Iptables practice series: Build DMZ

1. DMZ Principle

DMZ is the abbreviation of "demilitarized zone" in English. It is called "isolation zone" in Chinese, also known as "non-military zone ". It is a buffer zone between a non-security system and a security system to solve the problem that the external network cannot access the internal network server after the firewall is installed, this buffer zone is located in a small network area between the enterprise's internal network and the external network. Some public server facilities can be placed in this small network area, such as Enterprise Web servers, FTP servers, and forums. On the other hand, such a DMZ region is more effective in protecting the internal network, because such network deployment, compared with the general firewall solution, has another level for attackers. Network Structure 1. Network Device developers use this technology to develop firewall solutions. DMZ is usually a filtering subnet. DMZ constructs a security zone between the internal network and the external network.

Figure 1 DMZ

The DMZ firewall solution adds a security line for the internal network to be protected, which is generally considered to be very safe. At the same time, it provides public servers in a region, which can effectively avoid the conflict between the public and internal security policies of some interconnected applications. The DMZ area usually includes bastion hosts, Modem pools, and all public servers. However, you must note that e-commerce servers can only be used for user connection, real e-commerce background data needs to be placed in the internal network. In this firewall solution, there are two firewalls, the External Firewall defends against external network attacks, and manages access to DMZ from all internal networks. The internal firewall manages DMZ access to the internal network. The internal firewall is the third security line in the internal network (with the External Firewall and bastion host in front). When the External Firewall fails, it can also protect the internal network. In the LAN, Internet access is controlled by the internal firewall and the DMZ bastion host. In this structure, a hacker must pass through three independent regions (external firewalls, internal firewalls, and bastion hosts) to reach the LAN. The attack difficulty is greatly enhanced, and the security of the corresponding internal network is also greatly enhanced, but the investment cost is also the highest.

2. Build DMZ

1. Construction Principles

Linux uses iptables to replace ipfwadm and ipchains from the 2.4 kernel to implement the packet filtering function for Linux management. Linux package filtering is implemented through a kernel component called netfilter. Netfilter has three built-in tables. The default table Filter contains three rule chains, they are the INPUT chain responsible for data filtering from external network interfaces, the OUTPUT chain responsible for filtering the data OUTPUT from the network interfaces, and the FORWARD chain responsible for data filtering between network interfaces.

To build a firewall with DMZ in a Linux system, you need to use the settings of these chains. First, you need to judge the inbound data from the NIC (eth0) connected to the external network, which is completed on the INPUT chain. If the destination address of the data belongs to the DMZ network segment, the data will be forwarded to the network adapter (eth1) connected to the DMZ network; if it is the address of the internal network, it is necessary to forward the data to the network adapter (eth2) connected to the internal network. Table 1 shows the access permission relationships between networks:

Table 1 access relationship between DMZ and the Internet and Intranet

According to the table, the following six access control policies can be clarified:

◆ Intranet access to the Internet: Intranet users obviously need to access the Internet freely. In this policy, the firewall needs to convert the source address.

◆ Intranet access to DMZ: this policy is used to facilitate Intranet users to use and manage servers in DMZ.

◆ The Internet cannot access the Intranet: The intranet stores internal company data, which cannot be accessed by Internet users.

◆ Internet access to DMZ: the servers in DMZ are designed to provide services to the outside world. Therefore, the Internet must be able to access DMZ. At the same time, the firewall needs to convert the external address to the actual address of the server to access DMZ from the Internet.

◆ DMZ cannot access the Intranet: Obviously, if this policy is violated, an attacker can attack important data on the Intranet when attacking DMZ.

◆ DMZ cannot access the Internet: in some cases, this policy may have exceptions. For example, when an email server is placed in DMZ, you need to access the Internet; otherwise, it will not work properly.

2. Implementation of DMZ

You can set filtering rules for the Linux Firewall Based on the above access control policies. In a fictitious network environment, we will discuss how to establish firewall filtering rules based on the above six access control policies. The discussion here is different from the specific application, but this discussion will help the actual application. You can set the parameters based on your actual application. The network topology 2 of the virtual environment is shown.

