This document describes how to configure a ClearBOX 100 (units that have a network bypass) or a ClearBOX 300 Series unit as an inline transparent bridge. The usual reason to run ClearOS as a transparent bridge is to use it as a content filter without re-addressing the network.
For this demonstration we configure a ClearBOX 300 (Gen1) as a content-filtering bridge with the bypass set to 'fail open': if the filter stops running, the hardware bypass joins the two ports and traffic passes unfiltered rather than being blocked. The starting point is a system run through the wizard in gateway mode, with no packages selected in the wizard, with SSH allowed in the 'incoming firewall' rules, and with all updates applied using 'yum update'.
The first step is to configure ClearOS as a bridge. At the time of writing, the ClearOS 6 GUI recognizes an existing bridge but cannot be used to create one, so the bridge is defined by hand in the network-scripts files.
Edit the following files under /etc/sysconfig/network-scripts (leave the HWADDR and UUID lines alone; the zeroed values below are placeholders for the ones already in your files). eth0 and eth1 carry no address of their own and are enslaved to br0; br0 gets the management address.

ifcfg-eth0:
DEVICE=eth0
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
UUID="00000000-0000-0000-0000-000000000000"
BRIDGE=br0

ifcfg-eth1:
DEVICE=eth1
TYPE="Ethernet"
ONBOOT="yes"
USERCTL="no"
HWADDR="00:00:00:00:00:00"
UUID="00000000-0000-0000-0000-000000000000"
BRIDGE=br0

ifcfg-br0:
DEVICE=br0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
STP="yes"
IPADDR="192.168.1.2"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"

Note that the RHEL 6 initscripts ClearOS 6 is built on read the STP= parameter (passed to 'brctl stp'); a BRIDGE_STP= line is ignored.
Next, you need to make changes to the firewall. The firewall needs to know about your new br0 interface: in the /etc/clearos/network.conf configuration file, update the MODE, LANIF and EXTIF parameters so that both the external and LAN roles point at the bridge.

MODE="trustedgateway"
EXTIF="br0"
LANIF="br0"
After you have made these changes, reboot the system and test the bridge: 'brctl show br0' should list both eth0 and eth1 as ports, hosts on either side should still reach each other through the unit, and the br0 address should be reachable for management. Also confirm that /proc/sys/net/bridge/bridge-nf-call-iptables reads 1; without it the iptables rules added below never see bridged traffic.
From the Marketplace, install the 'Content Filter' module. Once it is installed, enable Transparent mode in the Proxy module and start the service. Start the Content Filter service as well in the Content Filter module.
You will also want to install the ebtables package, which provides the bridge-layer rule needed to divert traffic into the local proxy:
yum install ebtables
Edit the file /etc/clearos/firewall.d/local (rules in this file are applied whenever the ClearOS firewall starts) and include the following two lines. The ebtables rule rewrites the destination MAC of bridged TCP port 80 frames to the bridge's own MAC so they are handed to the local IP stack instead of being forwarded; the iptables rule then redirects them to the content filter listening on port 8080.

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8080

If you are ONLY doing proxy services (no Content Filter), redirect to the Squid port 3128 instead:

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Next, you will need a service that keeps the bypass disengaged only while the Content Filter is running, so that the unit fails open as soon as filtering stops. Begin by following the documentation for the ClearBOX 100 or ClearBOX 300 Series for enabling the bypass on your system.
The service below feeds the bypass watchdog while the proxy (and, if used, the content filter) is running and stops feeding it when either goes away, at which point the watchdog expires and the hardware bypass engages. Create a file called /etc/init.d/bypassd and make it executable:
chmod +x /etc/init.d/bypassd
Fill the contents of this file with the following:
#!/bin/bash
#
# bypassd      Start/Stop the Bypass daemon.
#
# chkconfig: 2345 99 99
# description: Inline Bypass Daemon. Feeds the hardware bypass watchdog only
#              while Squid (and, if cf=1, DansGuardian) are running, so the
#              bypass engages (fail open) as soon as the filter chain stops.
# processname: bypassd

# Source function library.
. /etc/init.d/functions

pidfile=/var/run/bypassd.pid

# Watchdog timeout in seconds: if no kick arrives within this period the
# bypass engages.
period=7

# Set 'cf' to 0 if Content Filter is not used. Set to 1 if CF is required.
cf=1

# Locate the bypass control directory; the sysfs path differs by hardware revision.
bypassdir=
if [ -f /sys/class/bypass/bypass-CAD0205VD-0/bp_type ]; then
    bypassdir=/sys/class/bypass/bypass-CAD0205VD-0
fi
if [ -f /sys/bus/i2c/devices/0-0026/bp_type ]; then
    bypassdir=/sys/bus/i2c/devices/0-0026
fi

# Return 0 if the pid file exists and the process it names is still alive.
# Checking the process, not just the file, means a stale pid file left by a
# crashed service cannot keep the watchdog fed.
alive() {
    local pid
    [ -f "$1" ] || return 1
    pid=$(tr -d '[:space:]' < "$1")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Return 0 while the filter chain is healthy: Squid always, DansGuardian if cf=1.
filter_up() {
    alive /var/run/squid.pid || return 1
    if [ "$cf" = 1 ]; then
        alive /var/run/dansguardian-av.pid || return 1
    fi
    return 0
}

watchdog_loop() {
    # Enable the watchdog and set its timeout.
    echo 2 > "$bypassdir/wdt0"
    echo "$period" > "$bypassdir/period0"
    while :; do
        # Wait for Squid (and DansGuardian) to come up; until then the
        # watchdog is not fed and the bypass stays engaged.
        until filter_up; do
            sleep 3
        done
        # Kick the watchdog every second while the filter chain is up. When
        # either service dies the kicks stop and the bypass engages after
        # $period seconds.
        while filter_up; do
            echo 1 > "$bypassdir/wdt0"
            sleep 1
        done
        sleep 1
    done
}

start() {
    if [ -z "$bypassdir" ]; then
        echo "bypassd: no bypass hardware found in sysfs"
        return 1
    fi
    echo -n "Starting bypassd: "
    watchdog_loop </dev/null >/dev/null 2>&1 &
    echo $! > "$pidfile"
    success; echo
}

# Stopping the daemon also stops the kicks, so the bypass engages on shutdown.
stop() {
    echo -n "Stopping bypassd: "
    [ -f "$pidfile" ] && kill "$(cat "$pidfile")" 2>/dev/null
    rm -f "$pidfile"
    success; echo
}

case "$1" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    status)  status -p "$pidfile" bypassd ;;
    *)       echo "Usage: $0 {start|stop|restart|status}"; exit 1 ;;
esac
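Before trusting the fail-open behaviour on live hardware it is worth exercising the daemon's decision logic offline. The following is an added example and not part of the ClearOS documentation or the bypassd script above: it re-implements the "is the filter chain healthy, so kick wdt0" decision as small functions and runs them against a fake sysfs directory and fake pid files created under a temporary directory (the node names wdt0 and period0 and the pid file names are taken from the script; nothing here touches real bypass hardware). It also shows why the liveness check must look at the process rather than only at the pid file: a service that crashes leaves its pid file behind, and if the daemon only tested for the file it would keep feeding the watchdog and the unit would never fail open.

```shell
# Offline simulation of the bypassd fail-open decision (added example).
# The sysfs nodes (wdt0, period0) and the pid files are faked under a
# temporary directory; real bypass hardware is never touched.

# Return 0 if PIDFILE exists and the process it names is alive. Using
# kill -0 rather than just -f means a stale pid file cannot keep the
# watchdog fed.
service_alive() {
    local pidfile=$1 pid
    [ -f "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Return 0 while the filter chain is healthy: Squid always, DansGuardian
# (dansguardian-av.pid) only when cf=1.
filter_healthy() {
    local rundir=$1 cf=$2
    service_alive "$rundir/squid.pid" || return 1
    if [ "$cf" = 1 ]; then
        service_alive "$rundir/dansguardian-av.pid" || return 1
    fi
    return 0
}

# One iteration of the daemon's inner loop: kick wdt0 only while healthy.
# Echoes the decision ("kick" or "hold") so it can be observed and tested.
watchdog_tick() {
    local bypassdir=$1 rundir=$2 cf=$3
    if filter_healthy "$rundir" "$cf"; then
        echo 1 > "$bypassdir/wdt0"
        echo kick
    else
        echo hold
    fi
}

# Scenario (constructed): both services up; then DansGuardian dies, leaving
# its pid file behind; then the same state evaluated with cf=0.
# Prints the three decisions on one line, e.g. "kick hold kick".
simulate() {
    local tmp bypassdir rundir squid dg t1 t2 t3
    tmp=$(mktemp -d)
    bypassdir=$tmp/bypass; rundir=$tmp/run
    mkdir -p "$bypassdir" "$rundir"
    echo 2 > "$bypassdir/wdt0"        # enable watchdog, as bypassd does
    echo 7 > "$bypassdir/period0"     # 7 s timeout

    # Long-lived sleep processes stand in for squid and dansguardian-av.
    sleep 300 >/dev/null 2>&1 & squid=$!
    echo "$squid" > "$rundir/squid.pid"
    sleep 300 >/dev/null 2>&1 & dg=$!
    echo "$dg" > "$rundir/dansguardian-av.pid"

    t1=$(watchdog_tick "$bypassdir" "$rundir" 1)  # both alive -> kick
    kill "$dg" 2>/dev/null || true
    wait "$dg" 2>/dev/null || true                # reap it; pid file stays (stale)
    t2=$(watchdog_tick "$bypassdir" "$rundir" 1)  # stale pid file -> hold -> fails open
    t3=$(watchdog_tick "$bypassdir" "$rundir" 0)  # cf=0: squid alone suffices -> kick

    kill "$squid" 2>/dev/null || true
    rm -rf "$tmp"
    echo "$t1 $t2 $t3"
}
```

Run it with 'simulate' after sourcing the file; the middle "hold" is the moment at which the real daemon would stop kicking, and the hardware would engage the bypass once the 7-second period elapsed. A kick-decision function like watchdog_tick is also a convenient place to add logging on the real unit, so that every transition to "hold" is recorded with a timestamp for later incident review.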