Build DMZ with Linux Firewall

The importance of defense in network security is needless to say. The most common way to protect a network is to use a firewall. As the first line of defense of the network, the firewall is usually placed between the Internet and the network to be protected. The simplest case is to place the firewall directly between the Internet and the enterprise network, and all the data traffic flowing into the enterprise network will go through the firewall, all clients and servers of an enterprise are protected by the firewall. This is simple for some small and medium-sized enterprises, and this solution also performs well in some cases. However, this structure is simple after all. Many servers, clients, and other resources in an enterprise need to be protected. Different resources have different security requirements. The security level of the client cannot be used to treat the server, so the server will be very dangerous. Similarly, the security level of the server cannot be used to treat the client, which makes the user feel inconvenient.

To provide different security levels for different resources, you can consider building a region called "Demilitarized Zone" DMZ. DMZ can be understood as a special network area different from the Internet or intranet. DMZ usually stores some public servers without confidential information, such as Web, Mail, and FTP. In this way, visitors from the Internet can access services in DMZ, but they cannot access company secrets or private information stored in the intranet. Even if the DMZ server is damaged, the confidential information in the Intranet is not affected.

Many firewall products provide DMZ interfaces. Hardware firewalls use dedicated hardware chips, so they have absolute advantages in performance and traffic. The cost-effectiveness of the software firewall is very good, and the general use of the enterprise is good. If you use the Linux firewall, the cost will be lower. Therefore, we will introduce how to divide the DMZ area on the Linux firewall.

Build DMZ policies

Linux uses iptables to replace ipfwadm and ipchains from the 2.4 kernel to implement the packet filtering function for Linux management. Linux package filtering is implemented through a kernel component called netfilter. Netfilter has three built-in tables. The default table Filter contains three rule chains, they are the INPUT chain responsible for data filtering from external network interfaces, the OUTPUT chain responsible for filtering the data OUTPUT from the network interfaces, and the FORWARD chain responsible for data filtering between network interfaces. To build a firewall with DMZ, you need to use the settings of these chains. First, you need to judge the inbound data from the NIC (eth0) connected to the external network, which is completed on the INPUT chain. If the target data address belongs to the DMZ network segment, the data will be forwarded to the network adapter eth1 connected to the DMZ network); if it is an internal network address, it is necessary to forward the data to the network adapter eth2 connected to the internal network. Table 1 shows the access relationships between networks.

Table 1 inter-network access relationship

Intranet and Internet DMZ
Intranet/Y
Internet N/Y
Dmz n/

According to table 1, the following six access control policies can be clarified.

1. Intranet access to the Internet
Intranet users obviously need to access the Internet freely. In this policy, the firewall needs to convert the source address.

2. Access DMZ through the Intranet
This policy is used to facilitate Intranet users to use and manage servers in DMZ.

3. The Internet cannot access the Intranet.
Obviously, internal company data is stored in the Intranet, which cannot be accessed by Internet users.

4. Access DMZ through the Internet
The servers in DMZ are designed to provide external services, so the Internet must be accessible to DMZ. At the same time, the firewall needs to convert the external address to the actual address of the server to access DMZ from the Internet.

5. DMZ cannot access the Intranet
Obviously, if this policy is violated, when the intruders break into DMZ, they can further attack important data on the Intranet.

6. DMZ cannot access the Internet
This policy also has exceptions. For example, when you place an email server in DMZ, you need to access the Internet; otherwise, it will not work properly.

Implementation of DMZ

You can set filtering rules for the Linux Firewall Based on the above access control policies. In a fictitious network environment, we will discuss how to establish firewall filtering rules based on the above six access control policies. The discussion here is different from the specific application, but this discussion will help the actual application. You can set the parameters based on your actual application. Network Topology 1 of the virtual environment.

Figure 1 DMZ Network Topology

1,VroConnect to the Internet and the firewall. The Linux server used as the Firewall uses three NICs: eth0 andVroThe network adapter eth1 is connected to the Hub in the DMZ area, and the network adapter eth2 is connected to the Intranet Hub. As an abstract example, we use "[Intranet address]" to represent specific values such as "192.168.1.0/24. Likewise, there are "[Internet address]" and "[DMZ address]".

