Build a Linux firewall based on ipchains

Source: Internet
Author: User
Tags bit set
Article title: Build a Linux firewall based on ipchains. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
As we all know, Linux can be used as an excellent firewall software. Whether used in combination with a Web or FTP website or as a front-end server of an internal LAN, Linux provides the necessary tools to construct a firewall that meets the special requirements of users.
  
Built in the Linux kernel, ipchains is a basic firewall tool that rejects, accepts, and routes data packets between systems. With ipchains, coupled with the inherent low-cost advantage of the Linux operating system, Linux is undoubtedly a cheap option for LAN or CEN firewall connected to the Internet.
  
Firewall type
  
The Linux kernel defines three types of firewall communication filtering, and applies different rules to various communication modes to form a firewall with extremely broad functions. The three basic types are as follows:
  
Input Firewall: all incoming data is checked by the Input Firewall rules before it is received.
Output Firewall: all outgoing data is checked by the Output Firewall rules before being sent.
Forwarding Firewall: all forwarded data is checked by Forwarding Firewall rules before being sent.
Users can define their own rules (or "chains", that is, chains), which are equivalent to scaling up the three basic firewall rules.
  
Firewall policy
  
All three rule types and user-defined additional rules have default policies. the default policy controls how the system processes special data packets arriving at the firewall. You can either use a standard policy for any rule or transfer it to another user-defined rule for further processing. These standard policies are:
  
ACCEPT (ACCEPT): Allow data packets to pass through the firewall.
REJECT (rejection): discard the packet and send an ICMP error message to the sender of the packet. Here, ICMP refers to the Internet Control Message Protocol, that is, the Internet Control Message Protocol.
DENY: directly discards data packets and does not provide any error information to the sender.
MASQ (disguise): disguise a data packet to make it look like it is from a local system. This policy is particularly useful when Linux is used as a router.
REDIRECT (forwarding): no matter where the data packet is destined, it is forwarded to the specified port of the local system.
RETURN (RETURN): This policy is only valid for user-defined rules. it directly returns the call chain. If this policy is applied to a kernel chain, it means that the chain is detached and replaced by the default policy of this chain.
  
Construct a rule chain
  
The ipchains method for constructing rule chains is quite simple and flexible. For any chain, you can specify a series of options, including:
  
Protocol Type (TCP, UDP, ICMP, or ALL ).
Data packet source address (format: address [/mask] [port [: port]).
The destination address of the data packet (in the same format as the source address ).
Target port number (format: port [: port]).
ICMP packet type (there are many types of ICMP messages. you can specify rules to a specific type ).
The interface applied by the rule (for example, eth0 ).
There are other options to specify the priority of different TCP packets. For example, assign an FTP package a higher priority than an IRC (Internet Relay Chat) package. Another example is to provide logging for some links and set more detailed options, such as the package type and size.
  
In view of the wide variety of functions and options of ipchains, building a firewall may be simple or extremely complex, which is related to specific requirements. A simple firewall can consist of only four to five commands. a complex firewall can consist of hundreds of ipchanins commands to lock everything, only open specific services and ports as needed.
  
Building a Firewall is a very complicated task. we strongly recommend that you refer to the Linux Firewall Design Toolkit at www.linux-firewall-tools.com/linux/firewall. It provides a simple and detailed online firewall design interface, even if you are not familiar with how to use ipchains, you can use it to generate firewall scripts that can be used directly.
  
Firewall script instance
  
The following is a simple firewall script.
Ipchains-A input-I eth0-s 192.168.0.0/16-j REJECT
Ipchains-A input-d 192.168.1.5 25-j ACCEPT
Ipchains-A input-d 192.168.1.5.110-j ACCEPT
Ipchains-A input-d 192.168.0.0/16-syn-j REJECT
  
This script adds some rules to the input rule chain. The first rule means that if the source address of any data packet that reaches the external interface is dressed as from the internal network (192.168), it is discarded because someone tries to cheat. The following two rules mean to receive all the target addresses as 192.168.1.5 (this is an email server that provides SMTP service on port 25 and POP3 service on port 110 ). The last rule indicates that all other TCP connections with the SYN bit set are rejected (set the SYN bit to attempt to initialize a connection ).
  
Conclusion
  
Whether providing a firewall for a Linux server or a firewall/router for an internal LAN, ipchains can provide powerful filtering capabilities. A well-configured firewall provides invaluable security and protection. Linux has the flexibility and strength required by anyone who wants to build a firewall, and it also has its own low-cost advantages.
  

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.