Configuring Linux firewalls with FWTK

Source: Internet
Author: User

FWTK (the TIS Firewall Toolkit) is a set of tools for building and maintaining network firewalls. It consists of a number of standalone components, most of them application proxies: Telnet, FTP, rlogin, sendmail, HTTP, X Window and so on. Compared with squid, socks and similar software, its outstanding advantage is that access rules can be written not only in terms of the source and destination host name or IP address, but also in terms of the command being issued, which can be allowed or denied individually; this is exactly the strength of an application-layer gateway. This article takes telnet as its example and describes how to use FWTK to configure a proxy-server firewall on Linux.

System environment and design objectives

System environment: Red Hat Linux 6.1, FWTK v2.1, two network cards (one on the external network, one on the internal network); the external network is 192.9.200.*, the internal subnet is 10.1.1.*.

Design objectives:

Internal users can telnet to any external host;

External users may telnet to internal hosts only after authenticating on the firewall;

Only 10.1.1.5 may telnet to the firewall host itself (for remote administration);

All users passing through the firewall proxy get ordinary (non-root) user privileges only;

The idle timeout is 300 seconds;

The prompts and messages the firewall shows can be edited by the administrator.

Install FWTK

1. Create a new directory /home/fwtk, copy fwtk.tar.Z into it and unpack it: tar xzvf fwtk.tar.Z.

2. Prepare to compile:

Replace Makefile.config with Makefile.config.linux;

Remove the # in front of the AUXLIB=-lcrypt line in Makefile.config;

Append -I/usr/include/db1 to the CFLAGS=-I...$(COPT) line in auth/Makefile (Red Hat 6.1 keeps the Berkeley DB 1.x headers there).

3. Compile: make.

4. Install: make install. By default all executables are installed into /usr/local/etc.

Make a configuration file

1. Configure /etc/services. Add a port number for the telnet proxy (tn-gw):

tn-gw 3333/tcp

2. Configure /etc/inetd.conf. Move the ordinary telnet daemon to port 3333 and put the telnet proxy on port 23, so that the real telnet service is hidden behind a high-numbered port. netacl is the TCP wrapper that ships with FWTK; its function is similar to tcpd:

telnet stream tcp nowait root /usr/local/etc/tn-gw tn-gw

tn-gw stream tcp nowait root /usr/local/etc/netacl in.telnetd

Run killall -HUP inetd to make the changes take effect.

3. Configure /usr/local/etc/netperm-table (the .txt message files it refers to are written by yourself; just make sure the paths match your directory layout):

Section controlling login to the firewall host itself (ordinary telnet):

# allow local login

netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
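The following is an added example, not part of the original article: it writes the three files edited in steps 1 to 3 (services, inetd.conf and netperm-table) into a scratch directory and adds two sanity checks an administrator would run before sending inetd a HUP: which program inetd will actually start on port 23 and on port 3333, and which hosts the netperm-table lets through to the real telnetd. The netperm-table is the editor's own completion of the rules for the six design objectives above, written from the FWTK 2.1 netperm-table syntax; the message-file paths, the unprivileged account name, and the authsrv address and port are assumptions, not the article's configuration.

```shell
# Added example (editor's code, not from the article). $WORK stands in for /
# so nothing touches the real /etc; the real files are /etc/services,
# /etc/inetd.conf and /usr/local/etc/netperm-table.
WORK=${WORK:-$(mktemp -d)}

write_fwtk_config() {
    dir=$1
    cat > "$dir/services" <<'EOF'
telnet   23/tcp
tn-gw    3333/tcp
EOF
    cat > "$dir/inetd.conf" <<'EOF'
# port 23 (telnet) runs the FWTK proxy; port 3333 (tn-gw) runs the real
# telnetd behind netacl, so only hosts listed under netacl-in.telnetd
# ever reach the firewall host itself
telnet  stream  tcp  nowait  root  /usr/local/etc/tn-gw   tn-gw
tn-gw   stream  tcp  nowait  root  /usr/local/etc/netacl  in.telnetd
EOF
    cat > "$dir/netperm-table" <<'EOF'
# Login to the firewall host itself: the console and the admin workstation only
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: permit-hosts 10.1.1.5  -exec /usr/sbin/in.telnetd

# Telnet proxy. Message files are plain text you write yourself (assumed paths).
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg    /usr/local/etc/tn-help.txt
tn-gw: denial-msg  /usr/local/etc/tn-deny.txt
tn-gw: prompt      "fw-telnet> "
tn-gw: timeout     300
# drop to an unprivileged account once the proxy has started (assumed name)
tn-gw: userid      nobody
# rules are matched first-match-wins: internal hosts may telnet out freely,
# everyone else must authenticate against authsrv (assumed address and port)
tn-gw: permit-hosts 10.1.1.*
tn-gw: permit-hosts * -auth
tn-gw: authserver 127.0.0.1 7777
EOF
}

# Print "port program" for every tcp entry in inetd.conf, resolving the
# service name through the services file. A name with no tcp entry in
# services is reported as UNRESOLVED, which is how a typo in step 1 shows up.
listener_map() {
    awk '
        FNR == NR {
            if ($0 !~ /^[ \t]*#/ && NF >= 2) {
                split($2, a, "/")
                if (a[2] == "tcp") port[$1] = a[1]
            }
            next
        }
        /^[ \t]*#/ || NF < 6 { next }
        $3 == "tcp" {
            printf "%s %s\n", (($1 in port) ? port[$1] : "UNRESOLVED"), $6
        }
    ' "$1/services" "$1/inetd.conf"
}

# Program inetd would start on a given tcp port (empty if nothing listens).
program_on_port() {
    listener_map "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# Host patterns a netperm-table rule permits, in file order, one per line.
permitted_hosts() {
    awk -v rule="$2:" '$1 == rule && $2 == "permit-hosts" { print $3 }' "$1/netperm-table"
}

# Value of a single-valued attribute, e.g.: netperm_attr "$WORK" tn-gw timeout
netperm_attr() {
    awk -v rule="$2:" -v attr="$3" '$1 == rule && $2 == attr { print $3 }' "$1/netperm-table"
}

write_fwtk_config "$WORK"
listener_map "$WORK"
permitted_hosts "$WORK" netacl-in.telnetd
```

Running the block prints the effective listener map (23 to the proxy, 3333 to netacl) and the two hosts allowed through to the real telnetd; if the tn-gw line in services were misspelled, the inetd.conf entry would show as UNRESOLVED before inetd was ever restarted. Because FWTK evaluates permit-hosts rules first-match-wins, the 10.1.1.* rule must precede the catch-all -auth rule or internal users would be prompted to authenticate as well.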


