Customized linux transparent Firewall

Author: pharmacist

Generally, the two network interfaces of the firewall should belong to two different networks. According to the access rules defined by the system administrator, the two interfaces should forward data packets or reject or discard data packets. In fact, the firewall is not only an access control function, but also acts as a router. Of course, this is not anything inappropriate, but when you try to put the configured linux firewall into the running network to protect the security of the existing system, you have to rethink and change your network architecture. Another possible problem is that, in the event of a firewall accident, if there is no firewall hardware backup, you will be facing a huge psychological pressure, because of the firewall failure, the entire network is paralyzed. If you set the firewall to a transparent mode (which can be called a pseudo-Bridge), you do not need to change the network architecture. Even if the firewall cannot work, you only need to remove the network cable, directly inserting the network cable into the internal interface of the router can make the network work normally, and then you have time to slowly recover the faulty firewall.

 

Now that transparent firewall is so convenient, let's configure it as soon as possible! Prepare a PC, two NICs (3com Nic recommended), several network cables, and one redhat linux 9 installation disk. Open the chassis, insert the two NICs into the computer's pci slots, and connect the computer to the gateway and switch respectively with the network cable (as shown in the previous figure "normal"); cover the computer, power in and boot. Install the Linux 9 installation CD in the optical drive and boot the computer to install the Linux system. Choose custom installation, do not be conservative, spend more time to experience the installation fun of the interface, cancel the firewall (no firewall), and choose to log on to the system in text mode when the installation is completed.

Transparent firewall function Configuration:
1. Set the network address. Modify the file/etc/sysconfig/network-scripts/ifcfg-eth0 and/etc/sysconfig/network-scripts/ifcfg-eth1 so that it has the same IP address, the same subnet mask.
Use vi to edit the following file, save the file, and run the Command service network restart to make the modification take effect.
DEVICE = eth0
BOOTPROTO = none
BROADCAST = 192.168.1.255
IPADDR = 192.168.1.254
NETMASK = 255.255.255.0
NETWORK = 192.168.1.0
ONBOOT = yes
USERCTL = no
PEERDNS = no
TYPE = Ethernet DEVICE = eth1
BOOTPROTO = none
BROADCAST = 192.168.1.255
IPADDR = 192.168.1.254
NETMASK = 255.255.255.0
NETWORK = 192.168.1.0
ONBOOT = yes
USERCTL = no
PEERDNS = no
TYPE = Ethernet
Note the following two points: the first is to distinguish between eth0 and eth1. this problem is critical. If it is mixed up, the firewall cannot connect to the network. As for how to distinguish eth0 from eth1, I will briefly describe it at the end of the article. Assume that the ENI connected to the vro is eth0.
2. Set the default route. In the file/etc/sysconfig/network-scripts/ifcfg-eth0 add a line gateway = 192.168.1.1 save and run the Command service network restart, the modification takes effect. Find a public IP address that opens the ICMP protocol, and run the command ping 202.108.36.196 (host www.163.com) to check the connectivity with the Internet. If the connection is normal, the Linux firewall host and the Internet are correctly configured. Run ping 192.168.1.18 to check the connectivity between the firewall host and the Intranet host. If the connection is normal, perform the next step.
3. Enable network forwarding and proxy_arp. This is the core part of the transparent firewall. I will write them into the file/etc/rc. d/rc. local. Use vi/etc/rc. d/rc. local to insert the following content. In this step, I once

# Ip forward
/Sbin/sysctl-w net. ipv4.conf. all. forwarding = 1

# Enable proxy-arp
/Sbin/sysctl-w net. ipv4.conf. eth0.proxy _ arp = 1
/Sbin/sysctl-w net. ipv4.conf. eth1.proxy _ arp = 1

It took a lot of time, because the parameter "-w" was not included in the reference book, and then run sysctl net separately. ipv4.conf. only after eth0.proxy _ arp = 1 can we find that red hat Linux 9 cannot run without the "-w" parameter.
4. Specify the route. Because the two NICs (eth0, eth1) use the same ip address, if the forwarding path is not specified, the routing will be chaotic, so that computers within the firewall cannot access the Internet. Use the command vi to modify the file/etc/rc. d/rc. local and insert the following lines. Save the file and restart the computer/
# Define route
/Sbin/ip route del 192.168.1.0/24 dev eth0
/Sbin/ip route add 192.168.1.1 dev eth0
/Sbin/ip route add 192.168.1.0/24 dev eth1
Linux firewall can access the Internet from the host 192.168.1.18 without any exceptions. Of course, any machine on the Intranet can access the Internet. Here, Define route is described as follows: /sbin/ip route del 192.168.1.0/24 dev eth0 indicates that all data packets destined for 192.168.1.0/24 in the subnet are not forwarded from eth0 but from eth1, that is, the command/sbin/ip route add 192.168.1.0/24 dev eth1;/sbin/ip route add 192.168.1.1 dev eth0 indicates that all packets destined for 192.168.1.1 are forwarded by eth0, in fact, this can be understood as the Division of data forwarding between two NICs-eth0 is responsible for the packets to 192.168.1.1, and eth1 is responsible for the remaining packets. Congratulations! More than half of the firewall has been successfully configured. If the selected firewall rule is of medium level during Linux installation, the firewall has been configured successfully. I believe everyone is the same as me, and I am willing to stop.