One principle of firewall is to disable all data communication by default and enable necessary communication. Therefore, at the beginning of the firewall script, you need to clear the original rules of the system, and then set the default rules of INPUT, OUTPUT, and FORWARD to discard all data packets.

The corresponding firewall script snippet is as follows: # Flush out the tables and delete all user-defined chains
/Sbin/iptables-F
/Sbin/iptables-X
/Sbin/iptables-t nat-F
/Sbin/iptables-t nat-X

# Drop every packet
/Sbin/iptables-P INPUT DROP
/Sbin/iptables-P OUTPUT DROP
/Sbin/iptables-P FORWARD DROP

Implementation of six policies.

1. Intranet access to the Internet
The corresponding firewall script snippets are as follows:
/Sbin/iptables-t nat-a postrouting-s [Intranet address]-d [Internet address]-o eth0-j SNAT -- to [NAT real IP address]

When the data flows out from the eth0 connected to the Internet, you must change the source address of the data packet from the Intranet to the real IP address on the Internet to communicate with the hosts on the Internet. "[NAT real IP address]" indicates the real IP address assigned to the NAT user. If there are a few, write a few. Separate them with spaces, but at least write one.

2. Access DMZ through the Intranet
The corresponding firewall script snippets are as follows:
/Sbin/iptables-a forward-s [Intranet address]-d [DMZ address]-I eth2-j ACCEPT
The preceding command allows all data packets destined for DMZ to pass through the Intranet.

3. The Internet cannot access the Intranet.
The corresponding firewall script snippets are as follows:
/Sbin/iptables-t nat-a prerouting-s [Internet address]-d [Intranet address]-I eth0-j DROP
The preceding command discards all data packets from the Internet and from the Intranet.

4. Access DMZ through the Internet
To protect the servers in DMZ, access to DMZ from the Internet must also be restricted. The general idea is to allow only Internet access to the specific services provided by servers in DMZ, such as HTTP.
The corresponding firewall script snippets are as follows:
/Sbin/iptables-t nat-a prerouting-p tcp -- dport 80-d [real IP address on the Internet allocated to the HTTP server]-s [Internet address]-I eth0- j DNAT -- to [actual IP address of the HTTP server]
/Sbin/iptables-a forward-p tcp-s [Internet address]-d [actual HTTP Server IP address]-I eth0 -- dport 80-j ACCEPT
/Sbin/iptables-a forward-p tcp-d [Internet address]-s [actual HTTP Server IP address]-I eth1 -- sport 80! -- Syn-j ACCEPT
/Sbin/iptables-t nat-a prerouting-s [Internet address]-d [DMZ address]-I eth0-j DROP

This firewall script segment will open the HTTP service so that only data packets that access the HTTP service in DMZ can pass through the firewall.

5. DMZ cannot access the Intranet
The corresponding firewall script snippets are as follows:
/Sbin/iptables-a forward-s [DMZ address]-d [Intranet address]-I eth1-j DROP
The preceding command discards all data packets from DMZ to the Intranet.

6. DMZ cannot access the Internet
The corresponding firewall script snippets are as follows:
/Sbin/iptables-t nat-a postrouting-p tcp -- dport 25-d [Internet address]-s [email server IP address]-o eth0-j SNAT -- to [Assign real IP address on the Internet to the SMTP server]
/Sbin/iptables-a forward-p tcp-s [email server IP address]-d [Internet address]-I eth1 -- dport 25-j ACCEPT
/Sbin/iptables-a forward-p tcp-d [email server IP address]-s [Internet address]-I eth0 -- sport 25! -- Syn-j ACCEPT

The preceding command allows the email server in DMZ to connect to the SMTP service port (25) on the Internet, and then disallow other data packets sent from DMZ to the Internet.

The basic rules for implementing the above basic policies are illustrated. In actual application, you need to set it according to the actual situation. As long as it is properly configured, Linux can also become a good firewall. It must be added that no matter what type of firewall, only limited protection can be provided. Setting a firewall does not mean that the network is secure. The key lies in the comprehensive use of various security measures.