Building a DMZ with a Linux firewall

Source: Internet
Author: User
Tags: mail, requires, virtual environment, firewall, linux

The importance of defense in cyber security goes without saying, and the most common way to protect a network is a firewall. A firewall is the first line of defense, usually placed between an external network and the network that needs protecting. The simplest arrangement puts the firewall directly between the external network and the corporate network: all traffic into the enterprise network passes through it, so every client and server inside is covered by the same firewall. This is simple and cheap, and for some small and medium-sized enterprises it is adequate. It is also too simple for many cases. An enterprise has many servers, clients and other resources to protect, and they do not all need the same level of security. Treating a server with the security level appropriate for a client leaves the server exposed; treating a client with the security level appropriate for a server makes life very inconvenient for the user.

To give different resources different levels of protection, build a separate zone called the demilitarized zone (DMZ). The DMZ is a network segment distinct from both the external network and the intranet. It holds the publicly reachable servers that do not store confidential data, such as the Web, mail and FTP servers. External visitors can reach the services in the DMZ but cannot get at the company secrets and private information kept on the intranet, and even if a server in the DMZ is compromised, the attacker gains no direct path to that information. This holds only as long as the firewall denies traffic from the DMZ into the intranet (policy 5 below); without that rule the DMZ is just another hop on the way in.

Many firewall products provide a dedicated DMZ interface. Hardware firewalls use purpose-built chips and so have a clear advantage in throughput. Software firewalls are very cost-effective and perform well enough for a typical enterprise, and a Linux firewall costs less still. This article shows how to carve out a DMZ on a Linux firewall.

Strategies for building a DMZ

Starting with the 2.4 kernel, Linux uses iptables in place of the earlier ipfwadm and ipchains to manage packet filtering. Packet filtering itself is implemented by a kernel component called Netfilter. Netfilter has three built-in tables (filter, nat and mangle), and the default filter table contains three built-in chains: INPUT, which filters packets that arrive on a network interface and are addressed to the firewall host itself; OUTPUT, which filters packets generated by the firewall host and sent out of an interface; and FORWARD, which filters packets passing through the firewall from one interface to another. A DMZ firewall is built with a combination of these chains. A packet arriving on the card connected to the external network (eth0) and destined for another network is routed by the kernel according to its destination address: if the address belongs to the DMZ segment it is sent out of the card connected to the DMZ (eth1), and if it belongs to the internal network it is sent out of the card connected to the intranet (eth2). Whether such a packet is allowed through at all is decided by the rules in the FORWARD chain, which sees the input and output interface of every routed packet (routed traffic never traverses INPUT or OUTPUT); address translation, needed by policies 1 and 4 below, is done in the nat table. Table 1 shows the access relationships between the networks.

Table 1 Inter-network access relations (row = source, column = destination; Y = allowed, N = denied, / = not applicable)

Source \ Destination   Intranet   External network   DMZ
Intranet               /          Y                  Y
External network       N          /                  Y
DMZ                    N          N                  /

From Table 1 the following six access control policies follow.

1. The intranet can access the external network

Intranet users obviously need to reach the extranet freely. For this policy the firewall must perform source address translation (SNAT), replacing the private intranet source addresses with the firewall's public address on the way out.

2. The intranet can access the DMZ

This policy lets intranet users use the servers in the DMZ and lets administrators manage them.

3. The external network cannot access the intranet

The intranet holds the company's internal data, which external users must not be able to reach.

4. The external network can access the DMZ

The servers in the DMZ exist to provide services to the outside world, so the extranet must be able to reach them. Because the servers have private DMZ addresses, the firewall must also translate the public address the outside world connects to into the actual address of the server (destination NAT, DNAT), and it should do so only for the ports the server actually publishes.

5. The DMZ cannot access the intranet

Clearly, if this policy is violated, an intruder who has captured a server in the DMZ can go on to attack the important data on the intranet. This rule is what makes the DMZ worthwhile at all.

6. The DMZ cannot access the extranet

This policy has exceptions: a mail server placed in the DMZ must be able to reach the extranet to deliver outbound mail, otherwise it cannot work properly. Such exceptions should be opened only for the specific server and the specific ports that need them, not for the whole DMZ segment.

Implementation of the DMZ

From these access control policies the filtering rules of the Linux firewall can be set. Using a hypothetical network, we show how to build the filtering rules that implement the six policies above. A real deployment will differ in its details, but the discussion carries over, and users can adapt the rules to their own circumstances. The network topology of this hypothetical environment is shown in Figure 1.

Figure 1 DMZ network topology map

As shown in Figure 1, a router connects the Internet to the firewall. The firewall is a Linux server with three network cards: eth0 is connected to the router, eth1 to the hub of the DMZ, and eth2 to the intranet hub. To keep the example abstract, "[Intranet address]" stands for a concrete value such as "192.168.1.0/24", and likewise "[Extranet address]" and "[DMZ address]".

A basic principle of firewall configuration is to deny all traffic by default and then open only what is necessary. So at the beginning of the firewall script, clear the system's existing rules and then set the default policy of the INPUT, OUTPUT and FORWARD chains to DROP, so that any packet not explicitly accepted by a later rule is discarded.
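The following script is an added example, not code from the original article, that implements this default-deny start together with the six policies of Table 1 on the three-card firewall of Figure 1. The interface names follow the figure; everything else is an assumption: 192.168.1.0/24 as the intranet, 192.168.2.0/24 as the DMZ, 203.0.113.10 as the firewall's public address, a web server at 192.168.2.10 publishing port 80, and a mail server at 192.168.2.20 publishing port 25 and allowed outbound SMTP and DNS as the policy 6 exception. Run it with the verb show to print the rules without touching the kernel, or as root with apply to load them.

```shell
#!/bin/sh
# Added example (not from the original article): default-deny iptables
# rules for the three-interface DMZ firewall of Figure 1.
# Interfaces follow the figure; all addresses and ports are assumptions.
#
#   sh dmz-fw.sh show    print the iptables commands (no root needed)
#   sh dmz-fw.sh apply   load them into the kernel (run as root)

EXT_IF="${EXT_IF:-eth0}"   # card connected to the router / Internet
DMZ_IF="${DMZ_IF:-eth1}"   # card connected to the DMZ hub
INT_IF="${INT_IF:-eth2}"   # card connected to the intranet hub

INT_NET="${INT_NET:-192.168.1.0/24}"   # [Intranet address] (assumed)
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"   # [DMZ address] (assumed)
EXT_ADDR="${EXT_ADDR:-203.0.113.10}"   # firewall's public address (assumed)
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"     # web server in the DMZ (assumed)
DMZ_MAIL="${DMZ_MAIL:-192.168.2.20}"   # mail server in the DMZ (assumed)

# ipt: run iptables, or with DRY_RUN=1 just print the command line
# (arguments are printed unquoted, for reading rather than pasting).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    # Step 0 from the text: flush the old rules, then default-deny.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # The firewall host itself: loopback, plus replies to what it sent.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Routed traffic: replies to connections permitted below may come back.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing arriving from the Internet may claim an inside source.
    ipt -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$DMZ_NET" -j DROP

    # Policy 1: intranet -> extranet, with SNAT to the firewall's public address.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_ADDR"

    # Policy 2: intranet -> DMZ (use and manage the servers).
    ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Policy 4: extranet -> DMZ, only the published services. DNAT in
    # PREROUTING rewrites the destination before routing, so FORWARD
    # already sees the real server address.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_ADDR" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB:80"
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_ADDR" -p tcp --dport 25 \
        -j DNAT --to-destination "$DMZ_MAIL:25"
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_MAIL" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Policy 6, exception: only the mail server may open outbound SMTP
    # (and DNS, assumed needed for MX lookups) to the extranet.
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_MAIL" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_MAIL" -p udp --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_MAIL" -j SNAT --to-source "$EXT_ADDR"

    # Policies 3, 5 and the rest of 6 need no ACCEPT rule: anything not
    # matched above hits the FORWARD DROP policy. Log the two paths that
    # matter most so a captured DMZ host probing the intranet is visible.
    ipt -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ->INT blocked: "
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "EXT->INT blocked: "
}

case "${1:-}" in
    show)  DRY_RUN=1; build_firewall ;;
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && build_firewall ;;
    *)     ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

The script is stateful: every permitted direction is opened with --ctstate NEW only, and a single ESTABLISHED,RELATED rule lets the replies back, so no reverse-direction hole has to be punched for policies 3, 5 and 6. The anti-spoofing drops are there because the FORWARD rules for policies 1 and 2 trust the source network; without them a packet from the Internet forged with an intranet source would match those rules. Order matters: the DROP policies are set before any ACCEPT rule so there is no window during loading in which everything is allowed, and the LOG rules sit last so they only see what is about to be dropped.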
