Build a firewall instance using Linux + iptables

Source: Internet
Author: User
Preface

Using Linux + iptables as a firewall gives high flexibility and stability (my firewall has never been restarted since it was set up), but installing and configuring it is troublesome and error-prone. This article uses the firewall built for our company as a worked instance, so that you get a general picture of installing and configuring a Linux + iptables firewall; I hope it serves as a starting point for others.

System environment and network regulation

First, let's look at the company's environment. The company accesses the Internet over a 2M ADSL line; China Telecom allocated the public address block 218.4.62.12/29 with the gateway 218.4.62.13. The company has more than 50 computers and uses DHCP; the DHCP server runs on the iptables server. The company also has a computer training center whose PCs use fixed IP addresses in 192.168.20.XXX. To speed up web browsing we have a Squid server, and all computers browse the web through it. The company also runs a combined Web Server + Mail Server + FTP Server at the public address 218.4.62.18. All of these computers and servers must sit behind the firewall. The plan is as follows:

Network wiring diagram

As the diagram shows, the iptables server has three NICs; eth0 carries two IP addresses, 218.4.62.14 and 218.4.62.18.

218.4.62.14 is used for shared Internet access and 218.4.62.18 is dedicated to the Web Server; eth1 has the IP address 192.168.2.9. So that the training-center PCs and the company PCs cannot reach each other, the iptables server connects directly to Switch-B, and eth2 to Switch-A, which carries the training-center PCs, the Squid Server and the Web Server.

After the network is wired, install the server. The iptables server runs Red Hat Linux 7.3; when installing it, make sure to select the firewall package.

IPTABLES basics

iptables syntax:

iptables [-t TABLE] ACTION [PATTERN] [-j TARGET]

TABLE:

filter, nat and mangle are available; if none is given, the filter table is used.

ACTION (operation on a chain):

-L Chain    list all rules in the chain
-A Chain    append a rule to the chain
-D Chain    delete a rule from the chain
-I Chain    insert a rule into the chain
-R Chain    replace a rule in the chain
-P Chain    set the default policy of the chain
-F Chain    flush all rules in the chain
-N Chain    create a user-defined chain
-X          delete all user-defined chains

CHAINS:

iptables has five built-in chains (rule chains), as shown in the following table:

Chain         When it is traversed
PREROUTING    after a packet enters the machine, before it reaches the routing table
INPUT         after the routing table, for packets destined for the local machine
OUTPUT        for packets generated by the local machine, before the routing table
FORWARD       after the routing table, for packets whose destination is not the local machine
POSTROUTING   after the routing table, just before the packet is handed to the network adapter

PATTERN (match conditions):

-p Protocol    protocol, such as tcp, udp, icmp or all
-s Address     source address is Address
-d Address     destination address is Address
-i Interface   NIC on which the packet arrives
-o Interface   NIC on which the packet leaves
-m Match       extended matches, such as mac, state and multiport

TARGET (common actions):

ACCEPT        accept the packet
DROP          discard the packet
RETURN        return from the chain without further matching
QUEUE         hand the packet to a user-space application for processing
SNAT          nat: translate the source address
DNAT          nat: translate the destination address
MASQUERADE    nat only: translate the source address to the address of the outgoing NIC
REDIRECT      nat only: redirect the packet to a port on the local machine

Running /etc/rc.d/init.d/iptables save generates the file /etc/sysconfig/iptables. As you can see below, it contains three sections: each line beginning with "*" starts a table, and "COMMIT" ends that table. You add your rules to the corresponding table of this file, as shown below:

[root@jiaoyuang init.d]# ./iptables save
Saving current rules to /etc/sysconfig/iptables: [ OK ]
[root@jiaoyuang init.d]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*mangle
:PREROUTING ACCEPT [61522:8074850]
:OUTPUT ACCEPT [1079:79301]
COMMIT
# Completed on Sat Sep 28
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*nat
:PREROUTING ACCEPT [31850:5091703]
:POSTROUTING ACCEPT [20:1240]
:OUTPUT ACCEPT [12:776]
COMMIT
# Completed on Sat Sep 28
# Generated by iptables-save v1.2.4 on Sat Sep 28 16:51:22 2002
*filter
:INPUT ACCEPT [61444:8070296]
:FORWARD ACCEPT [34:1984]
:OUTPUT ACCEPT [1079:79301]
COMMIT
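Editing this file by hand is where rules end up in the wrong table. The following is an added example, not a script from the article: it appends a rule just before the COMMIT of the named table, so the file stays loadable by iptables-restore, and refuses a table the file does not contain. The function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not the article's own script. Works on a file in the
# iptables-save layout shown above: "*table" opens a table, "COMMIT" closes it.

# add_rule_to_table FILE TABLE RULE: append RULE to TABLE (filter, nat or
# mangle) by placing it just before that table's COMMIT line.
add_rule_to_table() {
    file=$1; table=$2; rule=$3
    # A rule for a table the file lacks would silently vanish; refuse instead.
    grep -q "^\*$table\$" "$file" || { echo "no *$table section in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v tbl="$table" -v rule="$rule" '
        /^\*/      { cur = substr($0, 2) }     # "*nat" -> we are now in table nat
        /^COMMIT$/ { if (cur == tbl) print rule; cur = "" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# rules_in_table FILE TABLE: print the -A lines that belong to TABLE only.
rules_in_table() {
    awk -v tbl="$2" '
        /^\*/      { cur = substr($0, 2) }
        /^COMMIT$/ { cur = "" }
        /^-A/ && cur == tbl { print }
    ' "$1"
}

# Constructed sample in the article's layout (counters zeroed, no mangle table).
make_sample_file() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Demo: the article's shared-access SNAT goes to nat, the final DROP to filter.
demo() {
    f=$(mktemp) || return 1
    make_sample_file "$f"
    add_rule_to_table "$f" nat "-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 218.4.62.14"
    add_rule_to_table "$f" filter "-A FORWARD -s 192.168.0.0/16 -j DROP"
    cat "$f"
    rm -f "$f"
}

demo
```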

Install and start IPTABLES

After Red Hat Linux 7.3 is installed, iptables is present, but ipchains is started by default, and the rules you defined during installation are written to /etc/sysconfig/ipchains. We must stop ipchains before starting iptables (note: iptables can be started without stopping ipchains, but it does not actually take effect then. ipchains and iptables are two different firewalls; you can only use one of them).

service ipchains stop (stop ipchains)
chkconfig --level 2345 ipchains off (do not start ipchains automatically at boot)
chkconfig --level 2345 iptables on (start iptables automatically at boot)
vi /etc/rc.d/rc.local (edit rc.local and add the following four lines at the end)

ifconfig eth0:0 218.4.62.18 netmask 255.255.255.248
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

(The first line adds the second IP address, 218.4.62.18, to eth0 as the alias eth0:0, because only one address, 218.4.62.14, can be set during installation; the netmask 255.255.255.248 is the /29 allocated by the ISP. ip_conntrack_ftp and ip_nat_ftp are the modules iptables needs to track and NAT FTP's data connections. The last line enables IP forwarding on the server.)

(If these modules are compiled into the kernel, the second and third lines can be omitted.)

Configure the DHCP server so that the company PCs obtain an IP address and gateway automatically; the gateway is 192.168.2.9. For the specific steps, see the relevant documentation; this article does not cover them.

reboot

After the server restarts, iptables is running.

Configure IPTABLES

After this basic introduction to iptables, we can configure our server. First, let the Web Server through: add the following two lines to the nat table in /etc/sysconfig/iptables:

-A PREROUTING -d 218.4.62.18 -j DNAT --to-destination 192.168.255.254
-A POSTROUTING -s 192.168.2.254 -j SNAT --to-source 218.4.62.18

The first rule DNATs every packet whose destination address is 218.4.62.18 to 192.168.2.254; the second SNATs every packet whose source address is 192.168.2.254 to 218.4.62.18. The DNAT destination and the SNAT source must name the same host, the Web Server's internal address, or its replies leave with the wrong source. Set the Web Server's gateway to 192.168.20.9.

Next, enable shared Internet access by SNATing every packet forwarded from the internal network to 218.4.62.14:

-A POSTROUTING -s 192.168.0.0/16 -j SNAT --to-source 218.4.62.14

Add the following rules to the filter table in /etc/sysconfig/iptables:

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable

These two lines are a simple defence against DoS attacks (they answer at most 6 echo requests per minute, with a burst of 2, and reject the rest); other attacks can be handled in the same way.

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j DROP

These two lines make INPUT a stateful firewall. Connection tracking classifies every packet as NEW, ESTABLISHED, RELATED or INVALID; since only ESTABLISHED and RELATED packets arriving on eth0 are accepted and everything else on eth0 is dropped, connections and attacks initiated from outside are blocked, while connections initiated by the local machine are unaffected.

Since not every computer may access the Internet, we also need to restrict which computers get shared access.

IP address restriction:

-A FORWARD -s 192.168.2.0/29 -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -s 192.168.2.0/29 -p tcp -m multiport --dports 3128,110,25 -j ACCEPT
-A FORWARD -s 192.168.255.253 -j ACCEPT

The computers 192.168.2.0 ~ 192.168.2.7 and 192.168.255.253 (the Squid server) can access the Internet and send and receive mail. 3128 is the proxy port of the Squid server, through which web access is shared; 110 is POP3 and 25 is SMTP; UDP 53 is the port DNS needs. However, because DHCP is in use, a computer's IP address may differ each time, so we need the following MAC restriction.

MAC restriction:

-A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT

This controls access by network card, but there are plenty of computer experts around now, and changing a MAC address is not hard. What then? Use our third method.

MAC + IP restriction:

Edit /etc/dhcpd.conf to bind the MAC address to a fixed IP address:

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.30 192.168.2.230;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.9;
    option domain-name-servers 212.132.16.163;
    host meeting-room {
        hardware ethernet 00:50:ba:c8:4b:3a;
        fixed-address 192.168.2.35;
    }
}

Then change our iptables rules to match on both:

-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53 -j ACCEPT
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT

After this, even the experts can do nothing. But there is a girl in the company who is with the TV station, and I want to chat with her at work to build up our relationship. What to do? We know QQ uses UDP port 4000 and, if that is taken, the ports after it, so the rules become:

-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p udp -m multiport --dports 53,4000,4001,4002,4003,4004,4005 -j ACCEPT
-A FORWARD -s 192.168.2.35 -m mac --mac-source XX:XX:XX:XX:XX:XX -p tcp -m multiport --dports 3128,110,25 -j ACCEPT

Finally add this line:

-A FORWARD -s 192.168.0.0/16 -j DROP

Everything that should be allowed has been accepted above, so everything else is dropped at the end. That's it; success.
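The whole nat + filter configuration above, as an added example that is not the article's own script: it emits the two tables in iptables-restore format and derives the MAC + IP FORWARD rules from the same IP/MAC bindings that go into dhcpd.conf, so the DHCP reservation and the firewall rule cannot drift apart. It assumes the Web Server's internal address is 192.168.2.254 as the text states, uses a constructed two-host binding list, and adds one rule the article's list lacks: an explicit FORWARD ACCEPT for the Web Server, whose replies (source 192.168.2.254) the final LAN DROP would otherwise catch.

```shell
#!/bin/sh
# Added example, not the article's script: emit the nat and filter tables
# described above in iptables-restore format. The per-host FORWARD rules
# (MAC + IP restriction) are generated from the same IP/MAC bindings that go
# into dhcpd.conf, so the reservation and the firewall rule cannot drift apart.
WAN_IF=eth0
SHARED_IP=218.4.62.14      # SNAT source for shared Internet access
WEB_PUB=218.4.62.18        # public address of the Web/Mail/FTP server
WEB_INT=192.168.2.254      # its internal address (the one the text names)
SQUID=192.168.255.253
LAN=192.168.0.0/16

# Constructed bindings, "<ip> <mac>" per line, one per dhcpd.conf host entry.
HOSTS='192.168.2.35 00:50:ba:c8:4b:3a
192.168.2.36 00:50:ba:c8:4b:3b'

# Two rules per host: DNS over UDP, then Squid proxy, POP3 and SMTP over TCP.
host_rules() {
    echo "-A FORWARD -s $1 -m mac --mac-source $2 -p udp -m multiport --dports 53 -j ACCEPT"
    echo "-A FORWARD -s $1 -m mac --mac-source $2 -p tcp -m multiport --dports 3128,110,25 -j ACCEPT"
}

gen_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A PREROUTING -d $WEB_PUB -j DNAT --to-destination $WEB_INT"
    # The server-specific SNAT must precede the catch-all LAN SNAT: first match wins.
    echo "-A POSTROUTING -s $WEB_INT -j SNAT --to-source $WEB_PUB"
    echo "-A POSTROUTING -s $LAN -j SNAT --to-source $SHARED_IP"
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Rate-limited ping, then a stateful INPUT policy on the WAN interface.
    echo "-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 2 -j ACCEPT"
    echo "-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable"
    echo "-A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $WAN_IF -j DROP"
    # ACCEPT first: the Web Server's replies (not in the article's list, so the
    # final LAN DROP would catch them), the Squid server, then each bound host.
    echo "-A FORWARD -s $WEB_INT -j ACCEPT"
    echo "-A FORWARD -s $SQUID -j ACCEPT"
    echo "$HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] && host_rules "$ip" "$mac"
    done
    # DROP last: whatever from the LAN was not explicitly allowed above.
    echo "-A FORWARD -s $LAN -j DROP"
    echo "COMMIT"
}

# Self-checks: every host got its pair of ACCEPTs; the LAN DROP is the last FORWARD rule.
count_forward_accepts() { gen_rules | grep -c '^-A FORWARD .* -j ACCEPT$'; }
last_forward_rule() { gen_rules | grep '^-A FORWARD' | tail -n 1; }

gen_rules
```

Pipe the output into iptables-restore, or write it to /etc/sysconfig/iptables for the init script to load at boot.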

Summary

There is no absolutely secure firewall in the world; security is always relative. The idea behind configuring iptables is: ACCEPT first, then DROP. Another way to share the Internet is by the owner (user) of the connection on the iptables server, but because Linux has no authentication mode like Win2K's, verifying the owner is difficult. I am still testing this and have no better solution yet; if any of you solve it, please mail me, and I would be very grateful. Note that when doing NAT, the clients' gateway must be the IP address of the iptables server.

If there is any error in this article, please let me know.

Build a firewall instance using Linux + iptables

I wrote this article earlier. I hope it will be helpful to you :)

Author: a Hui (huimail@21cn.com)

