Build a firewall instance using Linux + iptables

Source: Internet
Author: User
Preface

Using Linux + iptables as a firewall gives high flexibility and stability (my own firewall has not been restarted since it was set up), but installing and configuring it is troublesome. This article walks through the firewall I built for our company to give you a general picture of installing and configuring a Linux + iptables firewall, in the hope that it prompts better ideas from others.

System Environment and Network Planning

First, a look at the company's environment. The company reaches the Internet over a 2 M ADSL leased line. China Telecom allocated the public address block 218.4.62.12/29 with gateway 218.4.62.13. The company has more than 50 PCs, which use DHCP and get addresses in 192.168.2.xxx; the DHCP server runs on the iptables server itself. The company also has a computer training center whose machines use fixed IP addresses in 192.168.20.xxx. To speed up web browsing there is a squid server, and every PC browses the web through it. The company also runs a combined web + mail + FTP server, whose public IP address is 218.4.62.18. All of these computers and servers must sit behind the firewall. The plan is as follows:

Network wiring diagram
The iptables server has three NICs. eth0 carries two IP addresses, 218.4.62.14 and 218.4.62.18: 218.4.62.14 is used for shared Internet access and 218.4.62.18 is dedicated to the web server. eth1 has IP address 192.168.2.9. So that the training center PCs and the company PCs cannot reach each other, the training center server is connected directly to switch-B, while eth2 is connected to switch-A, which also connects the training center PCs, the squid server and the web server.
Once the network is cabled, the server is installed. The iptables server runs RedHat Linux v7.3; when installing it, make sure the firewall package is selected.

iptables Basics

iptables syntax:
iptables [-t table] action [pattern] [-j target]

Table:

The available tables are filter, nat and mangle. If no table is given, the default is the filter table.

Action:

Action       Description
-L chain     list all rules in the chain
-A chain     append a rule to the chain
-D chain     delete a rule from the chain
-I chain     insert a rule into the chain
-R chain     replace a rule in the chain
-P chain     set the default policy of the chain
-F chain     flush all rules from the chain
-N chain     create a user-defined chain
-X [chain]   delete the user-defined chain (all user-defined chains if none is given)

Chains:

iptables has five built-in chains (rule chains), traversed at the following points:

Chain         When it is traversed
PREROUTING    as a packet enters the local machine, before the routing decision
INPUT         after the routing decision, for packets addressed to the local machine
OUTPUT        for packets generated by the local machine, before the routing decision
FORWARD       after the routing decision, for packets whose destination is not the local machine
POSTROUTING   after the routing decision, just before the packet is handed to the NIC

Pattern (match conditions):

Parameter      Description
-p protocol    protocol, such as tcp, udp, icmp or all
-s address     source address is address
-d address     destination address is address
-i interface   the NIC the packet arrived on
-o interface   the NIC the packet leaves on
-m match       advanced match modules, such as mac, state and multiport

Target (common actions):

Target       Description
ACCEPT       accept the packet
DROP         drop the packet
RETURN       stop comparing in this chain and return to the calling chain
QUEUE        pass the packet to a user-space application for processing
SNAT         nat table only: rewrite the source address
DNAT         nat table only: rewrite the destination address
MASQUERADE   nat table only: rewrite the source address to the outgoing NIC's own address
REDIRECT     nat table only: redirect the packet to a port on the local machine

Running /etc/rc.d/init.d/iptables save writes the file /etc/sysconfig/iptables. You can see that it has three sections: each line starting with "*" names a table, and "COMMIT" ends that table. Rules are added under the corresponding table, as follows:

[root@jiaoyuang init.d]# ./iptables save
Saving current rules to /etc/sysconfig/iptables: [  OK  ]
[root@jiaoyuang init.d]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*mangle
:PREROUTING ACCEPT [61522:8074850]
:OUTPUT ACCEPT [1079:79301]
COMMIT
# Completed on Sat Sep 28 16:51:22 2002
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*nat
:PREROUTING ACCEPT [31850:5091703]
:POSTROUTING ACCEPT [20:1240]
:OUTPUT ACCEPT [12:776]
COMMIT
# Completed on Sat Sep 28 16:51:22 2002
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*filter
:INPUT ACCEPT [61444:8070296]
:FORWARD ACCEPT [34:1984]
:OUTPUT ACCEPT [1079:79301]
COMMIT
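As an added example, not part of the original article, here is a structural pre-check for a file in the iptables-save format shown above, read from standard input, to run before handing the file to iptables-restore. A file that iptables-restore rejects can leave chains at their default ACCEPT policy, or only partially loaded, after a reboot. The two sample files are constructed for this example (the good one from the rules used later in this article); the list of built-in chains is shared across tables, which is a simplification.

```shell
#!/bin/sh
# Added example, not from the article.  Reads an iptables-save style file on
# stdin and reports:
#   - a "*table" section with no closing COMMIT
#   - a COMMIT, chain declaration or rule outside any table
#   - a rule (-A/-I) naming a chain that is neither built in nor declared
#     with a ":chain" line in that table
#   - any other line it does not recognise
# Exit status is 0 when the file is clean, 1 otherwise.
check_rules_file() {
  awk '
    BEGIN {
      n = split("PREROUTING INPUT FORWARD OUTPUT POSTROUTING", b, " ")
      for (i = 1; i <= n; i++) builtin[b[i]] = 1
      bad = 0; table = ""
    }
    /^[ \t]*$/ || /^#/ { next }
    /^\*/ {
      if (table != "") { printf "line %d: table %s has no COMMIT\n", NR, table; bad = 1 }
      table = substr($1, 2); next
    }
    /^COMMIT$/ {
      if (table == "") { printf "line %d: COMMIT outside a table\n", NR; bad = 1 }
      table = ""; next
    }
    /^:/ {
      if (table == "") { printf "line %d: chain declared outside a table\n", NR; bad = 1; next }
      declared[table ":" substr($1, 2)] = 1; next
    }
    /^-[AI] / {
      if (table == "") { printf "line %d: rule outside a table\n", NR; bad = 1; next }
      if (!($2 in builtin) && !((table ":" $2) in declared)) {
        printf "line %d: chain %s is not declared in table %s\n", NR, $2, table; bad = 1
      }
      next
    }
    { printf "line %d: unrecognised line: %s\n", NR, $0; bad = 1 }
    END {
      if (table != "") { printf "end of file: table %s has no COMMIT\n", table; bad = 1 }
      exit bad
    }
  '
}

# Constructed sample: the shared-access NAT rule and the filter rules from the
# article, in iptables-save form.
GOOD_RULES=$(cat <<'EOF'
# constructed for this example
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 218.4.62.14
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -s 192.168.255.253 -j ACCEPT
-A FORWARD -s 192.168.0.0/16 -j DROP
COMMIT
EOF
)

# Constructed broken sample: a rule for an undeclared chain and a missing COMMIT.
BAD_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -j DROP
-A LOGDROP -j LOG
EOF
)

printf '%s\n' "$GOOD_RULES" | check_rules_file && echo "good file: ok"
printf '%s\n' "$BAD_RULES"  | check_rules_file || echo "bad file: rejected"
```

The check only looks at the file's shape; iptables-restore still validates each rule's options, so the two checks complement each other rather than replace one another.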

Install and start iptables

After RedHat Linux v7.3 is installed, iptables is present, but ipchains is what starts by default, and the rules you defined during installation live in /etc/sysconfig/ipchains. We need to stop ipchains before starting iptables (note: iptables can be started without stopping ipchains, but it does not actually take effect then; ipchains and iptables are two different firewalls, and only one of them can be in use).

service ipchains stop                  (stop ipchains)
chkconfig --level 2345 ipchains off    (do not start ipchains at boot)
chkconfig --level 2345 iptables on     (start iptables at boot)
vi /etc/rc.d/rc.local                  (edit rc.local and add the following four lines at the end)

ifconfig eth0:0 218.4.62.18 netmask 255.255.255.248
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward

(The first line adds a second IP address, 218.4.62.18, to eth0 as the alias eth0:0, because only one address, 218.4.62.14, can be set during installation. The ip_conntrack_ftp and ip_nat_ftp modules are needed by iptables to track and NAT FTP sessions. The last line turns on IP forwarding on the server.)
(If the iptables modules are compiled into the kernel, the second and third lines can be omitted.)
Configure the DHCP server so that the company PCs obtain their IP address and gateway automatically; the gateway is 192.168.2.9. See the relevant documentation for the details, which this article does not cover.

reboot

After the server is restarted, iptables starts to run.

Configure iptables

With a basic understanding of iptables, we can configure our server. First, publish the web server by adding the following two lines to the nat table in /etc/sysconfig/iptables:

-A PREROUTING -d 218.4.62.18 -j DNAT --to-destination 192.168.255.254
-A POSTROUTING -s 192.168.2.254 -j SNAT --to-source 218.4.62.18

The first rule DNATs every packet whose destination address is 218.4.62.18 to 192.168.2.254; the second SNATs every packet whose source address is 192.168.2.254 to 218.4.62.18. Set the web server's gateway to 192.168.20.9.

Next, enable shared Internet access by SNATing every packet forwarded from the internal network to 218.4.62.14:

-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 218.4.62.14

Add the following rules to the filter table in /etc/sysconfig/iptables:

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable

These two lines are a simple defence against DoS attacks: echo requests are accepted at no more than 6 per minute (burst of 2) and the rest are rejected. Other attacks can be handled in the same way.

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP

These two lines turn INPUT into a stateful firewall. They mainly block connections and attacks from outside: on eth0 only packets in the ESTABLISHED or RELATED state are accepted (connection tracking classifies every packet as NEW, ESTABLISHED, RELATED or INVALID), so connections initiated by the local machine itself are not affected.
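To make the effect of --limit 6/min --limit-burst 2 in the ICMP rules above concrete, here is an added example, not from the article: a small token-bucket model of the limit match. Netfilter's limit match behaves as a bucket whose capacity is the burst and which gains one token every 60/rate seconds; each packet that hits the rule spends a token, and a packet arriving with an empty bucket falls through to the next rule (here the REJECT). The model works in whole seconds and the arrival timestamps are constructed.

```shell
#!/bin/sh
# Added example, not from the article: a token-bucket model of the iptables
# "limit" match.  Simplified to whole-second arrival times.

# Seconds between refills for a rate given per minute; 6/min -> 10.
refill_interval() {
  echo $((60 / $1))
}

# limit_simulate BURST INTERVAL reads one arrival time (whole seconds,
# non-decreasing) per line and prints one character per packet:
#   A = matched the limit rule (token available)
#   R = fell through to the next rule (bucket empty)
limit_simulate() {
  burst=$1 interval=$2
  tokens=$burst last=0 out=""
  while read -r t; do
    [ -n "$t" ] || continue
    refill=$(( (t - last) / interval ))
    if [ "$refill" -gt 0 ]; then
      tokens=$((tokens + refill))
      if [ "$tokens" -ge "$burst" ]; then
        tokens=$burst; last=$t           # bucket full: refill clock restarts now
      else
        last=$((last + refill * interval))   # keep the unused fraction of the interval
      fi
    fi
    if [ "$tokens" -gt 0 ]; then
      tokens=$((tokens - 1)); out="${out}A"
    else
      out="${out}R"
    fi
  done
  printf '%s\n' "$out"
}

# Constructed arrivals: four echo requests at t=0, then one each at 10 s, 20 s and 60 s.
# Only the first two of the burst get through; after that one request per 10 s does.
printf '%s\n' 0 0 0 0 10 20 60 | limit_simulate 2 "$(refill_interval 6)"
# prints AARRAAA
```

A steady flood of one request per second shows the other side of the same rule: of 30 requests in 30 seconds only four are accepted (the two-packet burst plus one refill at 10 s and one at 20 s), so a legitimate ping from an administrator during a flood will mostly be rejected too. That is the trade-off the second rule's REJECT makes explicit.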

Since not every computer is allowed to access the Internet, we also need to restrict which computers share the connection:

IP address restriction:
-A FORWARD -s 192.168.2.0/29 -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/29 -p tcp -m multiport --dports 3128,110,25 -j ACCEPT
-A FORWARD -s 192.168.255.253 -j ACCEPT
The computers 192.168.2.0 ~ 192.168.2.7 and 192.168.255.253 (the squid server) can access the Internet and send mail. 3128 is the squid proxy port, through which web access is shared; 110 is POP3 and 25 is SMTP; UDP 53 is needed for DNS. Because DHCP is in use, however, a PC's IP address may differ from one day to the next, so we need the MAC restriction below.

MAC restriction:
-A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT
This controls access by network card, but there are plenty of computer experts around these days and changing a MAC address is not hard. What then? Use the third method.

MAC + IP restriction:
Edit /etc/dhcpd.conf and bind the MAC address to a fixed IP address:
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.30 192.168.2.230;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.9;
    option domain-name-servers 212.132.16.163;
    host meeting-room {
        hardware ethernet 00:50:BA:C8:4B:3A;
        fixed-address 192.168.2.35;
    }
}
Then change our iptables rules to:
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT
With this done, the experts can do nothing. But there is a girl in the company from the TV station, and I want to chat with her during work to get to know her. What to do? We know QQ uses UDP port 4000 (and the following ports if 4000 is occupied), so the rules become:
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53,4000,4001,4002,4003,4004,4005 -j ACCEPT
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT

Finally, add this line:

-A FORWARD -s 192.168.0.0/16 -j DROP

Everything that should be allowed has been accepted above, so everything else from the internal network is dropped at the end. With this, the configuration is complete.
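As an added example, not part of the article, here is a first-match evaluator over the final FORWARD rules above (the MAC + IP rules for the meeting-room host, the squid server rule and the closing DROP), run against constructed sample packets, so the binding can be checked without a live firewall. The MAC used is the meeting-room address from the dhcpd.conf, standing in for the XX:XX placeholder; the 192.168.2.0/29 rules are left out because this model matches exact addresses only, and the chain's own policy is modelled as DROP.

```shell
#!/bin/sh
# Added example, not from the article: first-match evaluation of a FORWARD
# chain.  Rule fields: SRC MAC PROTO DPORTS TARGET.  "-" matches anything;
# DPORTS is a comma-separated list like the multiport match.  Addresses and
# MACs are compared exactly as written (no CIDR matching in this model).
FORWARD_RULES='
192.168.2.35     00:50:BA:C8:4B:3A udp 53,4000,4001,4002,4003,4004,4005 ACCEPT
192.168.2.35     00:50:BA:C8:4B:3A tcp 3128,110,25                     ACCEPT
192.168.255.253  -                 -   -                               ACCEPT
-                -                 -   -                               DROP
'

# forward_verdict SRC MAC PROTO DPORT -> prints the target of the first
# matching rule, or DROP (the modelled chain policy) when nothing matches.
forward_verdict() {
  p_src=$1 p_mac=$2 p_proto=$3 p_port=$4
  while read -r r_src r_mac r_proto r_ports r_target; do
    [ -n "$r_target" ] || continue
    [ "$r_src"   = - ] || [ "$r_src"   = "$p_src" ]   || continue
    [ "$r_mac"   = - ] || [ "$r_mac"   = "$p_mac" ]   || continue
    [ "$r_proto" = - ] || [ "$r_proto" = "$p_proto" ] || continue
    if [ "$r_ports" != - ]; then
      case ",$r_ports," in *",$p_port,"*) ;; *) continue ;; esac
    fi
    echo "$r_target"
    return 0
  done <<EOF
$FORWARD_RULES
EOF
  echo DROP
}

# Constructed sample packets: fields are SRC MAC PROTO DPORT.
for pkt in \
  "192.168.2.35 00:50:BA:C8:4B:3A tcp 3128" \
  "192.168.2.35 00:50:BA:C8:4B:3A tcp 80" \
  "192.168.2.36 00:50:BA:C8:4B:3A tcp 3128" \
  "192.168.2.35 00:11:22:33:44:55 tcp 3128" \
  "192.168.255.253 00:11:22:33:44:55 tcp 80"; do
  set -- $pkt
  echo "$pkt -> $(forward_verdict "$@")"
done
```

The second packet shows why the proxy port matters: the bound host may reach squid on 3128 but not a web server directly on port 80. The third and fourth show the point of the combined rule: the right MAC on a different address, or the right address with a different MAC, both fall through to the final DROP.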

Summary

There is no absolutely secure firewall in the world; security is always relative. The approach to configuring iptables is to accept what is needed first and drop everything else at the end. Another way to share the Internet would be to use the owner match of iptables; however, because Linux has no authentication mode like Win2k's, it is difficult to verify the owner. I am still testing this and have no better solution yet; if any of you can solve it, please e-mail me, and I would be very grateful. Note that when doing NAT, the clients' gateway must be the IP address of the iptables server.
If there is any error in this article, please let me know.
