Shulou (Shulou.com), SLTechnology News & Howtos, Network Security. Report dated 06/01, updated 2025-01-17.
A more complete software firewall with iptables + layer7 + squid
iptables turns a Linux host into a software firewall. Packets are handed to the kernel's netfilter framework, which exposes five hook points inside the TCP/IP stack: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Rules cannot be written into the kernel directly; the user-space tool iptables loads them into these hooks. By function, the rules are grouped into three tables:
nat: POSTROUTING, after the routing decision (source NAT, SNAT), and PREROUTING, before the routing decision (destination NAT, DNAT)
filter: traffic filtering; INPUT for traffic addressed to the firewall, OUTPUT for traffic originating from it, FORWARD for traffic passing through it
mangle: packet alteration such as TOS/QoS marking
The five chains (hook points) and the traffic each one sees:
INPUT: traffic entering the firewall itself
OUTPUT: traffic leaving from the firewall itself
FORWARD: traffic routed through the firewall
POSTROUTING: traffic about to leave an interface
PREROUTING: traffic just received on an interface
iptables alone filters at the network and transport layers. The layer7 (l7-filter) patch adds a match that classifies connections by application-layer protocol patterns, and squid adds an application-layer HTTP proxy with its own ACLs. Combined, the three give a much more flexible firewall than iptables on its own.
Case study:
Requirements:
The company has three departments:
Engineering department: 192.168.20.10-192.168.20.20
Software department: 192.168.20.21-192.168.20.30
Manager's office: 192.168.20.31-192.168.20.40
Working hours: 08:00-20:00, Monday to Friday
Engineering department: during working hours only the FTP service on 192.168.102.10 may be reached; no QQ and no other Internet access. No restrictions after hours.
Software department: Internet access goes through squid; sina is a blocked site, each client may hold at most 3 connections, and images are not allowed. No restrictions after hours.
Manager's office: Internet access and QQ are allowed. No restrictions after hours.
DMZ: outside users may reach the remote desktop of a DMZ host.
Configuration steps:
Part 1: add the layer7 patch to iptables for application-layer filtering
Recompile the kernel
1. Merge the kernel source and the layer7 patch
tar jxvf linux-2.6.25.19.tar.bz2 -C /usr/src/
tar zxvf netfilter-layer7-v2.20.tar.gz -C /usr/src/
cd /usr/src/linux-2.6.25.19/
patch -p1 < /usr/src/netfilter-layer7-v2.20/kernel-2.6.25-layer7-2.20.patch
2. Configure the new kernel
cp /boot/config-2.6.18-8.el5 .config    # reuse the running kernel's configuration as the starting point
make menuconfig
Two places in the menu matter, both under Networking ---> Networking Options ---> Network Packet filtering framework (Netfilter):
-> Core Netfilter Configuration: build "Netfilter connection tracking support (NEW)" as a module (M); the layer7 options only appear once it is selected. Then build layer7, string, state, time, IPsec, iprange, connlimit and whatever other matches you need as modules.
-> IP: Netfilter Configuration: build "IPv4 connection tracking support (required for NAT)" as a module, and under "Full NAT" build "MASQUERADE target support" and "REDIRECT target support" as modules.
3. Compile and install the modules and the new kernel
make && make modules_install && make install
After installation, reboot and select the new kernel (2.6.25.19) in the boot menu.
Recompile iptables
1. Remove the distribution's iptables (--nodeps, because other packages depend on it)
rpm -e iptables iptstate --nodeps
2. Merge the iptables source and the layer7 userspace extension
tar jxvf iptables-1.4.2.tar.bz2 -C /usr/src/
cd /usr/src/netfilter-layer7-v2.20/iptables-1.4.1.1-for-kernel-2.6.20forward/
cp libxt_layer7.c libxt_layer7.man /usr/src/iptables-1.4.2/extensions/
3. Compile and install
cd /usr/src/iptables-1.4.2/
./configure --prefix=/ --with-ksource=/usr/src/linux-2.6.25.19
make && make install
4. Install the l7-protocols pattern package (the .pat files the layer7 match loads by protocol name)
tar zxvf l7-protocols-2008-10-04.tar.gz -C /etc/
mv /etc/l7-protocols-2008-10-04 /etc/l7-protocols
Next, configure the firewall:
Install squid
[root@localhost Server]# rpm -ivh squid-2.6.STABLE21-3.el5.i386.rpm
View the current rules; all three chains are empty with an ACCEPT policy:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Before anything else, make sure the administrator's workstation keeps SSH access to the firewall; these two rules go in first so the session survives the switch to a DROP policy:
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.20.129 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -d 192.168.20.129 -p tcp --sport 22 -j ACCEPT
Set the default policy of all three filter chains to DROP, so everything not explicitly allowed is denied:
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -P FORWARD DROP
Let intranet users out through eth3 with source NAT (masquerading) in POSTROUTING. IP forwarding must also be enabled (net.ipv4.ip_forward = 1), or nothing traverses FORWARD at all:
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth3 -j MASQUERADE
Let engineering staff reach FTP during working hours:
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.20.10-192.168.20.20 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 21 -j ACCEPT
Accept the return and related traffic of connections that were already allowed (this is also what carries the FTP data channel, provided the FTP connection-tracking helper module is loaded):
[root@localhost ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The requirement is FTP on 192.168.102.10 only, so replace rule 1 of FORWARD with a version that also pins the destination and the outbound interface:
[root@localhost ~]# iptables -t filter -R FORWARD 1 -m iprange --src-range 192.168.20.10-192.168.20.20 -d 192.168.102.10 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -o eth3 -p tcp --dport 21 -j ACCEPT
Verification (the system clock is within working hours):
[root@localhost ~]# date
Thu May 16 10:00:04 CST 2013
Block QQ for engineering staff during working hours:
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.20.10-192.168.20.20 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -o eth3 -m layer7 --l7proto qq -j DROP
Note the position: appended here, the rule sits behind the ESTABLISHED,RELATED ACCEPT, and layer7 has to see several packets of a connection before its pattern matches, so once a flow has been accepted by the state rule this rule never sees it again. In this ruleset the engineering department has no other working-hours access, so QQ falls through to the DROP policy anyway; for a layer7 rule to do real work it must be inserted (-I) ahead of the state rule.
[root@localhost ~]# date
Thu May 16 10:06:47 CST 2013
Outside working hours there are no restrictions:
[root@localhost ~]# iptables -t filter -A FORWARD -s 192.168.20.0/24 -m time --timestart 20:01 --timestop 07:59 -o eth3 -j ACCEPT
xt_time accepts a range that wraps past midnight, but this rule carries no --weekdays, so it covers weekend nights while weekend daytime (08:00-20:00 on Saturday and Sunday) stays blocked by the DROP policy; add a second rule with --weekdays Sat,Sun if the weekend is meant to be unrestricted. Move the clock past 20:00 to test:
[root@localhost ~]# date -s 21:00:00
Thu May 16 21:00:00 CST 2013
The software department reaches the public web through squid: redirect its port-80 traffic to squid's port on the firewall.
[root@localhost ~]# iptables -t nat -A PREROUTING -m iprange --src-range 192.168.20.21-192.168.20.30 -p tcp --dport 80 -j REDIRECT --to-ports 3128
This REDIRECT carries no time match, so squid's ACLs apply to the software department around the clock; add the same -m time match if after-hours web traffic is meant to bypass the proxy. squid must also listen in transparent mode (http_port 3128 transparent in squid 2.6) for redirected connections to be proxied, so edit the squid configuration accordingly.
Allow the redirected connections into the firewall on squid's port, and replies back in:
[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 3128 -j ACCEPT
[root@localhost ~]# iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
Allow squid to fetch from the outside using the firewall's own address:
[root@localhost ~]# iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
Allow the software department and the manager's office to use an external DNS server through eth3:
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.20.21-192.168.20.40 -p udp --dport 53 -o eth3 -j ACCEPT
squid resolves names itself, so point the firewall's own resolver at the external DNS server and let its queries out:
[root@localhost ~]# vim /etc/resolv.conf
[root@localhost ~]# iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
Then edit /etc/squid/squid.conf: switch http_port 3128 to transparent mode and add the software-department ACLs (block sina, at most 3 connections per client, deny images) ahead of the final http_access deny all, then restart squid (service squid restart).
[root@localhost ~]# vim /etc/squid/squid.conf
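As an added example, not the article's own configuration, here is a squid 2.6 fragment implementing the software-department policy (transparent listener, sina blocked, three connections per client, images denied) together with a small shell function that splices it into squid.conf ahead of the catch-all deny, so the ACLs are actually consulted. The sina domain list and the image suffix list are assumptions; everything else follows the requirements above.

```shell
#!/bin/sh
# Added example (not from the article): squid 2.6 ACLs for the software
# department, plus a helper that inserts them into squid.conf in the right place.
# Assumptions: the sina domains and the image suffixes below; adjust to taste.

squid_acl_fragment() {
    cat <<'EOF'
# --- software department policy (added) ---
acl lan_soft src 192.168.20.21-192.168.20.30/32
# "sina" as the blocked site: match the domain and every subdomain
acl badsite dstdomain .sina.com .sina.com.cn
# "no pictures": deny by URL path suffix, case-insensitive
acl images urlpath_regex -i \.(jpg|jpeg|gif|png|bmp)$
# "up to 3 connections": maxconn matches once a client already holds more than 3
acl soft_maxconn maxconn 3
http_access deny lan_soft badsite
http_access deny lan_soft images
http_access deny lan_soft soft_maxconn
http_access allow lan_soft
# --- end software department policy ---
EOF
}

# install_squid_acls [squid.conf]
# - rewrites "http_port 3128" to "http_port 3128 transparent" (squid 2.6 syntax;
#   3.1+ calls it "intercept"), which the REDIRECT rule requires
# - inserts the fragment before the first "http_access deny all": squid stops at
#   the first matching http_access line, so a trailing deny would shadow
#   anything appended after it
# - is idempotent: a second run leaves the file unchanged
install_squid_acls() {
    conf=${1:-/etc/squid/squid.conf}
    if grep -q '^acl lan_soft ' "$conf" 2>/dev/null; then
        return 0
    fi
    frag="$conf.frag.$$"
    squid_acl_fragment > "$frag"
    awk '
        NR == FNR { fragment = fragment $0 "\n"; next }      # first file: the fragment
        /^http_port 3128$/ { print "http_port 3128 transparent"; next }
        !done && /^http_access deny all/ { printf "%s", fragment; done = 1 }
        { print }
        END { if (!done) printf "%s", fragment }             # no catch-all deny: append
    ' "$frag" "$conf" > "$conf.new" && mv "$conf.new" "$conf"
    rm -f "$frag"
}
```

Run `install_squid_acls` against the real /etc/squid/squid.conf (or pass a path) and restart squid; because the function refuses to insert twice, it is safe to leave in a provisioning script.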
The manager's office may browse the web during working hours (after-hours access is covered by the off-hours rule above). Only tcp/80 is opened here; QQ, which the requirement also allows, would need its own ports or a layer7 ACCEPT, and DNS for this range was opened earlier.
[root@localhost ~]# iptables -t filter -A FORWARD -m iprange --src-range 192.168.20.31-192.168.20.40 -m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri -p tcp --dport 80 -o eth3 -j ACCEPT
DMZ
Publish port 3389 of DMZ host 192.168.3.200 to outside users: packets arriving on eth3 for 192.168.102.200 (the address on the eth3 side) are DNATed to the DMZ host, and the forwarded connection is then accepted:
[root@localhost ~]# iptables -t nat -A PREROUTING -i eth3 -d 192.168.102.200 -p tcp --dport 3389 -j DNAT --to-destination 192.168.3.200
[root@localhost ~]# iptables -t filter -A FORWARD -d 192.168.3.200 -p tcp --dport 3389 -j ACCEPT
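The rules above were entered one at a time, in the order the article happened to try them. The following is an added example, not the article's own commands: the whole case-study ruleset as one re-runnable script, ordered so that each rule can actually match. It places the layer7 DROP ahead of the state ACCEPT, pins the FTP rule to 192.168.102.10, adds the weekend rule, loads the FTP conntrack helper and enables forwarding. Addresses, eth3 and ports are the article's; 192.168.102.200 is assumed to be the firewall's address on the eth3 side. With DRY_RUN=1 it prints the rules instead of loading them, so the ruleset can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not the article's own commands: the complete case-study ruleset
# as one re-runnable script. DRY_RUN=1 prints rules; APPLY=1 loads them.
set -u

WAN_IF=eth3
LAN=192.168.20.0/24
ENG=192.168.20.10-192.168.20.20          # engineering department
SOFT=192.168.20.21-192.168.20.30         # software department
MGR=192.168.20.31-192.168.20.40          # manager's office
FTP_SERVER=192.168.102.10
ADMIN=192.168.20.129                     # workstation allowed to SSH into the firewall
DMZ_RDP=192.168.3.200                    # DMZ host whose port 3389 is published
PUBLIC_RDP=192.168.102.200               # assumption: firewall address on eth3 that is DNATed
# Working-hours match; deliberately left unquoted where used so it expands to separate arguments.
WORK="-m time --timestart 08:00 --timestop 20:00 --weekdays Mon,Tue,Wed,Thu,Fri"

# Every rule goes through ipt(): in dry-run mode it prints the command instead of running it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Forwarding is off by default; without it nothing ever reaches FORWARD.
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        # The FTP helper is what makes the data channel show up as RELATED.
        modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    fi
    # Start from empty tables so a re-run does not duplicate rules.
    for t in filter nat mangle; do ipt -t "$t" -F; ipt -t "$t" -X; done

    # 1. Admin SSH first, then the DROP policies, so a remote session survives the switch.
    ipt -A INPUT -s "$ADMIN" -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -d "$ADMIN" -p tcp --sport 22 -j ACCEPT
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 2. The layer7 DROP must precede the state ACCEPT: once a flow is accepted as
    #    ESTABLISHED its later packets never reach this rule, and layer7 needs
    #    several packets of a connection before it can recognise QQ.
    ipt -A FORWARD -m iprange --src-range "$ENG" -o "$WAN_IF" $WORK -m layer7 --l7proto qq -j DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Engineering: only the FTP control channel to one server during working hours.
    ipt -A FORWARD -m iprange --src-range "$ENG" -d "$FTP_SERVER" -p tcp --dport 21 -o "$WAN_IF" $WORK -j ACCEPT

    # 4. Software department: port 80 is hijacked into squid on the firewall itself,
    #    so it needs INPUT rules, and squid's own fetches and lookups need OUTPUT rules.
    ipt -t nat -A PREROUTING -m iprange --src-range "$SOFT" -p tcp --dport 80 -j REDIRECT --to-ports 3128
    ipt -A INPUT -m iprange --src-range "$SOFT" -p tcp --dport 3128 -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Software department and manager's office resolve names directly against an external DNS.
    ipt -A FORWARD -m iprange --src-range 192.168.20.21-192.168.20.40 -p udp --dport 53 -o "$WAN_IF" -j ACCEPT

    # 5. Manager's office: web during working hours. Only tcp/80 is opened, as in the
    #    article; QQ's own ports would need a further rule.
    ipt -A FORWARD -m iprange --src-range "$MGR" -p tcp --dport 80 -o "$WAN_IF" $WORK -j ACCEPT

    # 6. After hours everyone goes out unrestricted: weekday nights (xt_time handles a
    #    range that wraps midnight) plus the whole weekend, which a single 20:01-07:59
    #    rule does not cover between 08:00 and 20:00.
    ipt -A FORWARD -s "$LAN" -o "$WAN_IF" -m time --timestart 20:01 --timestop 07:59 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
    ipt -A FORWARD -s "$LAN" -o "$WAN_IF" -m time --weekdays Sat,Sun -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$WAN_IF" -j MASQUERADE

    # 7. DMZ: publish RDP on the DMZ host via the public-side address.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_RDP" -p tcp --dport 3389 -j DNAT --to-destination "$DMZ_RDP"
    ipt -A FORWARD -i "$WAN_IF" -d "$DMZ_RDP" -p tcp --dport 3389 -j ACCEPT
}

# Load the rules only when explicitly asked; "DRY_RUN=1 sh firewall.sh" reviews them first.
if [ "${APPLY:-0}" = 1 ] || [ "${DRY_RUN:-0}" = 1 ]; then
    build_firewall
fi
```

Review the dry-run output before running with APPLY=1 from a console or from the admin workstation named in ADMIN, since the DROP policies take effect immediately. Note that the software department's port-80 traffic still goes through squid after hours, exactly as in the article's REDIRECT rule.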