How to set up Firewall under LINUX

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about how to build a firewall under Linux. To help with that, this article explains the process in detail, using the ipchains packet filter of the Linux 2.2 kernel series as the worked example.

First, what is a firewall

A firewall is a combination of software and/or hardware devices placed between an organisation's computers and the external network (the Internet). It restricts what external users may access on the internal network and controls what internal users may access on the external network. Its main purpose is to control the traffic flowing in both directions between the protected network and the outside, so that every connection can be inspected and evaluated at a single choke point.

Since their inception, firewalls have gone through four stages of development: router-based firewalls, customised firewall toolkits, firewalls built on a general-purpose operating system, and firewalls with a hardened operating system. Most products offered by firewall vendors today are combined software and hardware appliances with a hardened operating system, such as NETEYE, NETSCREEN, TALENTIT and so on. There is also a great deal of firewall software for Linux; apart from ipchains, which this article introduces in detail, there are many others, such as Sinus Firewall, Jfwadmin and so on.

Structurally, current firewalls can be divided into two types:

1) Proxy host structure

Internal Network <-> Proxy Gateway <-> Internet

2) Router plus filter structure

Internal Network <-> Filter <-> Router <-> Internet

Second, the principle of building a LAN firewall with ipchains

It helps to recall the client/server (C/S) model first. A service is normally provided by a specific daemon, and in a TCP/IP network that service is bound to a specific TCP or UDP port. The daemon listens on that port; when a qualifying client request arrives, it completes the TCP handshake, establishes the connection and answers the request, typically forking a child to handle the connection while the parent continues to listen for further clients.

ipchains is not a daemon of this kind but a packet filter inside the kernel. It sits on the path that every packet takes, whether from the intranet to the Internet or from the outside to the intranet, and monitors, checks, evaluates, forwards or rejects each packet according to the rules you load.

Common services, protocols and default ports (standard defaults; the original table listed only the service names):

Service      Protocol   Port
WWW (HTTP)   TCP        80
TELNET       TCP        23
ICMP         ICMP       no port (ICMP is IP protocol 1, filtered by type)
SMTP         TCP        25
POP3         TCP        110
FTP          TCP        21 (control), 20 (data)
DNS          UDP/TCP    53

Third, the steps for using ipchains as a firewall

1. Installation

The current version of ipchains is 1.3.9. It is normally installed together with Linux; if not, you can download it from www.linux.org. Below, the author uses TLC 4.0 as the example for installing ipchains. Because masquerading requires IP masquerading (IP-MASQ) support in the kernel, make sure the IP-MASQ modules are installed.

In TLC 4.0, put the CD in the CD drive and run

# turbopkg

then select ipchains and press OK to install it automatically.

If you downloaded the ipchains package yourself:

1) If it is an rpm package:

# rpm -ivh *.rpm

2) If it is a .tar.gz package, unpack it first:

# tar xvfz *.tar.gz

Then change into the unpacked directory and build it:

# ./configure

# make

# make install

The installation is now complete.

2. Enable ipchains

Set the contents of the file /proc/sys/net/ipv4/ip_forward to 1 to turn on IP forwarding (without this the kernel will not route packets between the LAN and the Internet at all). This setting is lost on reboot, so it belongs in the startup script as well.

Create an rc.ipfwadm file in /etc/rc.d/ with the touch command and make it executable.

Add the following line to the rc.local file in /etc/rc.d/:

if [ -f /etc/rc.d/rc.ipfwadm ]; then /etc/rc.d/rc.ipfwadm; fi

From now on all ipchains configuration commands are maintained in the rc.ipfwadm file.

3. Configure ipchains (basic application)

ipchains identifies machines by their IP addresses, so first make sure that the addresses of the machines on your LAN are assigned (preferably fixed) and that you know them well; a rule that names a host by address is only as good as the address assignment behind it.

ipchains rules are organised around three built-in chains: input, output and forward. The input chain filters packets arriving at the firewall host itself, the output chain filters packets leaving the firewall host, and the forward chain filters packets the host routes between the internal and external networks (which is where masquerading happens). The general command format is:

ipchains -[ADC] chain rule-specification [options]

where -A appends a rule to a chain, -D deletes one and -C checks a packet against a chain; -P sets a chain's default policy and -F flushes it. See the IPCHAINS-HOWTO for the full syntax.

Now assume that the enterprise intranet uses the segment 192.168.1.0 to 192.168.1.255 and that the firewall host has the internal IP address 192.168.1.1. The firewall provides Internet access to the LAN by IP masquerading (NAT), should reject all telnet from the outside, restricts ordinary internal users to a list of external sites, gives a few privileged machines unrestricted access to external hosts, and denies some internal machines any Internet access at all. Note that the rc.ipfwadm file shown below only configures the forward chain; rejecting telnet to the firewall host itself would need rules in the input chain, which the file does not contain. The network layout is:

+-----------------------------+
| Internal IP address range   |  192.168.1.1                ISDN, PSDN
| 192.168.1.0/24              |-----[ firewall ]---------------------- Internet
+-----------------------------+

There are generally two ways to configure ipchains firewall rules:

1) allow all packets first, then prohibit the dangerous ones from passing through the firewall;

2) deny all packets first, then allow only the specific packets needed for the desired services.

The second approach (default deny) is safer: anything you forget to consider stays blocked instead of silently allowed.

Here is the content of my rc.ipfwadm file. Comments use the shell's # syntax so the file can be executed directly; the modprobe lines that begin with # are commented-out alternatives.

/sbin/depmod -a
# Build the module dependency list so modules can be loaded automatically. If
# you consider that dangerous, load the required modules by hand instead, as in
# the commented-out lines below.
# /sbin/modprobe /lib/modules/2.2.10/ipv4/ip_masq_ftp      (IP masquerading helper for FTP)
# /sbin/modprobe /lib/modules/2.2.10/ipv4/ip_masq_irc      (IP masquerading helper for IRC)
# /sbin/modprobe /lib/modules/2.2.10/ipv4/ip_masq_raudio
# /sbin/modprobe /lib/modules/2.2.10/ipv4/ip_masq_user
# /sbin/modprobe /lib/modules/2.2.10/ipv4/ip_masq_autofw
/sbin/modprobe -a -t /lib/modules/2.2.10/ipv4/ip_masq*
# Load all IP masquerading modules.

ipchains -F
# Flush all existing ipchains rules.
ipchains -P forward DENY
# Default policy: refuse to forward any IP packet that no rule below allows.
# ipchains evaluates a chain from top to bottom and the first matching rule
# decides the packet's fate, so the order of the rules below matters.

# Allow specific packets through.
# Hosts with higher privileges (unrestricted Internet access via masquerading):
ipchains -A forward -s 192.168.1.10/32 -j MASQ
# 192.168.1.10 may access the outside without restriction, for example the general manager.
ipchains -A forward -s 192.168.1.12/32 -j MASQ
# 192.168.1.12 may access the outside without restriction, for example the
# system administrator. Add further hosts in the same way.
ipchains -A forward -s 192.168.1.41/32 -j MASQ
# For example the host linuxbird: 192.168.1.41.

# Machines that must not reach the outside at all. This rule must come before
# the destination-based rules below; otherwise first-match evaluation would let
# the host reach the permitted sites.
ipchains -A forward -s 192.168.1.3/32 -j DENY
# This machine is dedicated to internal documents and may not access the outside.

# Sites that ordinary internal users may reach:
ipchains -A forward -d 202.101.98.55/32 -j MASQ     # FJ-DNS
ipchains -A forward -d 202.101.0.133/32 -j MASQ     # FJ-DNS
# These are the DNS servers used for Internet access; I use those of the
# Fuzhou Telecommunication Bureau.
# The following sites may be reached by ordinary users; add, delete or modify
# them as needed. Note that a /24 mask permits the whole class C block the
# address belongs to, not just that one host.
ipchains -A forward -d 202.101.98.50/32 -j MASQ     # public.fz.fj.cn
ipchains -A forward -d 202.101.98.60/32 -j MASQ     # pub5.fz.fj.cn
ipchains -A forward -d 202.96.44.14/24 -j MASQ      # freemail.263.net
ipchains -A forward -d 202.99.11.120/32 -j MASQ     # www.linuxaid.com.cn
ipchains -A forward -d 205.227.44.44/24 -j MASQ     # www.oracle.com
ipchains -A forward -d 205.227.44.46/32 -j MASQ     # lliance.oracle.com
# ipchains -A forward -d 205.227.44.237/32 -j MASQ  # support.oracle.com
ipchains -A forward -d 209.246.5.38/24 -j MASQ      # technet.oracle.com
ipchains -A forward -d 137.69.200.8/32 -j MASQ      # www.legato.com
ipchains -A forward -d 202.96.125.102/32 -j MASQ    # www.188.net
ipchains -A forward -d 207.105.83.51/32 -j MASQ     # www.borland.com
ipchains -A forward -d 207.46.131.30/24 -j MASQ     # www.microsoft.com
ipchains -A forward -d 207.46.130.30/24 -j MASQ     # www.microsoft.com
ipchains -A forward -d 204.146.81.99/32 -j MASQ     # www.ibm.com
ipchains -A forward -d 202.102.24.74/24 -j MASQ     # www.lodesoft.com
ipchains -A forward -d 210.77.34.109/32 -j MASQ     # www.csdn.net
ipchains -A forward -d 192.138.151.66/32 -j MASQ    # www.sybase.com
ipchains -A forward -d 202.102.26.1/32 -j MASQ      # www.nari-china.com
ipchains -A forward -d 202.102.26.51/32 -j MASQ     # www.aeps-info.com
ipchains -A forward -d 202.106.185.2/32 -j MASQ     # www.sohu.com
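The rule file above only works as intended because of two properties of ipchains: the chain policy applies when nothing matches, and the first matching rule wins. The following simulator is an added example written for this article; it is neither the author's rc.ipfwadm script nor part of ipchains itself. It replays a constructed subset of the rules above (kept in the same order) and reports the verdict the forward chain would give for a source/destination pair. It models only addresses and masks, not protocols, ports or interfaces, and the sample addresses 198.51.100.7 and 192.168.1.20 are assumed for illustration.

```python
"""Simulate ipchains first-match evaluation of the forward chain.

Added example, not from the original article or the ipchains project.
Only -F, -P and -A with -s/-d/-j are parsed; ipchains' protocol, port and
interface matching is not modelled because the article's rules use none.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")  # ipchains' default for -s and -d


@dataclass
class Rule:
    src: ipaddress.IPv4Network   # -s
    dst: ipaddress.IPv4Network   # -d
    target: str                  # -j: MASQ, ACCEPT, DENY, REJECT


@dataclass
class Chain:
    policy: str = "ACCEPT"       # ipchains' built-in default policy
    rules: list = field(default_factory=list)


def _net(spec):
    """'202.96.44.14/24' -> 202.96.44.0/24; a bare address means /32."""
    if "/" not in spec:
        spec += "/32"
    return ipaddress.ip_network(spec, strict=False)


def load_script(text):
    """Replay ipchains commands from an rc.ipfwadm-style script into a Chain."""
    chain = Chain()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop shell comments
        argv = shlex.split(line)
        if not argv or not argv[0].endswith("ipchains"):
            continue
        cmd, args = argv[1], argv[2:]
        if cmd == "-F":                          # flush rules, keep the policy
            chain.rules.clear()
        elif cmd == "-P":                        # -P forward DENY
            chain.policy = args[1]
        elif cmd == "-A":                        # -A forward [-s x] [-d y] -j T
            src = dst = ANY
            target = None
            opts = args[1:]
            for flag, val in zip(opts[::2], opts[1::2]):
                if flag == "-s":
                    src = _net(val)
                elif flag == "-d":
                    dst = _net(val)
                elif flag == "-j":
                    target = val
            chain.rules.append(Rule(src, dst, target))
    return chain


def verdict(chain, src, dst):
    """First matching rule wins; otherwise the chain's policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain.rules:
        if s in rule.src and d in rule.dst:
            return rule.target
    return chain.policy


# Constructed subset of the article's rc.ipfwadm rules, in the article's order.
SCRIPT = """
ipchains -F
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.10/32 -j MASQ     # privileged host
ipchains -A forward -s 192.168.1.3/32 -j DENY      # internal-only host
ipchains -A forward -d 202.101.98.55/32 -j MASQ    # FJ-DNS
ipchains -A forward -d 202.96.44.14/24 -j MASQ     # freemail.263.net, whole /24
"""

# Same rules with the DENY moved after the DNS rule, to show why order matters.
REORDERED = """
ipchains -F
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.10/32 -j MASQ
ipchains -A forward -d 202.101.98.55/32 -j MASQ
ipchains -A forward -s 192.168.1.3/32 -j DENY
ipchains -A forward -d 202.96.44.14/24 -j MASQ
"""

if __name__ == "__main__":
    chain = load_script(SCRIPT)
    for src, dst in [("192.168.1.10", "198.51.100.7"), ("192.168.1.3", "202.101.98.55"),
                     ("192.168.1.20", "202.101.98.55"), ("192.168.1.20", "198.51.100.7"),
                     ("192.168.1.20", "202.96.44.200")]:
        print(f"{src:>13} -> {dst:<15} {verdict(chain, src, dst)}")
    print("DENY placed after DNS rule:",
          verdict(load_script(REORDERED), "192.168.1.3", "202.101.98.55"))
```

Two things the run makes visible that the rule list alone does not: an unprivileged host (192.168.1.20) reaching an unlisted address falls through to the DENY policy, while the same host reaching 202.96.44.200 is masqueraded because the /24 mask on the freemail.263.net rule opens the whole block; and with the internal-only host's DENY rule placed after the DNS rule, 192.168.1.3 suddenly gets DNS access, which is exactly the ordering mistake the comment in the rule file warns about.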
