Build a Linux Firewall Based on Ipchains

Source: Internet
Author: User
Linux is well established as a firewall platform. Whether it is combined with a Web or FTP site or placed as a front-end server in front of an internal LAN, Linux provides the tools needed to construct a firewall that meets a user's specific requirements.

Built into the Linux kernel, ipchains is a basic packet-filtering tool that accepts, rejects, and redirects data packets passing between systems. Together with the inherently low cost of the Linux operating system, ipchains makes Linux a cheap option for a LAN or CEN firewall connected to the Internet.

Firewall type

The Linux kernel defines three built-in points at which traffic is filtered, and applies a separate set of rules to each direction of traffic, which together form a firewall with very broad capabilities. The three basic types are as follows:

Input Firewall: all incoming data is checked by the Input Firewall rules before it is received.

Output Firewall: all outgoing data is checked by the Output Firewall rules before being sent.

Forwarding Firewall: All forwarded data is checked by Forwarding Firewall rules before being sent.

Users can also define their own rule chains (user-defined "chains"), which extend the three built-in chains.

Firewall Policy

All three built-in chains and any user-defined chains have a default policy. The default policy determines what the system does with a packet that reaches the end of a chain without matching any rule. For any rule, the target can either be one of the standard policies or another user-defined chain to which the packet is handed for further processing. The standard policies are:

ACCEPT: allow the packet to pass through the firewall.

REJECT: discard the packet and send an ICMP (Internet Control Message Protocol) error message back to the sender.

DENY: discard the packet silently, without returning any error message to the sender.

MASQ (masquerade): rewrite the packet so that it appears to originate from the local system. This policy is particularly useful when Linux is used as a router for a private network.

REDIRECT: regardless of the packet's original destination, deliver it to the specified port on the local system.

RETURN: this policy is only meaningful in user-defined chains, where it returns directly to the calling chain. If it is applied in a built-in chain, the packet is treated as if it had fallen off the end of that chain, and the chain's default policy is applied.

Construct a rule chain

The ipchains method of constructing rule chains is simple and flexible. For any chain, you can specify a series of match options, including:

Protocol type (TCP, UDP, ICMP, or ALL).

Packet source address (format: address[/mask] [port[:port]]).

Packet destination address (same format as the source address).

Destination port number (format: port[:port]).

ICMP packet type (there are many ICMP message types, and a rule can be restricted to a specific one).

The network interface the rule applies to (for example, eth0).

Other options set the priority (type of service) of different TCP packets, for example giving FTP packets a higher priority than IRC (Internet Relay Chat) packets. Another option enables logging for selected connections, and further options match finer details such as the packet type and size.

Given the wide range of ipchains functions and options, building a firewall can be simple or extremely complex, depending on the specific requirements. A simple firewall may consist of only four or five commands. A complex firewall may consist of hundreds of ipchains commands that lock everything down and open only the specific services and ports that are needed.

Building a firewall is a complicated task, so we strongly recommend referring to the Linux Firewall Design Toolkit at www.linux-firewall-tools.com/linux/firewall. It provides a simple but detailed online firewall design interface; even if you are not familiar with ipchains, you can use it to generate firewall scripts that can be run directly.

Firewall script instance

The following is a simple firewall script.
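The following script is an added example, not the original page's script: a minimal ipchains firewall for a Linux host with one Internet-facing interface and one masqueraded LAN interface, using the default-DENY policy, the anti-spoofing check, and the stateless SYN handling that ipchains rules are built from. The interface names (eth0, eth1) and the LAN range 192.168.1.0/24 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed interfaces and a
# constructed RFC 1918 LAN range; adjust before use.
EXT_IF=eth0                # assumed Internet-facing interface
INT_IF=eth1                # assumed LAN interface
INT_NET=192.168.1.0/24     # constructed private LAN range
ANY=0.0.0.0/0

# Emit the ipchains commands, one per line, in the order they must run.
# Chains are matched top to bottom and the first match wins, so the
# specific ACCEPT rules precede the final logging DENY.
firewall_rules() {
    echo "ipchains -F"                  # flush the built-in chains
    echo "ipchains -X"                  # delete user-defined chains
    # Default policies: drop silently unless a rule says otherwise.
    echo "ipchains -P input DENY"
    echo "ipchains -P output ACCEPT"
    echo "ipchains -P forward DENY"
    # Loopback and the trusted LAN side are accepted as a whole.
    echo "ipchains -A input -i lo -j ACCEPT"
    echo "ipchains -A input -i $INT_IF -s $INT_NET -j ACCEPT"
    # Anti-spoofing: LAN addresses must never arrive on the outside interface.
    echo "ipchains -A input -i $EXT_IF -s $INT_NET -l -j DENY"
    # From the Internet, only SSH may open a new connection (SYN packets, -y).
    echo "ipchains -A input -i $EXT_IF -p tcp -d $ANY 22 -y -j ACCEPT"
    # ipchains is stateless: let non-SYN TCP (replies to connections we
    # opened) and DNS replies from port 53 back in.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p udp -s $ANY 53 -j ACCEPT"
    # For ICMP the source "port" is the ICMP type: echo-reply (0),
    # destination-unreachable (3), time-exceeded (11).
    for t in 0 3 11; do
        echo "ipchains -A input -i $EXT_IF -p icmp -s $ANY $t -j ACCEPT"
    done
    # Masquerade LAN traffic leaving through the outside interface.
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    # Anything else arriving from outside is logged (-l) and dropped.
    echo "ipchains -A input -i $EXT_IF -l -j DENY"
}

# Run the commands; needs root and a kernel that still provides ipchains.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward   # MASQ requires IP forwarding
    firewall_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) firewall_rules ;;    # default: print the rules without applying them
esac
```

Run it with no argument to review the generated rules, and with `apply` as root to load them.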
