Build a Linux Firewall and set a firewall for individual users (1)

Source: Internet
Author: User

What is a Linux firewall?

For a system on the Internet, whatever its role, start from the assumption that the network is hostile. Building a firewall therefore does not guarantee 100% security, but it is absolutely necessary. Like any other public space, the Internet is full of people who are merely bored and people with hostile intentions. The purpose of a firewall is to keep such people out of your network while still letting you get your work done.
So how much Linux firewall security is enough? That is hard to answer, because different environments have different security requirements. A simpler way to put it: when you understand your Linux system and its configuration well enough to protect your data and confidential files, you have adequate security for your purposes.
So what is a firewall? A firewall is a system, or a group of systems, that enforces an access control policy between networks. Implementations differ, but in principle a firewall is a pair of mechanisms: one that blocks traffic and one that permits traffic to pass.
Some firewalls lean towards blocking traffic, others towards permitting it. The most important concept about a firewall is that it implements an access control policy.
In general a firewall is configured to prevent unauthorized interactive logins from the "outside" world. This goes a long way towards stopping an attacker from logging on to a machine in your network. A well-designed firewall can block inbound traffic from the outside while still allowing internal users to communicate freely with the outside. No firewall, however, protects you from every kind of network attack; the only way to achieve that is to disconnect from the network altogether.
Another important function of a firewall is that it provides a single "choke point" at which security and audit checks can be placed. Where a dial-in modem line can be watched with call logging and tracing, the firewall plays the same role for network traffic. It provides an important logging and audit function: it can tell the administrator what kinds and volumes of traffic pass through it and how many attempts have been made to break in.

Balance between two types of firewalls
There are two types of firewalls: network-level firewalls and application-level firewalls. The difference between the two is not as large as you might think, and the latest technology blurs it further, so which is "better" or "worse" is no longer clear-cut.
Network-level firewalls generally make their decisions based on the source and destination addresses and ports of individual IP packets. A simple router is the "traditional" network-level firewall: it cannot make sophisticated decisions and cannot determine the actual meaning of a packet or where it really came from. Modern network-level firewalls have become more sophisticated and can keep track of connection state and some of the contents of the data stream.
An important characteristic of many network-level firewalls is that they route traffic directly between the networks they connect. To use such a firewall you therefore usually need a block of valid, routable IP addresses. Network-level firewalls are generally fast and transparent to users.
An application-level firewall is generally a host running proxy servers. It does not allow traffic to pass directly between the networks; instead it relays, logs and audits the traffic. Because the proxies are software components running on the firewall host, they are a good place to implement logging and access control.
An application-level firewall can also act as a network address translator: traffic enters from one side and leaves from the other through the proxy, which effectively hides the original source address from the application on the far side.
In some configurations an application-level firewall costs performance and is less transparent. Early application-level firewalls were not transparent to end users at all and required user training. Application-level firewalls generally provide more detailed audit reports and tend to enforce a more conservative policy than network-level firewalls.
The future of the firewall lies somewhere between the two. Network-level firewalls will increasingly "understand" the traffic they pass, while application-level firewalls will become more "low-level" and transparent. The end result will be a fast packet-screening system that records and audits the data passing through it.

Linux provides an excellent firewall tool, netfilter/iptables (http://www.netfilter.org/). It is completely free and runs well on a low-specification old machine. Netfilter/iptables is powerful and flexible, and can be used to control inbound and outbound traffic precisely.
In fact, each major Linux kernel generation has had its own firewall software. iptables (netfilter) is regarded as the fourth generation of Linux packet-filtering software. The first generation was ipfw, ported from BSD Unix by Alan Cox for the Linux 1.1 kernel.
In the 2.0 kernel, Jos Vos and other programmers extended ipfw and added the ipfwadm user-space tool. In the 2.2 kernel, Paul "Rusty" Russell and Michael Neuling made significant improvements: Russell added ipchains, whose user-defined chains help keep large rule sets manageable. Russell then wrote the kernel framework named netfilter (http://www.netfilter.org/). Each of these suites improved on its predecessor.
Netfilter/iptables has been included in the kernel since 2.4. It implements packet filtering (the firewall), NAT (Network Address Translation) and packet mangling. Netfilter does the work inside the kernel, while iptables is the user-space tool with which you define the tables of rules. Netfilter/iptables evolved from ipchains and ipfwadm (IP firewall administration). For simplicity I will call it iptables from here on.
iptables itself runs only on Linux, but by placing it in front of a subnet you can use it to protect Unix, Linux and BSD workstations, or any other platform, behind it. iptables inspects only the packet headers, so it adds little load to the traffic flow and does not need to understand the application payload. For better security you can combine it with a proxy server such as squid.

Concepts and usage of iptables

A typical firewall configuration has two network interfaces, one facing the internal network and one facing the outside. iptables reads the headers of inbound and outbound packets, compares them against the rule set, and forwards acceptable packets from one interface to the other. Rejected packets can be discarded or handled as the rules define.
You control packet filtering by giving the firewall rules: instructions on what to do with packets from a given source, to a given destination, or of a particular protocol type. You create these rules with the iptables command and add them to chains in the packet-filtering tables in kernel space. The general syntax for adding, deleting and editing rules is:

       iptables [-t table] command [match] [target]

In practice we write rules in this order because it is the easiest to read. Most rules follow it, so if you read rules written by others you will find the same layout.
If you do not want to use the default table, you must name the table with -t. Usually you do not need to, because iptables works on the filter table unless told otherwise. Strictly speaking the table name can appear almost anywhere in the rule, but putting it first is the accepted convention. The command normally comes first, or directly after the table name, but readability should guide where you put it.
The command tells iptables what to do: insert a rule, append a rule to the end of a chain, delete a rule, and so on. The commands are described in detail below.
The match describes a particular feature of a packet that distinguishes it from all others: the source IP address, the network interface, the port, the protocol type, or something else. We will see many different matches below.
Finally, the target says what happens to the packet. If the packet satisfies all the matches, the kernel applies the target to it, or hands the packet over to the target. For example, the target can send the packet to another chain in the same table (one we created ourselves), drop the packet without further processing, or return a special reply to the sender. The three parts are discussed one by one below:

The [-t table] option selects a table other than the default. A table is a packet-filtering table containing rules and chains that handle only particular kinds of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, the filter table is used. The function of each table is described below.
Filter
The filter table is for filtering packets. Here we match packets and DROP or ACCEPT them based on their content. Some filtering can also be done elsewhere, but this table is designed for it, and almost every target can be used here.
Nat
The nat table is used for Network Address Translation (NAT). Packets that undergo NAT have their addresses changed according to our rules. Only the first packet of a connection passes through this table.
If the first packet is NATed or masqueraded, the remaining packets of the connection are automatically handled the same way: they do not pass through this table again but are translated one by one by connection tracking. This is the main reason you should not filter in this table. The PREROUTING chain changes the destination address of a packet as it arrives at the firewall, if necessary. The OUTPUT chain changes the destination address of locally generated packets.
The POSTROUTING chain changes the source address of a packet before it leaves the firewall. This table is only for NAT, that is, for translating the source or destination address of packets. Remember that only the first packet of a stream is matched by these chains; subsequent packets are processed the same way automatically. The actual operations are:
◆ DNAT
◆ SNAT
◆ MASQUERADE
DNAT is used in this situation: you have one valid public IP address and need to redirect connections arriving at the firewall to another machine, for example one in the DMZ. In other words, we change the destination address so that the packet is rerouted to that host.
SNAT changes the source address of a packet, which hides your local network or DMZ. A typical example: only the external address of the firewall is known to the outside, so local addresses must be replaced with it. With this operation the firewall automatically applies SNAT on the way out and de-SNAT (the reverse translation) on the replies, so that the LAN can reach the Internet.
If you sent packets from an address such as 192.168.0.0/24 unchanged, you would never receive a reply from the Internet, because IANA defines that network (and a few others) as private, usable only inside a LAN.
MASQUERADE has exactly the same effect as SNAT but costs slightly more CPU: for each connection it must look up the address currently assigned to the outgoing interface, whereas SNAT uses the fixed address given in the rule. The advantage is that it works with dynamically assigned addresses, such as on PPP, PPPoE and SLIP links, where the ISP hands out the address when the link comes up.
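The three operations above, as an added example that is not part of the original article: a small POSIX shell script that forwards public TCP/80 to a DMZ host with DNAT and source-NATs a LAN, choosing SNAT when the firewall has a fixed public address and MASQUERADE when the address is assigned dynamically. The interface names (eth0/eth1/eth2), the RFC 5737 documentation addresses, the DMZ host and the run() wrapper are assumptions; run() only prints the commands unless APPLY=1 is set, so the script can be read and tested without root.

```shell
#!/bin/sh
# Added example (not the article's code): DNAT a public port to a DMZ host and
# SNAT/MASQUERADE a LAN. Interfaces, addresses and hosts are assumptions
# (RFC 5737 documentation ranges). Dry-run by default: the commands are printed.
# Set APPLY=1 to execute them (needs root and iptables).

WAN_IF="${WAN_IF:-eth0}"
WAN_ADDR="${WAN_ADDR-203.0.113.1}"   # fixed public address; set to "" for a dynamic link
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
DMZ_IF="${DMZ_IF:-eth2}"
DMZ_HOST="${DMZ_HOST:-10.0.0.10}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Routing between interfaces must be switched on or nothing is forwarded.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Port forward: rewrite the destination of inbound TCP/80 on the WAN side to the
# DMZ web server. The nat table only sees the first packet of each connection,
# so it must not be used for filtering; the FORWARD rule in the filter table is
# what actually permits the traffic.
dnat_web() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "${DMZ_HOST}:80"
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Outbound source NAT for the LAN. With a fixed public address SNAT is cheaper
# (no lookup of the interface address); on a PPP/DHCP link the address changes,
# so MASQUERADE is the right target. Replies are de-SNATed by connection
# tracking; only new LAN connections need an explicit FORWARD rule.
snat_lan() {
    if [ -n "$WAN_ADDR" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_ADDR"
    else
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding
dnat_web
snat_lan
```

Run it as is to see the rule set it would load; `WAN_ADDR="" sh nat.sh` switches the LAN rule to MASQUERADE, and `APPLY=1 sh nat.sh` applies it. The FORWARD rules are the part people forget: the nat table translates the address, but the filter table still decides whether the connection is allowed through.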

Mangle
This table is for mangling packets: changing fields in the packet or its headers, such as TTL, TOS or MARK. Note that MARK does not actually change the packet; it only attaches a mark to the packet inside the kernel, which other rules on the firewall, or programs such as tc, can use to filter packets or do advanced routing. The table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD.
PREROUTING changes packets after they enter the firewall and before the routing decision. POSTROUTING runs after all routing decisions have been made. OUTPUT changes locally generated packets before their route is decided. INPUT changes packets that have been routed to the local machine, before a user-space program sees them. FORWARD changes packets that are routed through the firewall. Note: the mangle table cannot be used for NAT. It changes only TTL, TOS or MARK, never the source or destination address; NAT is done in the nat table. The operations specific to the mangle table are:
◆ TOS
◆ TTL
◆ MARK
The TOS operation sets or changes the Type of Service field of a packet. This is often used for policies such as how packets are routed within your network. Be aware that it is not reliable and sometimes not even desirable: the field is not honoured across the Internet and many routers ignore it. In other words, do not set it on packets destined for the Internet unless you intend to route on TOS yourself, for example with iproute2.
The TTL operation changes the TTL (time to live) of a packet. We can give every outgoing packet the same TTL. One reason for this is to fool some ISPs, which do not want their customers to share a connection: they look for different TTL values arriving from a single address and use them to decide whether the connection is shared.
MARK attaches a special mark to the packet. iproute2 can recognise the mark and choose different routes depending on its value or absence. Marks can also be used for bandwidth limiting and for classifying traffic by request.
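An added example, not the article's code, of the three mangle operations together with the iproute2 side that gives MARK its meaning: packets from one LAN host are marked in PREROUTING and routed out through a second ISP uplink by an ip rule keyed on the mark, interactive ssh is tagged with a TOS value, and the TTL of everything leaving the firewall is normalised. The interface names, gateway address, host, mark value 2, routing table 200 and the run() wrapper are assumptions; run() prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the article's code): mangle-table MARK/TOS/TTL with
# iproute2 policy routing. Interfaces, gateways, hosts, mark and table numbers
# are assumptions. Dry-run by default (commands printed); set APPLY=1 to
# execute as root with iptables and iproute2 installed.

WAN_IF="${WAN_IF:-eth0}"                     # default uplink (ISP A)
ISP_B_IF="${ISP_B_IF:-eth1}"                 # second uplink (ISP B)
ISP_B_GW="${ISP_B_GW:-198.51.100.1}"         # ISP B gateway (RFC 5737 address)
SPECIAL_HOST="${SPECIAL_HOST:-192.168.0.50}" # LAN host to send via ISP B
FWMARK=2        # arbitrary mark value; must match the ip rule below
RT_TABLE=200    # arbitrary routing table number (1-252 are free for local use)

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# MARK: tag packets from one LAN host before the routing decision (PREROUTING),
# then let iproute2 send marked packets through the second uplink. The mark
# exists only in the kernel's packet metadata; nothing on the wire changes.
mark_for_isp_b() {
    run iptables -t mangle -A PREROUTING -s "$SPECIAL_HOST" -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$RT_TABLE"
    run ip route add default via "$ISP_B_GW" dev "$ISP_B_IF" table "$RT_TABLE"
    run ip route flush cache
    # Caveat: the nat table must then SNAT marked traffic to ISP B's address
    # (a POSTROUTING rule with -o "$ISP_B_IF"), or replies never come back.
}

# TOS: ask routers to minimise delay for interactive ssh. Honoured only inside
# networks you control; on the Internet most routers ignore or rewrite it.
tos_interactive_ssh() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
}

# TTL: give every packet leaving the firewall the same TTL, so an outside
# observer (the article's example is an ISP looking for a shared connection)
# cannot infer how many hops, i.e. how many machines, sit behind the firewall.
ttl_normalise() {
    run iptables -t mangle -A POSTROUTING -o "$WAN_IF" -j TTL --ttl-set 64
}

mark_for_isp_b
tos_interactive_ssh
ttl_normalise
```

The TTL and TOS targets need the corresponding kernel modules (ipt_TTL, ipt_TOS or their xtables successors); if `iptables` reports "No chain/target/match by that name", that is what is missing, not a syntax error in the rule.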
Command
The command is the most important part of the iptables invocation. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule.
If you run iptables without the required parameters, it prints a hint telling you which parameters are needed. The option -V displays the iptables version, and -h prints a brief summary of the syntax.
Match
The optional match part of the iptables command specifies the packet characteristics a rule applies to, such as source and destination addresses and protocol. Matches fall into five categories: generic matches, which can be used in any rule; TCP matches, which, as the name says, apply only to TCP packets; UDP matches, which apply only to UDP packets; ICMP matches, for ICMP packets; and special matches, for connection state, the owner of the packet, rate limiting and so on. Here we introduce only the generic matches; once you are familiar with them, the other kinds are easy to understand.
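The syntax iptables [-t table] command [match] [target], the commands and the generic matches described above, as an added example that is not from the article: a default-deny policy in the filter table for a host with one Internet-facing interface. It uses the commands -F, -X, -P, -N, -A and -I, the generic matches -i, -s, -d, -p and ! (negation), and the state and limit matches from the "special" category. The interface name eth0, the admin network 192.168.0.0/24, the ssh port and the run() wrapper (dry-run unless APPLY=1) are assumptions.

```shell
#!/bin/sh
# Added example (not the article's code): a default-deny filter-table policy
# built with the "iptables [-t table] command [match] [target]" syntax.
# The interface, admin network and ssh port are assumptions. Dry-run by
# default (the commands are printed); set APPLY=1 to execute as root.

WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Commands: -F flushes all rules, -X deletes user-defined chains, -P sets the
# chain policy. No -t is given, so everything below lives in the filter table.
reset_filter() {
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

# Generic matches: -i interface, -s/-d address, -p protocol, "!" negation.
# A user-defined chain (-N) bundles rate-limited logging with the DROP so
# every rejected packet takes the same path.
base_policy() {
    run iptables -N LOGDROP
    run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    run iptables -A LOGDROP -j DROP

    run iptables -A INPUT -i lo -j ACCEPT
    # Loopback addresses must never arrive on a real interface.
    run iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j LOGDROP
    # Replies to connections we started (state match: the "special" category).
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Spoofing: our own admin range arriving on the Internet-facing interface.
    run iptables -A INPUT -i "$WAN_IF" -s "$ADMIN_NET" -j LOGDROP
    # Answer pings, but not floods.
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
}

# ssh only from the admin network. -I puts the rule at the head of INPUT so it
# is evaluated before anything else; everything not matched by any rule falls
# through to the chain policy, which is DROP.
allow_admin_ssh() {
    run iptables -I INPUT 1 -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
}

# Explicit last rule: log what the policy is about to drop.
final_drop() {
    run iptables -A INPUT -j LOGDROP
}

reset_filter
base_policy
allow_admin_ssh
final_drop
```

Two things worth checking before running it with APPLY=1: the ssh rule must match the network you are connected from, otherwise `-P INPUT DROP` locks you out, and the limit on the LOG rule is what keeps a port scan from filling the syslog.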