Customize firewall policies
All are 2.4.20 kernel versions. Of course, netfilter/iptables is used. Because the "no firewall" option is selected during Linux installation, no iptables file exists in/etc/sysconfig. Let's customize firewall access policies as we like.

Create the script file myfirewall. sh in the/etc/rc. d directory, run the command touch/etc/rc. d/myfirewall. sh, and run chmod 711 myfirewall for the file. Then, use vi to edit the file. I wrote this
Vi/etc/rc. d/myfirewall. sh
#! /Bin/bash
# Define string
IPT =/sbin/iptables

# Refresh rules
$ Ipt-f FORWARD
$ Ipt-f INPUT
$ Ipt-f OUTPUT

# Default policy
$ Ipp-input DROP
$ Ipt-p FORWARD DROP
$ Ipt-p OUTPUT ACCEPT

# Enable loopback
$ Ipt-a INPUT-I lo-p all-j ACCEPT

# Enable icmp
$ Ipt-a INPUT-p icmp-j ACCEPT

# Interface forward
$ Ipt-a FORWARD-s 192.168.1.0/24-j ACCEPT
$ Ipt-a FORWARD-d 192.168.1.0/24-j ACCEPT

# Enable ssh
$ Ipt-a INPUT-p tcp -- dport 22-j ACCEPT

# Add other access rule // you can Add or remove rules based on actual conditions.
$ Ipt-a INPUT-p tcp -- dport 20-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 21-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 80-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 53-j ACCEPT
$ Ip-a INPUT-p udp -- dport 53-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 23-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 110-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 25-j ACCEPT
$ Ipt-a INPUT-p tcp -- dport 443-j ACCEPT

The rules only allow a small number of access policies (ping, send and receive emails, browse Web pages, ssh, https, telnet, ftp, and other accesses are all discarded ). $ Ipt-a output accept is not set to DROP because most network services use the tcp protocol. As we all know, the tcp protocol is connection-oriented, if you set $ ipt-a output drop, two tcp connections are required. Besides, the firewall always allows external access, so this is to simplify the rules.

Save the modification and run the command in the current directory. /myfirewall. sh: the rule takes effect when the preceding script is not written incorrectly, but it is only in the memory. Use the Command service iptables save to automatically generate the file/etc/sysconfig/iptables, the preceding access policy is saved to the hard disk. When the system restarts, the system automatically obtains the custom access policy from the file/etc/sysconfig/iptables.

Here, a transparent linux firewall has been set up. Change the computer's BIOS settings so that it can start the system without a keyboard. Enable ftp so that you can copy files to the firewall host as needed. Remove the keyboard and display, and click the power switch.

Firewall Management
Sometimes we may need to change some firewall rules, or do some other management. Now that we are a system administrator, we may have to plug in the keyboard and connect the monitor to sit in front of the firewall, therefore, these management work is certainly carried out through the network. Ssh and webmin are my preferences. The protocol port of ssh is 22, and the default protocol port of webmin is 10000. Ssh is the default service for linux systems. You only need to install the client (securecrt in windows is a good choice. It is said that ssh connection speed is not as fast as vnc) all firewall management (the same as directly operating the firewall host); webmin is a web-based graphical interface management method, which is very convenient and intuitive, although it cannot fully manage the system like ssh, it can meet our work requirements. We recommend that you install the webmin server program in the firewall system. The combination of Ssh and webmin can help us quickly and deeply master Linux.

It is relatively simple to install the Ssh client, but webmin does not need to install the client. Here we introduce webmin Server Installation: Put the webmin-1.110. tar.gz download to another windows hard disk, and then copy it to the ftp directory of the firewall host using ftp (if you are a linux master, you do not need to do so, you only need to log on to the firewall using ssh, use the get/wgetcommand to obtain the file and open the file webmin-1.110.tar.gz tar-zxvf webmin-1.110.gz.tzr cd webmin-1.110 to install webmin. /setup. sh, press enter to create a webmin management account. After installation is complete, enter the firewall ip address and port number 10000 in the address bar of any running browser to manage the firewall (http: // 192.168.1.254: 10000 ). The firewall that manages linux networks in this way is intuitive and the options are very detailed. Even those who do not understand the iptable syntax can easily configure firewall access rules. Here is a tip. If you change an access rule, the network cannot be accessed externally. Don't panic. Just restart the system before the firewall. In case of any rule change and the rule has been written to the hard disk, delete the file/etc/sysconfig/iptables and run the script sh/etc/rc. d/myfirewall re-rewrite the file/etc/sysconfig/iptables service iptables sa