Iptables practice series: Public Network Service Firewall

Source: Internet
Author: User
Tags: touch command

[BKJIA exclusive article] This article walks through an example of using iptables to secure network services. The enterprise network to be protected offers public services to the Internet: WWW, FTP, SMTP, and DNS.

1. Application scenario and network topology

In this application, an iptables firewall protects the public Internet services provided by the enterprise network: the WWW service, FTP service, SMTP service, and DNS service (see Figure 1 for the network topology). All of these services use valid public Internet addresses.

To isolate the Intranet segment 210.18.0/24 from the Internet, a packet filtering firewall is placed between the internal network and the Internet. The IP addresses are assigned as follows:

  • The Intranet interface of the firewall is eth0 (IP address: 210.10.18.88), and the external Internet interface of the firewall is eth1 (IP address: 210.10.19.188);
  • WWW server: the IP address is 210.10.18.89;
  • FTP server: the IP address is 210.10.18.90;
  • DNS server: the IP address is 210.10.18.91;
  • SMTP server: the IP address is 210.10.18.92.



Figure 1: Firewall deployment example

2. Firewall Configuration

The purpose of this configuration is to protect the servers that provide the enterprise network's services from attacks by malicious users and from unwanted traffic originating on the Internet.

1) Create the script file: use the touch command to create an empty script file in the /etc/rc.d/ directory, then run chmod to make it executable.

# touch /etc/rc.d/firewall-for-networkservice
# chmod u+x /etc/rc.d/firewall-for-networkservice

2) Edit /etc/rc.d/rc.local and append /etc/rc.d/firewall-for-networkservice at the end of the file so the script runs at boot:

# echo "/etc/rc.d/firewall-for-networkservice" >> /etc/rc.d/rc.local

3) Use the vi or gedit editor to open the /etc/rc.d/firewall-for-networkservice file and insert the following content:

1) Add the script header. Note: comments in a shell script begin with "#", not "//".

#!/bin/bash
# Display a message on the screen
echo "Starting iptables rules ..."
# Enable the kernel's IP forwarding function (the firewall routes between eth0 and eth1)
echo "1" > /proc/sys/net/ipv4/ip_forward

2) Define the variables used in the rules:

# Define the variables: path to the iptables binary, the protected servers, and the protected segment
IPT_LIST=/sbin/iptables
WEB_SERVER=210.10.18.89
FTP_SERVER=210.10.18.90
DNS_SERVER=210.10.18.91
SMTP_SERVER=210.10.18.92
PROTECT_DOMAIN="210.10.18.0/24"

3) Flush the built-in chains and set the default FORWARD policy to DROP, so that no packet is forwarded unless a later rule explicitly allows it:

$IPT_LIST -F
$IPT_LIST -P FORWARD DROP

4) Set the packet filtering rules that protect the servers. Because client/server interaction is bidirectional, it is not enough to allow the incoming request packets; the returning reply packets must be allowed as well, as shown below:

# Protect the WWW service: service port 80, allowed over tcp and udp as the article specifies
# Rule: eth1 => allow packets destined for the Intranet WWW server
$IPT_LIST -A FORWARD -p tcp -d $WEB_SERVER --dport 80 -i eth1 -j ACCEPT
$IPT_LIST -A FORWARD -p udp -d $WEB_SERVER --dport 80 -i eth1 -j ACCEPT
# Protect the FTP service: command port 21 and data port 20; FTP uses the tcp protocol
# Rule: eth1 => allow packets destined for the Intranet FTP server
$IPT_LIST -A FORWARD -p tcp -d $FTP_SERVER --dport 21 -i eth1 -j ACCEPT
# Protect the DNS service: port 53 over tcp and udp
# Rule: eth1 => allow query requests destined for the Intranet DNS server
$IPT_LIST -A FORWARD -p tcp -d $DNS_SERVER --dport 53 -i eth1 -j ACCEPT
$IPT_LIST -A FORWARD -p udp -d $DNS_SERVER --dport 53 -i eth1 -j ACCEPT
# Protect the SMTP service: port 25 over the tcp protocol
# Rule: eth1 => allow SMTP requests destined for the Intranet SMTP server
$IPT_LIST -A FORWARD -p tcp -d $SMTP_SERVER --dport 25 -i eth1 -j ACCEPT
# Returning packets: allow replies from the protected segment for connections
# that the rules above accepted (without this the FORWARD DROP policy would discard them)
$IPT_LIST -A FORWARD -s $PROTECT_DOMAIN -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

4) Execute the script so the rules take effect immediately:

# /etc/rc.d/firewall-for-networkservice

This completes the firewall configuration for securing the network services. Running the script above establishes a reasonably complete firewall: because only a small number of ports are opened to the outside world, traffic other than these services is effectively blocked. This example is deliberately simple. In practice the configuration can be refined per service, for example by limiting the number of TCP connections an external host may hold open to the WWW service concurrently, or by restricting FTP access from the Internet to a list of permitted IP addresses. The example here is only meant as a brief illustration.
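The two refinements mentioned above, as an added example that is not part of the original article: a script that emits the FORWARD rules for this topology in iptables-restore format (so the whole set loads atomically), caps concurrent HTTP connections per source with the connlimit match, and allows the FTP control port only from an allow list. The WWW_MAX_CONN value, the FTP_ALLOWED addresses and the gen_ruleset/rules_for function names are assumptions.

```shell
#!/bin/bash
# Emits the FORWARD ruleset for the topology above in iptables-restore format,
# so it loads atomically instead of one rule at a time. Server addresses are
# the article's; WWW_MAX_CONN and the FTP_ALLOWED list are assumed values.
WEB_SERVER=210.10.18.89
FTP_SERVER=210.10.18.90
DNS_SERVER=210.10.18.91
SMTP_SERVER=210.10.18.92
PROTECT_DOMAIN=210.10.18.0/24
WWW_MAX_CONN=50                               # max concurrent HTTP connections per source IP
FTP_ALLOWED="198.51.100.10 203.0.113.0/24"    # constructed allow list (documentation ranges)

gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Return direction: replies from the protected segment for connections accepted
    # below; RELATED also covers FTP data connections once nf_conntrack_ftp is loaded.
    printf '%s\n' "-A FORWARD -i eth0 -o eth1 -s $PROTECT_DOMAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # WWW: once a source already holds more than WWW_MAX_CONN connections, drop its new ones
    printf '%s\n' "-A FORWARD -i eth1 -o eth0 -p tcp -d $WEB_SERVER --dport 80 -m connlimit --connlimit-above $WWW_MAX_CONN --connlimit-mask 32 -j DROP"
    printf '%s\n' "-A FORWARD -i eth1 -o eth0 -p tcp -d $WEB_SERVER --dport 80 -m state --state NEW -j ACCEPT"
    # FTP control channel only from the allow list; other sources fall through to the DROP policy
    for src in $FTP_ALLOWED; do
        printf '%s\n' "-A FORWARD -i eth1 -o eth0 -p tcp -s $src -d $FTP_SERVER --dport 21 -m state --state NEW -j ACCEPT"
    done
    # DNS over both transports, SMTP over TCP only
    for proto in tcp udp; do
        printf '%s\n' "-A FORWARD -i eth1 -o eth0 -p $proto -d $DNS_SERVER --dport 53 -j ACCEPT"
    done
    printf '%s\n' "-A FORWARD -i eth1 -o eth0 -p tcp -d $SMTP_SERVER --dport 25 -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of generated rules that name the given server as destination;
# a quick sanity check on the ruleset before loading it.
rules_for() {
    gen_ruleset | grep -c -- "-d $1 "
}

if [ "${1:-}" = "--apply" ]; then
    gen_ruleset | iptables-restore     # atomic: a syntax error loads nothing
else
    gen_ruleset                        # dry run: print the ruleset for review
fi
```

Run it without arguments to review the generated ruleset, and with --apply (as root) to load it.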
