Building a hardware WAF: turning a Linux system into a hardware WAF with transparent proxy and Bypass on power outage or fault

2025-01-14 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

The process of building hardware Bypass

Real-world requirement: WAF products, in many cases, need Bypass.

What is Bypass? Why Bypass?

In real application scenarios, the business system (website) often cannot be interrupted: banks and e-commerce websites, for example. If the system is interrupted and cannot be accessed, the consequences are very serious.

Yet the security protection system still has to be used, so the WAF must have a Bypass function. Bypass means: if the WAF itself, the server the WAF runs on, or the WAF hardware crashes, loses power, or otherwise fails for software or hardware reasons, this must not affect the normal operation of the business system.

The actual deployment mode is usually reverse proxy mode (transparent proxy is essentially similar): the WAF sits in front of the business system, and visitor traffic must flow through the WAF before it reaches the business system. In such a serial (in-line) mode, if the WAF fails, the data must still be able to reach the business system, and the business system's responses must still reach the visitors normally.

There are usually two ways to implement this: multi-machine hot standby, or Bypass in the hardware itself. This article describes how to configure the system so that the server hosting the WAF has the Bypass function. It can also be said that this is the process of building a hardware WAF.

System: Linux CentOS

Hardware requirements: Bypass network card

WAF software: ShareWAF (http://www.sharewaf.com/)

1. Preparatory work:

The ETH1 port connects to the external network; set an IP address on it.

ETH2 and ETH3 are a pair of Bypass ports, used as a bridge.

The ETH3 port connects to the web server in the intranet.

2. System configuration to achieve transparent proxy:

Turn off the CentOS 7 built-in firewall

systemctl stop firewalld.service

systemctl disable firewalld.service

Install iptables

yum -y install iptables

yum -y install iptables-services

Start iptables

service iptables start

Clear the built-in iptables rules

iptables -F

Install ifconfig (net-tools)

yum -y install net-tools.x86_64

Install the bridge utilities

yum -y install bridge-utils

Set up the bridge

/sbin/modprobe bridge

/usr/sbin/brctl addbr br0 (sets the bridge name to br0)

/sbin/ifup enp4s0 (the first network card to be added to the bridge; check its name with ifconfig)

/sbin/ifup enp5s0 (the second network card to be added to the bridge)

Note: it is best to plug a live network cable into each port before performing the above two steps; otherwise the commands take longer to run and report an activation failure.

If the above steps report an error:

Unable to create NMClient object GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: Method "GetManagedObjects" with signature "" on interface "org.freedesktop.DBus.ObjectManager" doesn't exist

then execute the following commands:

chkconfig NetworkManager off

chkconfig network on

service NetworkManager stop

service network start

/usr/sbin/brctl addif br0 enp4s0

/usr/sbin/brctl addif br0 enp5s0

Set the bridge IP (for example 192.168.1.73, an IP in the private network segment)

ifconfig br0 192.168.1.73 netmask 255.255.255.0

Bring up the bridge

/sbin/ip link set br0 up

View the bridge

sudo brctl show

Bring the bridge down

ifconfig br0 down

Delete the bridge (bring it down before deleting)

sudo brctl delbr br0

Add the following content to /etc/sysctl.conf

vi /etc/sysctl.conf

Move the cursor to the last line of the file, press o to open a new line, then paste (right-click and select paste in the terminal):

net.bridge.bridge-nf-call-ip6tables = 1

net.bridge.bridge-nf-call-iptables = 1

net.bridge.bridge-nf-call-arptables = 1

net.ipv4.ip_forward = 1

net.ipv4.ip_nonlocal_bind = 1

net.ipv4.conf.default.rp_filter = 0

net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.br0.rp_filter = 0

Press Esc, type :wq, then press Enter to save and quit.

Apply the settings:

sysctl -p

If an error is reported:

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-arptables: No such file or directory

execute modprobe br_netfilter

then execute sysctl -p again.

Add the routing rule and route

/sbin/ip -f inet rule add fwmark 1 lookup 100

/sbin/ip -f inet route add local default dev lo table 100

Before adding the rule, first check whether there are any other rules:

iptables -t <table name> -L

If there are other rules, delete them:

iptables -t <table name> -D <chain name> <rule>

Add the rule

iptables -t nat -A PREROUTING -d 192.168.1.20 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.73:8080

Description:

192.168.1.20 is the web server IP

80 is the web service port

192.168.1.73 is the bridge IP

8080 is the ShareWAF port

Save the rule

service iptables save

With the above, the settings required for the system's transparent mode are complete. To realize the Bypass function on power outage or fault, you also need to obtain from the Bypass network card or hardware manufacturer the programs and materials for its Bypass NIC, such as the watchdog heartbeat ("dog feeding") program, scripts and so on.
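The Bypass NIC and the vendor's watchdog program cover the case where the whole server loses power or hangs. A different failure is not covered by that hardware path: if the ShareWAF process itself dies while the server keeps running, the DNAT rule above still redirects port 80 to the bridge IP on port 8080, where nothing is listening any more, so visitors' connections are refused. The script below is a small software-bypass watchdog written for this article as an added example; it is not code from the original post or from the ShareWAF project. It assumes the article's sample addresses (web server 192.168.1.20:80, bridge br0 at 192.168.1.73, ShareWAF on port 8080, all overridable through environment variables), that curl is installed (yum -y install curl), and root privileges when started with the run argument. It probes the WAF over HTTP, removes the DNAT rule after FAIL_LIMIT consecutive failed probes so that traffic crosses the bridge untouched, restores the rule as soon as the WAF answers again, and writes each transition to syslog so that the window in which traffic was not inspected is visible afterwards.

```shell
#!/bin/sh
# Software-bypass watchdog for the DNAT transparent proxy configured above.
# Added example, not part of the original article or of ShareWAF.
# Assumptions (the article's sample addresses; override via environment):
#   web server 192.168.1.20:80, bridge br0 at 192.168.1.73, ShareWAF on 8080.
# Also assumes curl is installed and root privileges when run with "run".
WEB_IP="${WEB_IP:-192.168.1.20}"
WEB_PORT="${WEB_PORT:-80}"
BR_IP="${BR_IP:-192.168.1.73}"
WAF_PORT="${WAF_PORT:-8080}"
INTERVAL="${INTERVAL:-5}"      # seconds between health probes
FAIL_LIMIT="${FAIL_LIMIT:-3}"  # consecutive failed probes before failing open

# Validate a dotted-quad IPv4 address; returns 0 when it has four octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rule specification shared by -A, -D and -C, so all three always agree.
dnat_spec() {
    printf 'PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s' \
        "$WEB_IP" "$WEB_PORT" "$BR_IP" "$WAF_PORT"
}

# Prints 1 while consecutive failures ($1) are below the limit ($2), else 0.
waf_state() {
    if [ "$1" -lt "$2" ]; then echo 1; else echo 0; fi
}

# Decide from (waf_state, rule_present) what to do with the DNAT rule.
decide_action() {
    case "$1$2" in
        10) echo add ;;     # WAF healthy but traffic not redirected: re-engage inspection
        01) echo delete ;;  # WAF unreachable but traffic still sent to it: fail open
        *)  echo keep ;;
    esac
}

# Health probe: any HTTP response from ShareWAF within 2 seconds counts as alive.
waf_healthy() {
    curl -s -o /dev/null --max-time 2 "http://$BR_IP:$WAF_PORT/"
}

# iptables -C exits 0 only when an identical rule already exists in the chain.
rule_present() {
    # shellcheck disable=SC2046
    iptables -t nat -C $(dnat_spec) 2>/dev/null
}

# Apply the decision and record every transition in syslog.
apply_action() {
    case "$1" in
        add)
            iptables -t nat -A $(dnat_spec) &&
                logger -t waf-watchdog "ShareWAF healthy: DNAT to $BR_IP:$WAF_PORT restored" ;;
        delete)
            iptables -t nat -D $(dnat_spec) &&
                logger -t waf-watchdog "ShareWAF unreachable: DNAT removed, traffic now bypasses the WAF uninspected" ;;
    esac
}

watchdog_loop() {
    valid_ipv4 "$WEB_IP" && valid_ipv4 "$BR_IP" || { echo "invalid IP in configuration" >&2; return 1; }
    fails=0
    while :; do
        if waf_healthy; then fails=0; else fails=$((fails + 1)); fi
        if rule_present; then present=1; else present=0; fi
        apply_action "$(decide_action "$(waf_state "$fails" "$FAIL_LIMIT")" "$present")"
        sleep "$INTERVAL"
    done
}

# Only touch iptables when explicitly asked: ./waf-watchdog.sh run
if [ "${1-}" = "run" ]; then
    watchdog_loop
fi
```

Start it as ./waf-watchdog.sh run from rc.local or a systemd unit. The decision logic (waf_state, decide_action, dnat_spec) has no side effects, so it can be checked without root, while the functions that call iptables and curl are the only ones that need the real bridge host; the FAIL_LIMIT threshold keeps one slow response from dropping inspection.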

3. Install NodeJS:

yum -y install wget

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo_bak

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

yum clean all

yum makecache

wget https://nodejs.org/dist/v8.11.1/node-v8.11.1-linux-x64.tar.xz --no-check-certificate

tar -xvf node-v8.11.1-linux-x64.tar.xz

mv node-v8.11.1-linux-x64 node-v8.11.1

ln -s /root/node-v8.11.1/bin/node /usr/local/bin/node

ln -s /root/node-v8.11.1/bin/npm /usr/local/bin/npm

4. Install ShareWAF

After obtaining the ShareWAF package, execute in its directory:

npm init

If Express reports an error during installation, run: npm config set strict-ssl false

If Sqlite3 reports an error during installation, run: npm install sqlite3 --unsafe-perm

Done! At this point, the server with the Bypass network card has become a hardware WAF.
