Overview
Among network firewall products, firewall software for the Linux operating system stands out. Like Linux itself, it is powerful and mostly open software: not only free to use but also published in source form, advantages that other firewall products cannot match. Choosing this kind of software gives a reliable, efficient solution with minimal hardware requirements. What users care about most, however, is how well the security system actually performs, and surveys and analyses of network security have reached a consistent conclusion: most security vulnerabilities and hidden dangers in a network are caused by improper configuration. This problem exists with the excellent software on the Linux platform as well. For the system to run safely and efficiently, whoever installs and manages it must understand the software's operating mechanism and analyze in depth whether the chosen firewall configuration strategy can be exploited. This article discusses only the IP packet filtering firewall software ipchains on the Linux platform.
Basic Firewall Models
Interconnection on the Internet is based on the TCP/IP protocol suite and relies entirely on the protocol stack from the network layer upward (the network-layer IP protocol, the transport-layer protocols TCP and UDP, and the application-layer protocols). Since a network firewall is a security mechanism set up while maintaining network connectivity, firewall technology realizes the security policy of the protected network by analyzing and controlling traffic according to the characteristics of these upper-layer protocols. There are three basic models for building a firewall: the application proxy gateway, the circuit-level gateway, and the network-layer firewall. The technologies involved are application proxying and packet filtering.
An application proxy gateway lets users on the internal network reach the Internet through the firewall without connecting to it directly: the gateway contacts the destination on the user's behalf according to the user's request. Because the application proxy gateway works at the application layer, it can control the application protocol and also keep logs at the application level. It is stricter than a network-layer firewall in security terms because it provides more detailed audit reports, tracking users, application processes, and the parameters of IP packets. However, an application-layer firewall has a considerable effect on network performance: because every user request requires the proxy process to provide the application service on the user's behalf, it is slower, less transparent, and harder to maintain than a network-layer firewall. Software implementing this firewall model on Linux includes squid.
A circuit-level gateway is similar to an application proxy gateway, but the proxy is usually independent of the application, which loses the ability to log and to define rules precisely. A circuit-level gateway is a device running a gateway application that supports only TCP/IP applications and uses TCP ports to relay communication between network resources and user applications. It also requires the client to use special software to serve the application's connections. Socks is the software that implements this firewall model on Linux.
The network-layer IP packet filtering firewall works at the level of individual IP packets. It controls the flow of packets based on information in each packet such as the source address, the destination address, and the packet type. A more thorough filter also checks information such as source and destination port numbers and connection state. This kind of firewall is relatively secure but lacks sufficient logging: it can stop the external network from reaching the protected internal network, but it cannot record who accessed an exposed system or who accessed the Internet from the internal network. IP packet filtering is supported in the Linux kernel, so no additional software is needed to build a packet filtering firewall; the ipchains package is a powerful packet filtering policy management tool on the Linux platform for setting up a reliable firewall system.
IPChains and IP Masquerading Principles
On Linux, the kernel's packet filtering support keeps three rule lists, called firewall chains: the input chain, the output chain, and the forward chain. When a packet arrives from the Internet at a Linux host configured as a firewall, the kernel first uses the input chain to decide whether to accept or discard it. If the packet is not discarded, the kernel then consults the forward chain to decide whether to send it on toward its destination, and before the packet finally leaves, the output chain makes the last decision.
Figure 1 IPChains Flowchart
A chain is a list of rules. Each rule states that if a packet's header matches the rule, the packet is to be handled in a particular way. If a rule does not match the packet, the next rule in the chain is consulted. Finally, if no rule in the chain applies, the kernel decides what to do according to the chain's built-in policy. On a security-conscious system, that policy normally tells the kernel to reject or discard the packet.
By configuring the IP filtering rules of the three chains appropriately, the firewall can be made to accept packets only from trusted IP network segments, or to open only specified TCP/UDP port numbers. These policies can be bound individually to a fixed interface device on the firewall host, such as an Ethernet card or a PPP connection. Besides the three built-in chains, user-defined chains of rules can be configured: while one of the three chains is being processed, execution can jump to a custom chain at any point and return to the main chain when that chain finishes, which makes the filtering rules quite flexible.
The firewall chains also use some special jump target values, shown in the following table:
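As an added worked example of the chain mechanics described above (a small Python model written for this article, not ipchains or kernel code), the following simulates first-match rule evaluation, a jump into a user-defined chain that hands control back to the calling chain when none of its rules match, the ACCEPT, DENY, REJECT, MASQ and RETURN targets, and the built-in policy that applies when a chain is exhausted. The ipchains commands in the comments are the real syntax each modelled rule stands for; the addresses 192.168.1.0/24, 203.0.113.1, 198.51.100.7 and 10.0.0.3, the interface names and the whole policy are constructed for the example.

```python
"""Toy model of ipchains chain traversal (added example, not ipchains or kernel code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    iface: str = "eth0"         # interface the packet arrived on
    syn: bool = False           # TCP connection request, what ipchains -y tests for

@dataclass
class Rule:
    """One ipchains rule; every field left unset is a wildcard."""
    target: str                   # ACCEPT, DENY, REJECT, MASQ, RETURN or a user chain
    src: Optional[str] = None     # -s network
    dst: Optional[str] = None     # -d network
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # destination port given after -d
    iface: Optional[str] = None   # -i
    syn_only: bool = False        # -y

    def matches(self, pkt: Packet) -> bool:
        def in_net(net: str, ip: str) -> bool:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return all((
            self.src is None or in_net(self.src, pkt.src),
            self.dst is None or in_net(self.dst, pkt.dst),
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
            self.iface is None or self.iface == pkt.iface,
            not self.syn_only or (pkt.proto == "tcp" and pkt.syn),
        ))

class Firewall:
    BUILTIN = ("input", "forward", "output")
    TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}    # verdicts that end the walk

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {c: [] for c in self.BUILTIN}
        self.policy: Dict[str, str] = {c: "ACCEPT" for c in self.BUILTIN}  # ipchains -P

    def walk(self, chain: str, pkt: Packet) -> Optional[str]:
        """First matching rule decides. None means the chain was exhausted or hit
        RETURN: a user chain hands control back, a built-in chain falls to its policy."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self.walk(rule.target, pkt)     # -j user_chain
            if verdict is not None:
                return verdict
        return None                                    # fell off the end

    def verdict(self, chain: str, pkt: Packet) -> str:
        return self.walk(chain, pkt) or self.policy[chain]

def traverse(fw: Firewall, pkt: Packet, destined_local: bool) -> List[Tuple[str, str]]:
    """Chains in the order of Figure 1 for an arriving packet: input, then for
    packets routed onward, forward and output; stops at the first refusal."""
    path = [("input", fw.verdict("input", pkt))]
    if destined_local or path[-1][1] not in ("ACCEPT", "MASQ"):
        return path
    path.append(("forward", fw.verdict("forward", pkt)))
    if path[-1][1] in ("ACCEPT", "MASQ"):
        path.append(("output", fw.verdict("output", pkt)))
    return path

def build_example_firewall() -> Firewall:
    """Constructed policy: trusted LAN 192.168.1.0/24 on eth1, one public web
    server at 203.0.113.1, all other inbound traffic refused."""
    fw = Firewall()
    fw.policy["input"] = "DENY"                        # ipchains -P input DENY
    fw.policy["forward"] = "DENY"                      # ipchains -P forward DENY
    fw.chains["lan"] = []                              # ipchains -N lan
    # ipchains -A lan -i eth1 -s 192.168.1.0/24 -j ACCEPT
    fw.chains["lan"].append(Rule("ACCEPT", src="192.168.1.0/24", iface="eth1"))
    # ipchains -A input -i eth1 -j lan       (unmatched traffic returns to input)
    fw.chains["input"].append(Rule("lan", iface="eth1"))
    # ipchains -A input -p tcp -d 203.0.113.1 80 -j ACCEPT
    fw.chains["input"].append(Rule("ACCEPT", proto="tcp", dst="203.0.113.1/32", dport=80))
    # ipchains -A input -p tcp -y -j REJECT  (no other connection requests from outside)
    fw.chains["input"].append(Rule("REJECT", proto="tcp", syn_only=True))
    # ipchains -A forward -s 192.168.1.0/24 -j MASQ
    fw.chains["forward"].append(Rule("MASQ", src="192.168.1.0/24"))
    return fw

if __name__ == "__main__":
    fw = build_example_firewall()
    spoofed = Packet("192.168.1.5", "203.0.113.1", "tcp", 22, iface="eth0", syn=True)
    print("LAN address arriving on the outside interface:", fw.verdict("input", spoofed))
    out = Packet("192.168.1.10", "198.51.100.7", "tcp", 80, iface="eth1", syn=True)
    print("LAN host reaching the Internet:", traverse(fw, out, destined_local=False))
```

Two cases are worth tracing by hand against the model. A packet carrying a LAN source address but arriving on eth0 never enters the `lan` chain, because the jump rule is bound to eth1, so it falls through to the REJECT rule; this is what binding rules to an interface buys. A packet from eth1 whose source is outside 192.168.1.0/24 enters `lan`, matches nothing there, returns to the input chain, and ends at the DENY policy unless a later input rule accepts it.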
IP masquerading (IP camouflage) in the firewall chains is a more secure solution than a plain packet filtering policy, and it also solves the problem of scarce IP addresses on the Internet. IP masquerading is the mechanism by which a computer disguises its IP address as a different address when it accesses the Internet. If the Linux host connected to the Internet has masquerading capability, the hosts connected to it, whether over the same LAN or over PPP, can reach the Internet even though they have no formal IP address of their own. This means that a whole series of hosts can be hidden behind a gateway system to visit the Internet, and their access is invisible to the outside world.
Because the hosts to be masqueraded have no formal IP address, they can use the private network addresses reserved by the IANA (Internet Assigned Numbers Authority), which are:
10.0.0.0 ~ 10.255.255.255 (1 class A address block)
172.16.0.0 ~ 172.31.255.255 (16 consecutive class B address blocks)
192.168.0.0 ~ 192.168.255.255 (255 consecutive class C address blocks)
After IP masquerading is configured in the firewall's forward chain, when a host on the internal network sends an IP packet to the Internet, the kernel replaces the packet's source IP address with the gateway's IP address, records the address that was masqueraded, and forwards the packet. When the answering IP packet comes back from the Internet to the gateway, the kernel reverses the masquerading and replaces the destination address with the internal address. Masquerading rules can be configured only in the forward chain, and with suitable parameters they can masquerade a network segment, a single host, an interface device, a particular protocol, or a particular port of a protocol. Because masquerading hides the details of the internal network from the outside, which does not even learn that the internal network exists, security is better.
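The rewrite-and-record mechanism just described, as an added Python model written for this article (not kernel code): outbound packets get the gateway's address and a port from a high port range, the mapping is recorded, and an inbound packet is translated back to an internal host only if it answers a recorded flow. The gateway address 203.0.113.1, the internal hosts, the remote server 198.51.100.7 and the 61000 to 65095 port range are all constructed for the example; the model also ignores TCP state tracking and mapping timeouts, which a real implementation needs.

```python
"""Toy model of the masquerading translation (added example, not kernel code)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Masquerader:
    def __init__(self, gateway_ip: str, first_port: int = 61000, last_port: int = 65095) -> None:
        self.gateway = gateway_ip              # address written into every outbound packet
        self.next_port = first_port            # constructed range of masquerade ports
        self.last_port = last_port
        # (proto, internal src, internal sport, remote dst, remote dport) -> masquerade port
        self.forward: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, masquerade port, remote host, remote port) -> (internal src, internal sport)
        self.reverse: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> Internet: rewrite the source to the gateway and record it."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.forward:
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            mport = self.next_port
            self.next_port += 1
            self.forward[key] = mport
            self.reverse[(pkt.proto, mport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.gateway, sport=self.forward[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> gateway: translate back only if it answers a recorded flow.
        Anything else has no internal destination at all, which is why the
        internal hosts stay invisible from outside."""
        entry = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)

def demo() -> dict:
    """Two internal hosts, each using local port 40000 to the same web server,
    must get distinct masquerade ports so that their replies can be told apart."""
    gw = Masquerader("203.0.113.1")            # constructed public address of the gateway
    a_out = gw.outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
    b_out = gw.outbound(Packet("192.168.1.11", 40000, "198.51.100.7", 80))
    reply_to_a = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", a_out.sport))
    reply_to_b = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b_out.sport))
    # an unsolicited packet to the gateway matches no recorded flow
    unsolicited = gw.inbound(Packet("198.51.100.7", 4444, "203.0.113.1", 22))
    return {"a_out": a_out, "b_out": b_out, "reply_to_a": reply_to_a,
            "reply_to_b": reply_to_b, "unsolicited": unsolicited}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

The reverse table is keyed on the remote host and port as well as the masquerade port, so a reply is only delivered inward when it comes from the peer the internal host actually talked to; keying on the masquerade port alone would let any outside host inject packets into a masqueraded flow.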