Chapter 3: Packet filter firewall configuration example
3.1 Building a packet filter firewall
3.1.1 Network structure
This section builds a packet filtering firewall for the following network structure.
The network structure assumes that the intranet uses valid (public) Internet addresses. To isolate the internal segment 198.168.80.0/24 from the Internet, a packet filtering firewall is placed between the internal network and the Internet. The firewall's internal interface is eth1 (198.168.80.254) and its Internet-facing interface is eth0 (198.199.37.254). In addition, three servers on the internal segment provide services to the outside:
→ WWW server: IP address 198.168.80.251
→ FTP server: IP address 198.168.80.252
→ E-mail server: IP address 198.168.80.253
3.1.2 Firewall setup process
The main purpose of this example is to protect the servers inside the network. The firewall is set up by editing and running the executable script below. The process is as follows:
#!/bin/bash
# Print a message on the screen
echo "Starting iptables rules ..."
# Enable IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
# Define variables (shell variable names may not contain hyphens, so the
# server variables use underscores and are referenced by the same name below)
IPT=/sbin/iptables
WWW_SERVER=198.168.80.251
FTP_SERVER=198.168.80.252
EMAIL_SERVER=198.168.80.253
IP_RANGE="198.168.80.0/24"
# Flush the rules of all chains
$IPT -F
# First forbid forwarding of any packet, then allow the permitted packets one by one,
# so start by setting the policy of the firewall's FORWARD chain to DROP
$IPT -P FORWARD DROP
# The packet filtering rules for the servers follow.
# Because server/client interaction is bidirectional, it is not enough to set rules
# for the outgoing packets; rules for the returning packets must be set as well.
#
# (1) WWW service
# The service port is 80, using the TCP or UDP protocol
# Rule: eth0 => only allow packets destined for the intranet WWW server
$IPT -A FORWARD -p tcp -d $WWW_SERVER --dport www -i eth0 -j ACCEPT
#
# (2) FTP service
# The service port is 21, the data port is 20
# FTP has active and passive transfer modes; the FTP service uses the TCP protocol
# Rule: eth0 => only allow packets destined for the intranet FTP server
$IPT -A FORWARD -p tcp -d $FTP_SERVER --dport ftp -i eth0 -j ACCEPT
#
# (3) E-mail service
# Contains two protocols, SMTP and POP3
# For security reasons, POP3 is usually provided only internally,
# so here we consider only the security of SMTP
# The SMTP port is 25, using the TCP protocol
# Rule: eth0 => only allow SMTP requests destined for the e-mail server
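As an added example (not the page's script), the same ruleset written the way a practitioner would deploy it today: the three inbound rules above, the return-path rules the comments say are required (handled by connection tracking instead of one rule per reply port), and an anti-spoofing rule that makes use of IP_RANGE, which the script defines but never uses. It assumes a kernel with nf_conntrack (plus the FTP conntrack helper, so passive-mode data connections are matched as RELATED); IPT defaults to a dry run that only prints the commands.

```shell
#!/bin/bash
# Added example: stateful version of the page's FORWARD ruleset.
# Dry run by default; run with IPT=/sbin/iptables (as root) to apply for real.
IPT=${IPT:-"echo /sbin/iptables"}
WWW_SERVER=198.168.80.251
FTP_SERVER=198.168.80.252
EMAIL_SERVER=198.168.80.253
IP_RANGE=198.168.80.0/24
EXT_IF=eth0   # Internet-facing interface
INT_IF=eth1   # internal interface

fw_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # (a) Return packets of connections accepted below, in either direction.
    #     RELATED also covers FTP data connections (active and passive) when the
    #     FTP conntrack helper is loaded and assigned; assumption, see lead-in.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # (b) Packets arriving from the Internet that claim an internal source
    #     address are spoofed; drop them before any ACCEPT rule can match.
    $IPT -A FORWARD -i "$EXT_IF" -s "$IP_RANGE" -j DROP
    # (c) New connections from the Internet, only to the three published
    #     services and only towards the internal interface.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WWW_SERVER" \
        --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$FTP_SERVER" \
        --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$EMAIL_SERVER" \
        --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else (including POP3 from outside) falls through to the DROP policy.
}

fw_rules
```

Because nothing in the FORWARD chain accepts NEW connections leaving the internal segment, a compromised server cannot open outbound connections through this firewall; add explicit rules for that direction if the servers need it.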