOT=yes

Modify this config file the same way for the second NIC:
/etc/sysconfig/network-scripts/ifcfg-eth1

Sample:
DEVICE=eth1
TYPE=Ethernet
BRIDGE=br0
ONBOOT=yes

Restart your network (do this from the console, since the interfaces you are logged in over go away while the bridge comes up; afterwards brctl show should list both NICs under br0):

service network restart

Install and configure iptables

yum install iptables (or yum update iptables if it is already installed)

Bridged frames are only handed to iptables when the kernel's bridge-netfilter hook is on: /proc/sys/net/bridge/bridge-nf-call-iptables must read 1 (on recent kernels the br_netfilter module has to be loaded first). Without it the FORWARD rules below never see any traffic and the bridge simply passes everything.

Example iptables commands. Note that they are stateless: replies get back in by matching source port 53 or because only SYN packets are sent to the firewall chain, and anything the rules do not match (other protocols, non-SYN TCP, other hosts) falls through to the FORWARD chain's default policy, which is ACCEPT unless you change it with iptables -P.

Example:
# Flush the firewall: rules must be flushed (and counters zeroed) before a
# user chain can be deleted, since -X refuses to remove a non-empty chain
iptables -F
iptables -Z
iptables -X firewall
iptables -X
# Set up the firewall chain (everything that gets blocked is sent here)
iptables -N firewall
iptables -A firewall -j LOG --log-level info --log-prefix "Firewall:"
iptables -A firewall -j DROP
# Set up rules INT->EXT (what the protected host may send out)
iptables -A FORWARD -s 85.158.104.3 -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -s 85.158.104.3 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s 85.158.104.3 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 85.158.104.3 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 85.158.104.3 -p icmp -j ACCEPT
# Block anything else INT->EXT (send it to the firewall chain). Only SYN
# packets are blocked for TCP, so replies to inbound connections still pass
iptables -A FORWARD -s 85.158.104.3 -p icmp -j firewall
iptables -A FORWARD -s 85.158.104.3 -p tcp --syn -j firewall
iptables -A FORWARD -s 85.158.104.3 -p udp -j firewall
# Set up rules EXT->INT (what the outside may send to the protected host;
# the --sport 53 rules let DNS answers back in)
iptables -A FORWARD -d 85.158.104.3 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 85.158.104.3 -p icmp -j ACCEPT
iptables -A FORWARD -d 85.158.104.3 -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -d 85.158.104.3 -p tcp --sport 53 -j ACCEPT

# Block anything else EXT->INT (send it to the firewall chain)
iptables -A FORWARD -d 85.158.104.3 -p icmp -j firewall
iptables -A FORWARD -d 85.158.104.3 -p tcp --syn -j firewall
iptables -A FORWARD -d 85.158.104.3 -p udp -j firewall
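
Added example, not a script from the original page: a small POSIX shell script that produces the same policy in iptables-restore format, but stateful and with a default DROP policy on FORWARD, so that anything the explicit rules do not accept is logged and dropped regardless of protocol or TCP flags. It also checks the bridge-netfilter sysctl, since without it the bridge bypasses iptables entirely. The protected host (85.158.104.3) and the port lists are the page's values, passed in as parameters; the function names, the ruleset layout and the use of conntrack (-m state) instead of source-port matching are this example's own choices.

```bash
#!/bin/sh
# Added example, not the original page's script: build a stateful ruleset for
# a bridged firewall in iptables-restore format, and check that bridged
# frames are actually handed to iptables.

# Return success only if the kernel hands bridged IPv4 frames to iptables.
# $1 (optional) overrides the sysctl path, which is useful for testing.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print an iptables-restore ruleset for one protected host.
#   $1  protected host IP (e.g. 85.158.104.3)
#   $2  TCP ports the host may open outbound (space separated)
#   $3  TCP ports the outside may open to the host (space separated)
# UDP 53 outbound and ICMP in both directions are always allowed, as on the page.
gen_ruleset() {
    host="$1"; out_tcp="$2"; in_tcp="$3"
    printf '%s\n' '*filter'
    # Default DROP on FORWARD: anything not accepted below is dropped even if
    # it is a protocol or TCP flag combination no rule mentions.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':firewall - [0:0]'
    # Log-then-drop chain, same as the page's "firewall" chain.
    printf '%s\n' '-A firewall -j LOG --log-level info --log-prefix "Firewall:"' \
                  '-A firewall -j DROP'
    # Conntrack lets replies to accepted connections through, so no
    # --sport 53 style rules are needed and a spoofed source port gains nothing.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # INT->EXT: new connections the host may open.
    for p in $out_tcp; do
        printf '%s\n' "-A FORWARD -s $host -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -s $host -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $host -p icmp -j ACCEPT"
    # EXT->INT: new connections the outside may open to the host.
    for p in $in_tcp; do
        printf '%s\n' "-A FORWARD -d $host -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -d $host -p icmp -j ACCEPT"
    # Everything else to or from the host is logged and dropped. Traffic for
    # any other address behind the bridge hits the DROP policy silently.
    printf '%s\n' "-A FORWARD -s $host -j firewall"
    printf '%s\n' "-A FORWARD -d $host -j firewall"
    printf '%s\n' 'COMMIT'
}

# Usage: sh bridge-fw.sh 85.158.104.3 "20 21 53 80" 80 > /etc/sysconfig/iptables
# then:  iptables-restore < /etc/sysconfig/iptables
if [ "$#" -ge 1 ]; then
    bridge_nf_enabled || echo 'warning: bridge-nf-call-iptables is not 1; bridged traffic bypasses iptables' >&2
    gen_ruleset "$@"
fi
```

Load the generated file with iptables-restore rather than pasting the rules one by one: iptables-restore applies the whole table atomically, so there is no window during which the bridge forwards with a half-built ruleset. The warning on stderr is the check most often forgotten on a bridge: with the sysctl at 0 the ruleset loads fine and matches nothing.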

Save iptables config (and make sure the iptables service is enabled at boot with chkconfig, otherwise the saved rules are not loaded after a reboot)

iptables-save > /etc/sysconfig/iptables

Show iptables config (-L is upper case; -n skips DNS lookups and -v shows the packet counters, which is the quickest way to confirm that bridged traffic is actually hitting the FORWARD rules)

iptables -L -n -v