2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains the "free self-built Linux firewall method". The content is simple, clear and easy to learn; follow the editor's train of thought step by step and study the free self-built Linux firewall method together.
I. Types and design strategies of firewalls
Two approaches are commonly used when constructing a firewall: packet filtering and application proxy service. Packet filtering means establishing a set of filtering rules and deciding at the network layer, from those rules and the information in the IP packet header, whether a packet is allowed or denied. For example, FTP as a whole can be allowed or prohibited, but specific features of FTP (such as the use of Get and Put) cannot be prohibited. The application proxy service is performed by a proxy server located between the intranet and the extranet. It works at the application layer and proxies users' service requests, such as FTP and Telnet, as they enter and leave the network.
At present, firewalls generally adopt one of three structures: dual-homed host (Dual-homed Firewall), screened host (Screened Host Firewall) and screened subnet (Screened Subnet Firewall). In the dual-homed structure, the computer that performs the proxy service has at least two network interfaces, connected to the intranet and the extranet respectively. In the screened host structure, the computer that performs the proxy service is connected only to the intranet. The screened subnet structure adds an additional security layer to the screened host structure: a perimeter network is inserted to further separate the intranet from the extranet.
Firewall rules define which packets or services are allowed or denied. There are two main policies: allow all access by default and then specify what is denied, or deny all access by default and then specify what is allowed. Generally speaking, the second strategy is adopted. Logically, it is easier to specify the smaller list of what is allowed through the firewall than the larger list of what is not. And since new protocols and services keep appearing on the Internet, a default-deny policy leaves time to review their security vulnerabilities before allowing them through the firewall.
II. Implementation of a firewall based on the Linux operating system
A firewall based on the Linux operating system is a composite firewall that combines a packet filtering firewall, built on the packet filtering ability of the kernel, with a proxy service. Next, let's look at how to configure a dual-homed Linux-based firewall.
Because Linux kernels differ, the packet filtering tools they provide also differ. IpFwadm is based on ipfw in Unix and applies only to Linux 2.0.36 and earlier kernels; for Linux 2.2 and later, Ipchains is used. IpFwadm and Ipchains work in a very similar way. Of the four chains they configure, three are defined when the Linux kernel starts: the input chain, the output chain and the forward chain; the fourth is a user-defined chain. The input chain defines the filtering rules for incoming packets, the output chain the rules for outbound packets, and the forward chain the rules for forwarded packets.
These chains determine how incoming and outgoing IP packets are handled. When a packet arrives on a network card, the kernel uses the rules of the input chain to decide what happens to it; if it is allowed through, the kernel determines where the packet goes next, and if it is destined for another machine, the kernel uses the rules of the forward chain to decide. Before a packet is sent out, the kernel uses the rules of the output chain to decide its fate. Each rule in a chain is tested against the IP packet in turn: if the packet does not match the first rule, the next rule is checked. When a matching rule is found, that rule specifies the target for the packet, which may be a user-defined chain or Accept, Deny, Reject, Return, Masq, Redirect, etc.
Accept allows the packet through; Deny discards it; Reject discards the received packet but generates an ICMP reply to the sender; Return stops rule processing and skips to the end of the chain; Masq works on user-defined chains and the outbound chain and causes the kernel to masquerade the packet; Redirect works only on the input chain and user-defined chains and causes the kernel to redirect the packet to a local port. For Masq and Redirect to work, select Config_IP_Masquerading and Config_IP_Transparent_Proxy respectively when compiling the kernel.
Suppose a local area network is to be connected to the Internet, and its public network address is 202.101.2.25. According to RFC 1597, the intranet uses private class C addresses in the range 192.168.0.0 to 192.168.255.0. For convenience, let's take three computers as an example; in fact, the design can be expanded to a maximum of 254 computers.
The specific steps are as follows:
1. Install two network cards, eth0 and eth2, in a Linux host. Assign the intranet private address 191.168.100.0 to eth0, which connects to the intranet, and the public network address 202.101.2.25 to eth2, which connects to the Internet.
2. Set up the input, forward, output and user-defined chains on the Linux host. This article adopts the strategy of allowing all traffic in and out, and forwarding packets, while forbidding certain dangerous packets, such as IP spoofing packets, broadcast packets and ICMP service type attack packets.
The specific settings are as follows:
(1) Flush all rules
(2) Set the initial rules
(3) Set the local loopback rules
Packets between local processes are allowed to pass.
(4) Prohibit IP spoofing
(5) Prohibit broadcast packets
(6) Set the eth0 forwarding rules
(7) Set the eth2 forwarding rules
Save the rules to the /etc/rc.firewallrules file, give the file execute permission with chmod, and add the line /etc/rc.firewallrules to /etc/rc.d/rc.local so that the rules take effect when the system boots.
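The page does not reproduce the ipchains commands behind steps (1) to (7), so the following script is an added example (not the article's own) that emits a ruleset matching those steps for the dual-homed host described above. It assumes the intranet card is eth0 on 192.168.100.0/24 (the article prints 191.168.100.0, which lies outside the RFC 1597 range it cites) and the Internet card is eth2 on 202.101.2.25; the anti-spoofing rules also deny the other RFC 1597 private ranges, which goes slightly beyond the text.

```shell
#!/bin/sh
# Added example, not the article's own script: emit the ipchains ruleset for
# the dual-homed host in steps (1)-(7). Assumed (not stated on the page):
# intranet card eth0 on 192.168.100.0/24, Internet card eth2 on 202.101.2.25.
INT_IF=eth0; INT_NET=192.168.100.0/24
EXT_IF=eth2; EXT_IP=202.101.2.25
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"   # RFC 1597 ranges

gen_firewall_rules() {
    # (1) flush every rule from the built-in chains
    echo "ipchains -F"
    # (2) initial policy: the article allows input, output and forwarding
    #     by default and then denies the dangerous classes below
    echo "ipchains -P input ACCEPT"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward ACCEPT"
    # (3) local loopback: packets between local processes always pass
    echo "ipchains -A input -i lo -j ACCEPT"
    # (4) anti-spoofing: on the Internet card, deny private or our own public
    #     source addresses; on the intranet card, deny non-intranet sources.
    #     -l logs each match so spoofing attempts show up in syslog.
    for net in $PRIVATE_NETS; do
        echo "ipchains -A input -i $EXT_IF -s $net -j DENY -l"
    done
    echo "ipchains -A input -i $EXT_IF -s $EXT_IP -j DENY -l"
    echo "ipchains -A input -i $INT_IF -s ! $INT_NET -j DENY -l"
    # (5) broadcast: deny packets sent to or claiming the broadcast address
    echo "ipchains -A input -d 255.255.255.255 -j DENY"
    echo "ipchains -A input -s 255.255.255.255 -j DENY"
    # (6) eth0 forwarding: in the forward chain -i is the outgoing card, so
    #     this admits packets being forwarded into the intranet
    echo "ipchains -A forward -i $INT_IF -d $INT_NET -j ACCEPT"
    # (7) eth2 forwarding: masquerade intranet hosts behind the public
    #     address and deny anything else that would leave eth2 unmasked
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    echo "ipchains -A forward -i $EXT_IF -j DENY -l"
}

# Step 3 of the text: write the rules where rc.local can run them at boot.
save_rules() {
    { echo "#!/bin/sh"; gen_firewall_rules; } > "$1" && chmod +x "$1"
}
```

On the 2.2-kernel host the output can be saved with `save_rules /etc/rc.firewallrules`; on any newer kernel ipchains is no longer available and the output serves only as a readable statement of the policy.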
Through the steps above, we can build a packet filtering firewall based on the Linux operating system. It has the advantages of simple configuration, high security and strong resistance, and in particular it lets an idle computer and the free Linux operating system be turned into a firewall at minimal cost. In addition, if a proxy server, such as the free TIS Firewall Toolkit package, is added to the packet filtering, a more secure composite firewall can be built.
Thank you for reading; the above is the content of "free self-built Linux firewall method". After studying this article, I believe you have a deeper understanding of the method of building a free Linux firewall yourself; its specific use still needs to be verified in practice. The editor will push more related articles for you, so you are welcome to follow!