
ClearBOX As A Transparent Inline Bridge

Overview

The purpose of this document is to configure a ClearBOX 100 (units that have network bypass) or a ClearBOX 300 Series unit as an inline transparent bridge. A typical use of ClearOS as a transparent bridge is content filtering.

For the purposes of this demonstration we will be configuring a ClearBOX 300 (Gen1) server as a content filtering bridge with a 'fail open' configuration on the bypass. The starting point is a system configured through the wizard as a gateway server, with no packages installed via the wizard, and with SSH opened in the 'Incoming Firewall' rules. In addition, all updates were applied using 'yum update'.

Bridge

The first step is to configure ClearOS as a bridge. At the time of this writing, the ClearOS 6 GUI supports and recognizes bridges but cannot be used to configure them.

Edit the following files (leave the HWADDR and UUID lines alone):

/etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
UUID="00000000-0000-0000-0000-000000000000"
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-eth1:

DEVICE=eth1
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
UUID="00000000-0000-0000-0000-000000000000"
BRIDGE=br0

/etc/sysconfig/network-scripts/ifcfg-br0:

DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
BRIDGE_STP="yes"
IPADDR="192.168.1.2"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"

/etc/sysconfig/network:

NETWORKING=yes
HOSTNAME="hostname.server.lan"
NOZEROCONF="yes"
GATEWAYDEV="br0"

Next, you need to make changes to the firewall. The firewall needs to know about your new br0 network interface. In the /etc/clearos/network.conf configuration file, update the MODE, LANIF and EXTIF parameters:

MODE="trustedgateway"
EXTIF="br0"
LANIF="br0"

After you have made these changes, reboot the system and test the bridge.
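Before rebooting, it is worth checking that the three ifcfg files agree with each other: a bridge port that kept its own IPADDR, or one that lost its BRIDGE line, leaves the box half-routed and can take the LAN down with it. The following POSIX shell script is an added example and is not part of the ClearOS guide; the function names and the constructed sample files are my own, and the sample reproduces the values shown above.

```shell
#!/bin/sh
# Added example (not from the ClearOS guide): sanity-check the ifcfg files
# for a two-port transparent bridge before rebooting into the new config.

# ifcfg_value FILE KEY -> prints the value of KEY in an ifcfg-style file,
# with surrounding double quotes stripped (ifcfg files mix quoted/unquoted).
ifcfg_value() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1
}

# check_bridge_config DIR -> returns 0 if DIR holds a consistent br0 bridge
# configuration, 1 otherwise (every problem found is printed). DIR is
# normally /etc/sysconfig/network-scripts.
check_bridge_config() {
    dir=$1
    rc=0
    for port in eth0 eth1; do
        f="$dir/ifcfg-$port"
        if [ ! -f "$f" ]; then
            echo "missing $f"; rc=1; continue
        fi
        [ "$(ifcfg_value "$f" BRIDGE)" = "br0" ] || { echo "$port: BRIDGE=br0 not set"; rc=1; }
        # an address on a bridge port means the port is still being routed
        [ -z "$(ifcfg_value "$f" IPADDR)" ] || { echo "$port: should not carry IPADDR"; rc=1; }
        [ "$(ifcfg_value "$f" ONBOOT)" = "yes" ] || { echo "$port: ONBOOT=yes required"; rc=1; }
    done
    f="$dir/ifcfg-br0"
    if [ ! -f "$f" ]; then
        echo "missing $f"; rc=1
    else
        [ "$(ifcfg_value "$f" TYPE)" = "Bridge" ] || { echo "br0: TYPE=Bridge required"; rc=1; }
        [ -n "$(ifcfg_value "$f" IPADDR)" ] || { echo "br0: needs IPADDR for management"; rc=1; }
    fi
    return $rc
}

# write_sample_bridge_config DIR good|bad -> writes constructed ifcfg files
# (sample data for this example, mirroring the guide's values) into DIR.
write_sample_bridge_config() {
    for port in eth0 eth1; do
        cat > "$1/ifcfg-$port" <<EOF
DEVICE=$port
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
BRIDGE=br0
EOF
    done
    cat > "$1/ifcfg-br0" <<EOF
DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
BRIDGE_STP="yes"
IPADDR="192.168.1.2"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
EOF
    # "bad": eth1 lost its BRIDGE line and kept an address of its own, a
    # common leftover when converting a routed box to a bridge.
    if [ "$2" = bad ]; then
        grep -v '^BRIDGE=' "$1/ifcfg-eth1" > "$1/tmp" && mv "$1/tmp" "$1/ifcfg-eth1"
        echo 'IPADDR="192.168.1.3"' >> "$1/ifcfg-eth1"
    fi
}

# Stand-alone demonstration on the constructed sample. On a live box, call
# check_bridge_config /etc/sysconfig/network-scripts instead.
demo_dir=$(mktemp -d)
write_sample_bridge_config "$demo_dir" good
check_bridge_config "$demo_dir" && echo "sample bridge config OK"
rm -rf "$demo_dir"
```

Run the check against /etc/sysconfig/network-scripts after editing the files and before the reboot; a non-zero exit prints which port or setting is inconsistent.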

Content Filtration

From the Marketplace, install the 'Content Filter' module. Once it is installed, enable Transparent mode in the Proxy module and start the service. Start the Content Filter service as well in the Content Filter module.

You will also want to install the ebtables package:

yum install ebtables

Edit the file /etc/clearos/firewall.d/local and include the following lines:

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080

If you are ONLY doing proxy services, use the following rules instead:

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
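The two rule sets differ only in the port that TCP/80 is redirected to (8080 for the content filter, 3128 for the proxy alone), and a leftover rule from the other mode silently sends traffic to the wrong daemon. The following POSIX shell script is an added example and not part of the ClearOS guide: it checks the nat PREROUTING chain, as `iptables -t nat -S PREROUTING` prints it, for the redirect that the chosen mode needs. The function names and the sample chain output are my own constructions; it assumes iptables prints the REDIRECT target's option as `--to-ports`, and also accepts `--to-port`.

```shell
#!/bin/sh
# Added example (not from the ClearOS guide): confirm that the transparent
# redirect for port 80 on br0 is loaded and points at the right daemon.

# redirect_port_for MODE -> the local port the guide redirects TCP/80 to:
# 8080 for the content filter (dansguardian), 3128 for proxy-only (squid).
redirect_port_for() {
    case $1 in
        filter) echo 8080 ;;
        proxy)  echo 3128 ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# check_redirect RULES MODE -> 0 if RULES (the text of
# `iptables -t nat -S PREROUTING`) contains a rule redirecting TCP/80
# entering br0 to the port MODE expects; 1 if port 80 is not redirected at
# all; 2 if it is redirected somewhere else (e.g. left over from the other
# mode).
check_redirect() {
    want=$(redirect_port_for "$2") || return 1
    base='^-A PREROUTING -i br0 -p tcp( -m tcp)? --dport 80 -j REDIRECT'
    if printf '%s\n' "$1" | grep -Eq -e "$base --to-ports? $want\$"; then
        return 0
    fi
    if printf '%s\n' "$1" | grep -Eq -e "$base"; then
        echo "port 80 on br0 is redirected, but not to $want" >&2
        return 2
    fi
    echo "no redirect for port 80 on br0" >&2
    return 1
}

# Constructed sample chain listings (example data, not captured from a real
# system): a box set up for the content filter, one for proxy-only, and one
# where the rule in /etc/clearos/firewall.d/local never got loaded.
SAMPLE_FILTER='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
SAMPLE_PROXY='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
SAMPLE_NONE='-P PREROUTING ACCEPT'

# Stand-alone demonstration on the constructed samples. On a live box, run
# check_redirect "$(iptables -t nat -S PREROUTING)" filter   (or proxy).
check_redirect "$SAMPLE_FILTER" filter && echo "content filter redirect present"
check_redirect "$SAMPLE_PROXY" proxy && echo "proxy-only redirect present"
check_redirect "$SAMPLE_NONE" filter || echo "exit status $?: nothing redirected"
```

Note that both rule sets match only destination port 80: HTTPS on port 443 is bridged straight through and is not seen by either the proxy or the content filter, so a policy that relies on this setup covers plain HTTP only.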

Bypass/Fail-Open

Next, you will need a service that keeps the bypass disabled (shut down) while the Content Filter is running, so that the unit only fails open when filtering stops. Begin by following the documentation for ClearBOX 100 or ClearBOX 300 Series for enabling the bypass on your system.

You will need to configure your system to disable the bypass when the content filter and proxy server are running. Create a file called /etc/init.d/bypassd and make it executable:

chmod +x /etc/init.d/bypassd

bypassd

An app will soon be available to perform all of this. Until then, fill the contents of this file with the following:

#!/bin/bash
#
# bypassd          Start/Stop the Bypass daemon.
#
# chkconfig: 2345 99 99
# description: Inline Bypass Daemon
# processname: bypassd

# Source function library.
. /etc/init.d/functions

daemon=1
pid=0
# Set timeout period (how many seconds before the watchdog triggers)
period=7
# Set 'cf' to 0 if Content Filter is not used. Set to 1 if CF is required.
cf=1

# Locate the bypass card in sysfs (path differs between ClearBOX models).
bypassdir=""
if [ -f /sys/class/bypass/bypass-CAD0205VD-0/bp_type ]; then
	bypassdir=/sys/class/bypass/bypass-CAD0205VD-0
fi
if [ -f /sys/bus/i2c/devices/0-0026/bp_type ]; then
	bypassdir=/sys/bus/i2c/devices/0-0026
fi
if [ -z "$bypassdir" ]; then
	echo "bypassd: no bypass device found in sysfs" >&2
	exit 1
fi

# Enable the bypass watchdog and set its timeout.
echo 2 > "$bypassdir/wdt0"
echo $period > "$bypassdir/period0"

while [ $daemon = 1 ]; do

	# Wait until squid (and dansguardian, if cf=1) are running.
	pid=0
	while [ $pid = 0 ]; do
		if [ -f /var/run/squid.pid ]; then
			if [ "$cf" = "1" ]; then
				if [ -f /var/run/dansguardian-av.pid ]; then
					pid=1
				fi
			else
				pid=1
			fi
		fi
		sleep 3
	done

	# Kick the watchdog every second while the services are up. When a pid
	# file disappears the kicks stop, the watchdog expires after $period
	# seconds and the card fails open (traffic passes straight through).
	while [ $pid = 1 ]; do
		if [ ! -f /var/run/squid.pid ]; then
			pid=0
		elif [ "$cf" = "1" ] && [ ! -f /var/run/dansguardian-av.pid ]; then
			pid=0
		fi
		echo 1 > "$bypassdir/wdt0"
		sleep 1
	done
	sleep 1
done
