Configuring Linux firewalls with FWTK

Source: Internet
Author: User

FWTK is a set of tools used to build and maintain internal network firewalls. It consists of a number of standalone components, most of which are application proxies for Telnet, FTP, rlogin, sendmail, HTTP, X Window, and so on. Compared with squid, SOCKS and similar software, its outstanding advantage is that access rules can be specified not only by the source and destination host name or IP address, but also by allowing or denying the individual commands a user executes, which fully embodies the advantages of an application-layer gateway. This article takes telnet as an example to describe how to use FWTK to configure a proxy-server firewall on Linux.

System environment and design objectives

System environment: Red Hat Linux 6.1, FWTK v2.1, two network cards (one for the external network, one for the internal network); the external network is 192.9.200.* and the internal subnet is 10.1.1.*.

Design objectives:

Internal network users can telnet to any external host;

External network users can telnet to internal hosts only after passing authentication;

Only 10.1.1.5 may telnet to the firewall host itself (for remote administration);

Every user who passes through the firewall proxy runs with ordinary user privileges only;

The idle timeout is set to 300 seconds;

The prompts shown by the firewall can be edited by the administrator.

Install FWTK

1. Create a new directory /home/fwtk, copy fwtk.tar.z into it, and unpack it: tar xzvf fwtk.tar.z.

2. Prepare to compile:

Replace Makefile.config with Makefile.config.linux;

Remove the # in front of the AUXLIB=-lcrypt line in Makefile.config;

Add -I/usr/include/db1 after the CFLAGS=-I...$(COPT) line in auth/Makefile.

3. Compile: make.

4. Install: make install. All executables are installed by default in the /usr/local/etc directory.

Make a configuration file

1. Configure /etc/services. Add a port number for the telnet proxy (tn-gw):

tn-gw 3333/tcp

2. Configure /etc/inetd.conf. Move the normal telnet service to port 3333 and put the telnet proxy on port 23; this hides the real telnet service behind a high port, where only the wrapper can reach it. netacl is the TCP wrapper provided by FWTK, with functionality similar to tcpd:

telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw
tn-gw stream tcp nowait root /usr/local/etc/netacl in.telnetd

Run the command killall -HUP inetd to make the changes take effect.
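The point of the port swap above is easy to get backwards, so here is an added check (written for this article, not part of FWTK) that parses /etc/services and /etc/inetd.conf entries in the format shown and reports whether port 23 is answered by the tn-gw proxy while the real in.telnetd is reachable only through netacl on the high port. The file contents are constructed samples copied from the entries on this page; on a live host read the two files from /etc instead.

```python
"""Which program does inetd hand each telnet-related port to?

Added example (not from the original article and not FWTK code).
"""

# Constructed sample of the /etc/services entries used on this page.
SERVICES = """
telnet   23/tcp
tn-gw    3333/tcp
authsrv  7777/tcp
"""

# Constructed sample of the matching /etc/inetd.conf entries.
INETD_CONF = """
telnet   stream tcp nowait root /usr/local/etc/tn-gw   tn-gw
tn-gw    stream tcp nowait root /usr/local/etc/netacl  in.telnetd
authsrv  stream tcp nowait root /usr/local/etc/authsrv authsrv
"""

# Constructed counter-example: the swap was forgotten, so the real
# telnet daemon still answers on port 23 with no wrapper in front of it.
INETD_CONF_UNWRAPPED = """
telnet   stream tcp nowait root /usr/sbin/in.telnetd   in.telnetd
"""


def _lines(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_services(text):
    """Map service name -> (port, protocol)."""
    table = {}
    for fields in _lines(text):
        port, proto = fields[1].split("/")
        table[fields[0]] = (int(port), proto)
    return table


def parse_inetd(text):
    """Map service name -> (protocol, server path, argv list)."""
    table = {}
    for fields in _lines(text):
        if len(fields) < 7:
            continue  # malformed entry; inetd would reject it as well
        name, _socktype, proto, _wait, _user, server, *argv = fields
        table[name] = (proto, server, argv)
    return table


def port_owners(services_text, inetd_text):
    """Map tcp port -> (server path, argv) for every service inetd runs."""
    services = parse_services(services_text)
    owners = {}
    for name, (proto, server, argv) in parse_inetd(inetd_text).items():
        if name in services and proto == "tcp":
            owners[services[name][0]] = (server, argv)
    return owners


def check_telnet_wiring(services_text, inetd_text):
    """Return a list of problems; an empty list means the wiring is as intended."""
    owners = port_owners(services_text, inetd_text)
    problems = []
    server23, _ = owners.get(23, ("", []))
    if not server23.endswith("/tn-gw"):
        problems.append("port 23 is not answered by the tn-gw proxy")
    for port, (server, argv) in owners.items():
        if "in.telnetd" in argv and not server.endswith("/netacl"):
            problems.append(f"port {port} runs in.telnetd without netacl in front")
        if "in.telnetd" in argv and port == 23:
            problems.append("the real telnet daemon is still exposed on port 23")
    return problems


if __name__ == "__main__":
    print("page config :", check_telnet_wiring(SERVICES, INETD_CONF) or "ok")
    print("unwrapped   :", check_telnet_wiring(SERVICES, INETD_CONF_UNWRAPPED))
```

The check only looks at tcp services that appear in both files, which is exactly the set inetd will actually bind; a service listed in inetd.conf but missing from /etc/services never starts, and that omission is a common reason the proxy silently fails to answer.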

3. Configure /usr/local/etc/netperm-table (the contents of the .txt message files are written by yourself, but make sure their paths are consistent with your working directory):

Section controlling logins to the firewall host itself (normal telnet):

# allow local login
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
# only 10.1.1.5 may telnet to the firewall
netacl-in.telnetd: permit-hosts 10.1.1.5 -exec /usr/sbin/in.telnetd
# show the refusal message when login is not allowed
netacl-in.telnetd: permit-hosts * -exec /bin/cat /home/guest/notelnet.txt
# timeout setting (idle time in seconds; supply a value)
netacl-in.telnetd: timeout

Section controlling passage through the firewall host (telnet proxy). It is best to change the shell of guest in /etc/passwd from /bin/bash to /bin/false:

# authentication server IP and port number
tn-gw: authserver 127.0.0.1 7777
# working directory
tn-gw: directory /home/guest
# working group name
tn-gw: groupid guest
# working user name
tn-gw: userid guest
# welcome message
tn-gw: welcome-msg tn-welcome.txt
# message shown to refused visitors
tn-gw: denial-msg tn-deny.txt
# message shown to visitors refused a restricted destination
tn-gw: denydest-msg tn-denydest.txt
# help message
tn-gw: help-msg tn-help.txt
# idle timeout in seconds
tn-gw: timeout 300
# prompt
tn-gw: prompt tn-gw->
# allow 10.1.1.* machines to log in to any destination without authentication
tn-gw: permit-hosts 10.1.1.* -dest * -passok
# allow 192.9.200.* machines to log in to the internal network, but require authentication
tn-gw: permit-hosts 192.9.200.* -dest 10.1.1.* -auth
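Because netperm-table rules are evaluated in order (the `*` rule for netacl must come after the 10.1.1.5 rule, and a client matched by a tn-gw rule is then held to that rule's -dest list), it is worth exercising the policy against sample addresses before the gateway goes live. The following evaluator is an added example written for this article; it is not FWTK's own rule parser, and it assumes a simplified model: a rule applies when its application name matches and the client address matches its host pattern, the first matching permit-hosts rule decides, a matched rule whose -dest pattern rejects the destination refuses the connection, and an unmatched client is denied. The table it reads is a constructed copy of the netacl and tn-gw rules from this page.

```python
"""First-match evaluation of the netperm-table telnet rules above.

Added example, not part of the article and not FWTK code.
"""

# Constructed sample: the rules from this page, in netperm-table syntax.
NETPERM_TABLE = """
# allow local login
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
# only 10.1.1.5 may telnet to the firewall itself
netacl-in.telnetd: permit-hosts 10.1.1.5 -exec /usr/sbin/in.telnetd
# everyone else only sees the refusal text
netacl-in.telnetd: permit-hosts * -exec /bin/cat /home/guest/notelnet.txt
tn-gw: authserver 127.0.0.1 7777
tn-gw: timeout 300
# internal hosts may go anywhere without authenticating
tn-gw: permit-hosts 10.1.1.* -dest * -passok
# external hosts may reach the internal net only after authenticating
tn-gw: permit-hosts 192.9.200.* -dest 10.1.1.* -auth
"""


def parse_rules(text):
    """Return (application, keyword, arguments) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        app, rest = line.split(":", 1)
        words = rest.split()
        if words:
            rules.append((app.strip(), words[0], words[1:]))
    return rules


def host_match(pattern, addr):
    """Dotted-quad match where '*' stands for one octet or the whole address."""
    if pattern == "*":
        return True
    p, a = pattern.split("."), addr.split(".")
    return len(p) == len(a) and all(x in ("*", y) for x, y in zip(p, a))


def evaluate(rules, app, client, dest=None):
    """Decide what `app` does for `client` (and `dest`, for the proxy)."""
    for rule_app, keyword, args in rules:
        if rule_app != app or keyword != "permit-hosts" or not args:
            continue
        if not host_match(args[0], client):
            continue  # keep looking: a later, broader rule may still match
        verdict = {"action": "permit", "auth": False, "exec": None}
        opts = args[1:]
        i = 0
        while i < len(opts):
            if opts[i] == "-dest":
                i += 1
                if dest is None or not host_match(opts[i], dest):
                    return {"action": "deny-dest", "auth": False, "exec": None}
            elif opts[i] == "-auth":
                verdict["auth"] = True
            elif opts[i] == "-passok":
                verdict["auth"] = False
            elif opts[i] == "-exec":
                verdict["exec"] = " ".join(opts[i + 1:])
                break
            i += 1
        return verdict
    return {"action": "deny", "auth": False, "exec": None}


RULES = parse_rules(NETPERM_TABLE)


def telnet_to_firewall(client):
    """What the netacl wrapper runs for a client reaching the high port."""
    return evaluate(RULES, "netacl-in.telnetd", client)["exec"]


def telnet_through_firewall(client, dest):
    """Proxy decision for client -> dest: 'permit', 'permit+auth', 'deny-dest' or 'deny'."""
    v = evaluate(RULES, "tn-gw", client, dest)
    return v["action"] + ("+auth" if v["auth"] else "")


if __name__ == "__main__":
    for c in ("10.1.1.5", "10.1.1.7", "192.9.200.1"):
        print(f"netacl  {c:14s} -> {telnet_to_firewall(c)}")
    for c, d in (("10.1.1.20", "192.9.200.1"), ("192.9.200.9", "10.1.1.3"),
                 ("192.9.200.9", "192.9.200.1"), ("172.16.0.1", "10.1.1.3")):
        print(f"tn-gw   {c:14s} -> {d:14s}: {telnet_through_firewall(c, d)}")
```

Running it reproduces the design objectives: 10.1.1.5 reaches in.telnetd while every other address only gets the notelnet.txt text, internal hosts pass without authentication, external hosts reach 10.1.1.* only with authentication and are refused any other destination, and an address from neither network is denied outright. Swapping the order of the two netacl permit-hosts lines makes the `*` rule win for 10.1.1.5 as well, which is the mistake this kind of check is meant to catch.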

4. Configure the authentication server

Configure /etc/services to add a port number for authsrv:

authsrv 7777/tcp

Configure /etc/inetd.conf so that inetd starts authsrv:

authsrv stream tcp nowait root /usr/local/etc/authsrv authsrv

Run killall -HUP inetd to make the changes take effect.

5. Configure netperm-table:

# allow the firewall host to use the authentication server
authsrv: hosts 127.0.0.1
# path of the user database
authsrv: database /usr/local/etc/fw-authdb
# working directory
authsrv: directory /home/guest
# working group name
authsrv: groupid guest
# working user name
authsrv: userid guest
# time (seconds) during which further login attempts are refused
authsrv: badsleep 1200
# timeout setting (idle time in seconds; supply a value)
authsrv: timeout
# allow login-failure responses
authsrv: nobogus true

Following the same steps, the FTP proxy (ftp-gw), the mail proxy (smap), the HTTP proxy (http-gw) and the POP3 proxy (plug-gw) can also be configured efficiently.
