Build a firewall experiment environment based on netfilter/iptables

Source: Internet
Author: User

As a mechanism for enforcing access control between networks or systems, a firewall is an important means of ensuring network security. Different firewall systems can be built for different requirements and environments: a firewall can be as large as several routers plus bastion hosts, or as small as the packet filtering function of a software package on a network operating system. Among network firewall products, the firewall software on the Linux operating system stands out. First, Linux, as a Unix-like network operating system, has unique advantages in stability, robustness and price. More importantly, Linux not only has completely open source code but also includes all the service packages needed to set up an Internet environment, such as the Apache web server, DNS server, mail server and database server. Likewise, Linux-based firewall software is powerful, and most of it is open source.

With the rapid development of the Internet, security has become more and more important. Using Linux to build a corporate network is popular with small and medium-sized enterprises, and using Linux to build the corporate firewall has become an ideal choice for many of them. The Linux kernel has supported packet filtering since version 1.1. In kernel 2.0, ipfwadm was used to manage the kernel's packet filtering rules. In version 2.2, the kernel used ipchains to control packet filtering. In 2.4.x, ipchains was replaced by iptables, a brand new packet filtering management tool. The 2.6 kernel has been improved further in terms of security. Therefore, whichever kernel version and whichever Linux distribution you choose for your enterprise network, you can use the existing system to build a practical firewall. Firewall systems fall into three basic types: packet filters, application gateways and proxy-server firewalls.

The firewall software provided by Linux is built into the kernel and is a firewall implementation based on packet filtering. Its central idea is to control the flow of packets based on the source address, destination address and packet type carried in the IP header at the network layer. More thorough filtering also checks the source port, destination port, connection state and other information in the packet. Netfilter is a general framework in the Linux kernel that provides a set of tables; each table consists of several chains, and each chain can contain one or more rules. Combined with other modules, such as the iptables module and the nat module, it implements the packet filtering function. iptables is the tool for managing kernel packet filtering: it adds, inserts or deletes rules in the kernel's packet filtering tables, and Netfilter is what actually executes these filtering rules.

Hardware platform:
① One Red Hat Linux 9.0 PC (FireWall) with three 8139 TP-LINK NICs:
Eth0 (IP: 218.197.93.115)
Eth1 (IP: 192.168.1.1)
Eth2 (IP: 192.168.2.1)
② One Red Hat Linux 9.0 PC (SERVER) with one 8139 TP-LINK NIC:
C (IP: 192.168.1.2)

③ One notebook A, dual-boot Windows XP and Red Hat Linux 9.0, with one 8139 NIC and the CuteFTP software:
A (IP: 192.168.2.2)

④ One Windows XP PC with one 8139 NIC and the CuteFTP software:
B (IP: 218.197.93.161)

⑤ RJ45 crossover cables
Purpose:

1) Implement the NAT function of the FireWall so that A can access the WAN (gateway 218.197.93.254).

2) Enable ftp and a simple web service on the SERVER so that A and B can access C normally.

3) Enable the firewall with the following policies:

1. Intranet access to the Internet
Intranet users obviously need to access the Internet freely. For this policy, the firewall needs to translate the source address.

2. Access DMZ through the Intranet
This policy makes it convenient for Intranet users to use and manage the servers in DMZ.

3. The Internet cannot access the Intranet.
Obviously, internal data is stored on the Intranet and must not be accessible to Internet users.

4. Access DMZ through the Internet
The servers in DMZ exist to provide external services, so DMZ must be reachable from the Internet. At the same time, the firewall needs to translate the external address to the actual address of the server so that the Internet can reach DMZ.

5. DMZ cannot access the Intranet
Obviously, if this policy is violated, an intruder who breaks into DMZ can go on to attack important data on the Intranet.

6. DMZ cannot access the Internet
DMZ servers provide external services, so DMZ must be reachable from the Internet, but the servers in DMZ are not allowed to initiate connections to the Internet.

Tutorial steps:
1. Implement the routing function:
Configure eth0 first. Assign it the interface address 218.197.93.115 with the following command:
# ifconfig eth0 218.197.93.115 netmask 255.255.255.0
Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file so that the address is not lost when the computer is restarted:
DEVICE=eth0
ONBOOT=yes
BROADCAST=218.197.93.255
NETWORK=218.197.93.0
NETMASK=255.255.255.0
IPADDR=218.197.93.115
Add a static route:
# route add -net 218.197.93.0 netmask 255.255.255.0 dev eth0
(ifconfig already installs this connected route on 2.4 kernels, so the command may report that the route exists; that is harmless.)
Next, configure eth1, which connects to the 192.168.1.0 segment, with the address 192.168.1.1. Use ifconfig to set its parameters:
# ifconfig eth1 192.168.1.1 netmask 255.255.255.0
Edit the /etc/sysconfig/network-scripts/ifcfg-eth1 file:
DEVICE=eth1
ONBOOT=yes
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.1
Add a static route:
# route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1
Finally, configure eth2, which connects to the 192.168.2.0 segment, with the address 192.168.2.1:
# ifconfig eth2 192.168.2.1 netmask 255.255.255.0
Edit the /etc/sysconfig/network-scripts/ifcfg-eth2 file:
DEVICE=eth2
ONBOOT=yes
BROADCAST=192.168.2.255
NETWORK=192.168.2.0
NETMASK=255.255.255.0
IPADDR=192.168.2.1
Add a static route:
# route add -net 192.168.2.0 netmask 255.255.255.0 dev eth2
There are now three static route entries in the routing table:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
218.197.93.0    *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
Add a default route, which sends every packet that matches none of the other routes to the upstream gateway:
# route add default gw 218.197.93.254
The system's static routing table is now complete, and its content is:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
218.197.93.0    *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth2
default         218.197.93.254  0.0.0.0         UG    0      0        0 eth0

2. Enable the www and ftp services on C:
# service httpd start
# service vsftpd start

3. Initialize settings on the firewall
◆ Firewall initialization
# service iptables stop
# iptables -F
# iptables -t nat -F
# iptables -X
# iptables -t nat -X
# iptables -Z
# iptables -t nat -Z
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -t nat -P POSTROUTING DROP
# service iptables start
Note that a DROP policy in the nat table is unusual: only the first packet of each connection traverses nat, so filtering belongs in the filter table and the nat chains are normally left at ACCEPT. Also, on Red Hat 9 "service iptables start" loads the rules saved in /etc/sysconfig/iptables, so run "service iptables save" first if the settings above should survive the restart.
◆ Finally, enable the system's IP forwarding function so that the kernel routes packets between the interfaces:
# echo 1 > /proc/sys/net/ipv4/ip_forward
4. Implement port address mapping on the firewall:
◆ Allow A to access the WAN
# iptables -A FORWARD -s 192.168.2.0/24 -i eth2 -j ACCEPT
◆ Packets from A to C are allowed
# iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -i eth2 -j ACCEPT
◆ Packets from the WAN to A are not allowed
# iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.2.0/24 -i eth0 -j DROP
◆ Allow the WAN to return packets belonging to established and related connections to the inside
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 218.197.93.115
◆ Allow the WAN to send packets to the www and ftp servers, and forward www and ftp requests to the internal www and ftp server (ports 20 and 21 need the multiport match, since --dport takes a single port)
# iptables -t nat -A PREROUTING -p tcp --dport 80 -d 218.197.93.115 -s 0.0.0.0/0 -i eth0 -j DNAT --to-destination 192.168.1.2
# iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 192.168.1.2 -i eth0 --dport 80 -j ACCEPT
# iptables -A FORWARD -p tcp -d 0.0.0.0/0 -s 192.168.1.2 -i eth1 --sport 80 ! --syn -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp -m multiport --dports 20,21 -d 218.197.93.115 -s 0.0.0.0/0 -i eth0 -j DNAT --to-destination 192.168.1.2
# iptables -A FORWARD -p tcp -s 0.0.0.0/0 -d 192.168.1.2 -i eth0 -m multiport --dports 20,21 -j ACCEPT
# iptables -A FORWARD -p tcp -d 0.0.0.0/0 -s 192.168.1.2 -i eth1 -m multiport --sports 20,21 ! --syn -j ACCEPT
# iptables -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.1.0/24 -i eth0 -j DROP
◆ C cannot access A and B
# iptables -A FORWARD -s 192.168.1.0/24 -d 0.0.0.0/0 -i eth1 -j DROP
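As an added example (a hypothetical helper script written for this page, not code from the original article or from Red Hat), the following shell script implements the six policies of the design section and the rules of step 4 as one stateful ruleset for the page's topology. It goes beyond the page in two ways: the ESTABLISHED,RELATED rule is the one the "established and related connections" bullet describes but the rule list never adds, and the FTP data channel is left to the kernel's FTP connection-tracking helper instead of a DNAT on port 20. The names ipt, build_rules, enable_forwarding and DRY_RUN are the example's own; the addresses and interfaces are the page's.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original article): the
# tutorial's six policies as one stateful ruleset for its topology.
# Assumed names: ipt, build_rules, enable_forwarding, DRY_RUN, *_IF/*_NET.
WAN_IF=eth0; WAN_IP=218.197.93.115
DMZ_IF=eth1; DMZ_NET=192.168.1.0/24; DMZ_SRV=192.168.1.2
LAN_IF=eth2; LAN_NET=192.168.2.0/24

# With DRY_RUN=1 the commands are printed for review instead of being run.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_rules() {
    # Clean slate and default-deny filter table. The nat table keeps its
    # ACCEPT policies: only a connection's first packet traverses nat, so a
    # DROP policy there is not a substitute for filter rules.
    ipt -F; ipt -t nat -F; ipt -X; ipt -t nat -X
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    # Replies to connections accepted below, in any direction (the rule the
    # tutorial's "established and related connections" bullet calls for).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Policy 1: intranet -> Internet, source NAT to the firewall's WAN address
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
    # Policy 2: intranet -> DMZ
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT
    # Policy 4: Internet -> DMZ server, www and the ftp control channel only.
    # FTP data connections are marked RELATED by the ftp conntrack helper,
    # so no DNAT or ACCEPT rule for port 20 is needed.
    for port in 80 21; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$port" -j DNAT --to-destination "$DMZ_SRV"
        ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_SRV" --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Policies 3, 5 and 6 (Internet -> intranet, DMZ -> intranet, DMZ ->
    # Internet) need no rules: every other NEW connection hits FORWARD DROP.
}

enable_forwarding() {
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    modprobe ip_conntrack_ftp   # 2.4-kernel module names, as on Red Hat 9
    modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# "sh fw.sh" prints the ruleset; "sh fw.sh apply" installs it (needs root).
[ "$1" = apply ] || DRY_RUN=1
build_rules && enable_forwarding
```

Run it without arguments first and compare the printed rules against the six policies before applying; once applied, "iptables -L -v -n" and "iptables -t nat -L -n" show the counters and translations in place.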