Figure 2 DMZ Network Topology

2. The vro connects to the Internet and the firewall. The Linux server used as the Firewall uses three NICs: The NIC eth0 is connected to the router, the NIC eth1 is connected to the Hub in the DMZ area, and the NIC eth2 is connected to the Intranet Hub. As an abstract example, we use "[Intranet address]" to represent specific values such as "192.168.1.0/24. Likewise, there are "[Internet address]" and "[DMZ address]".

One principle of firewall is to disable all data communication by default and enable necessary communication. Therefore, at the beginning of the firewall script, you need to clear the original rules of the system, and then set the default rules of INPUT, OUTPUT, and FORWARD to discard all data packets.

1) basic firewall settings

The corresponding firewall script snippets are as follows:

# Flush out the tables and delete alluser-definedchains/sbin/iptables -F/sbin/iptables -X/sbin/iptables -t nat -F/sbin/iptables -t nat –X# Drop every packet/sbin/iptables -P INPUT DROP/sbin/iptables -P OUTPUT DROP/sbin/iptables -P FORWARD DROP

2) implementation of the six policies

1) Intranet access to the Internet

The corresponding firewall script snippets are as follows:

/Sbin/iptables-t nat-a postrouting-s [Intranet address]-d [Internet address]-oeth0-j SNAT -- to [NAT real IP address]

When the data flows out from the eth0 connected to the Internet, you must change the source address of the data packet from the Intranet to the real IP address on the Internet to communicate with the hosts on the Internet. "[NAT real IP address]" indicates the real IP address assigned to the NAT user. If there are a few, write a few. Separate them with spaces, but at least write one.

2) Access DMZ through the Intranet

The corresponding firewall script snippets are as follows:

/Sbin/iptables-a forward-s [Intranet address]-d [DMZ address]-I eth2-jACCEPT

The preceding command allows all data packets destined for DMZ to pass through the Intranet.

3) the Internet cannot access the Intranet.

The corresponding firewall script snippets are as follows:

/Sbin/iptables-t nat-a prerouting-s [Internet address]-d [Intranet address]-I eth0-jDROP

The preceding command discards all data packets from the Internet and from the Intranet.

4) Access DMZ through the Internet

To protect the servers in DMZ, access to DMZ from the Internet must also be restricted. The general idea is to allow only Internet access to the specific services provided by servers in DMZ, such as HTTP.

The corresponding firewall script snippets are as follows:

/Sbin/iptables-t nat-a prerouting-p tcp -- dport 80-d [real IP address allocated to the HTTP server on the Internet]-s [Internet address]-I eth0-j DNAT -- to [actual HTTP Server IP address]/sbin/iptables-a forward-p tcp-s [Internet address]-d [actual HTTP Server IP address]-ieth0 -- dport 80- j ACCEPT/sbin/iptables-a forward-p tcp-d [Internet address]-s [actual HTTP Server IP address]-ieth1 -- sport 80! -- Syn-j ACCEPT/sbin/iptables-t nat-a prerouting-s [Internet address]-d [DMZ address]-ieth0-j DROP

This firewall script segment will open the HTTP service so that only data packets that access the HTTP service in DMZ can pass through the firewall.

5) DMZ cannot access the Intranet

The corresponding firewall script snippets are as follows:

/Sbin/iptables-a forward-s [DMZ address]-d [Intranet address]-I eth1-jDROP

The preceding command discards all data packets from DMZ to the Intranet.

6) DMZ cannot access the Internet

The corresponding firewall script snippets are as follows:

/Sbin/iptables-t nat-a postrouting-p tcp -- dport 25-d [Internet address]-s [email server IP address]-o eth0-j SNAT -- to [Assign real IP address on the Internet of the SMTP server]/sbin/iptables-a forward-p tcp-s [email server IP address]-d [Internet address]-ieth1 -- dport 25- j ACCEPT/sbin/iptables-a forward-p tcp-d [email server IP address]-s [Internet address]-ieth0 -- sport 25! -- Syn-j ACCEPT

The preceding command allows the email server in DMZ to connect to the SMTP service port (25) on the Internet, and then disallow other data packets sent from DMZ to the Internet.

The basic rules for implementing the above basic policies are illustrated. In actual application, you need to set it according to the actual situation. As long as it is properly configured, Linux can also become a good firewall. It must be added that no matter what type of firewall, only limited protection can be provided. Setting a firewall does not mean that the network is secure. The key lies in the comprehensive use of various security measures.