Notes on Trying Out a Free Linux Firewall

Source: Internet
Author: User

As a network administrator responsible for protecting your network, you can spend tens of thousands of yuan on equipment to control inbound and outbound traffic. You can also achieve the same purpose without spending any money. Does that sound impossible? Let's give it a try; how can you know if you don't try? The advantages of an always-on broadband Internet connection are obvious: it is fast, cheap, and convenient. The potential danger, however, is easy to overlook. Without proper protection, such an uninterrupted connection keeps your company's servers and data at risk. A router with a firewall can effectively eliminate these risks. You can spend a lot of money on a dedicated router, or save the money and make full use of the routing and firewall functions built into Linux. In many cases you can even use an existing Linux server as the router at the same time. However, if your site handles a lot of traffic, it is better to dedicate a separate PC to this task.

Letting Information In and Out

Sometimes you may want the router to restrict a specific PC on the intranet so that it cannot be reached from the Internet. More often, though, you will want the Linux router to block access from unexpected visitors. Usually a hub is used to connect the DSL or cable link to the Internet. In that case, anyone who can connect to the hub can use readily available software to eavesdrop on the data passing through your site, and may even gain direct access to your network resources.

To counter this, we could simply disable the services that are easy to eavesdrop on, such as Telnet and FTP. That clearly removes the threat of intrusion, but companies generally need to use these services. In other words, the company's business requires the router to be secure and, at the same time, to let information flow smoothly in and out. Therefore you should restrict access to these services selectively rather than disable them completely. Once you have written a suitable configuration script, the Linux router/firewall will do this for you.

Services, Ports, and Protocols

Generally, e-mail, Web, and other Linux servers must be reachable from external networks. For this type of communication, industry-standard ports are used to identify the services. For example, a Web server generally uses port 80, and SMTP (for e-mail) generally uses port 25. The services running on the server and the ports they use are listed in the /etc/services file.

(This is the content of the services file on one of my Linux machines.)

In addition, you need to know which protocol each service uses. There are many protocols carried over Ethernet, but the most common are TCP and UDP. (The protocols are listed in /etc/protocols.)

Commands Used

For a Linux router we use only the IP forwarding and firewall functions in the kernel, so no additional software is needed. You only need a few command scripts to set the rules that govern how the router responds to the packets it receives. These consist of a series of input, output, and forwarding rules.


Inbound packets are handled according to the input rules. For example, if a Web server is running, you will want to accept inbound packets on port 80. The output rules define whether the router is allowed to send data to the Internet; they are often used to refuse connections to certain sites (by IP address). Forwarding rules control how packets are relayed from one place to another. By defining a specific subnet in the network and setting rules so that only some subnets are forwarded, you can restrict Internet access.

Setup Process

On my Red Hat 7 Linux router I use ipchains to set the rules that govern firewall behavior (Red Hat 6 and earlier used ipfwadm). Other Linux distributions may use different names, but the functions are the same (FreeBSD, for example, uses ipfw). The syntax of the firewall commands varies slightly between versions (use the man command to check the differences), but if you are familiar with the configuration on one version, the others are similar. The best way to manage the firewall configuration is with a script that is called at system startup.

The script in my example makes the following assumptions:

1. My router has two NICs, eth0 and eth1.

2. eth0 connects to the LAN through the hub and is on the 192.168.1.0/24 network (the /24 is the subnet mask length).

3. eth1 connects to the cable or DSL modem and uses the IP address 207.1.1.1 assigned by the ISP.

By default, the Linux router accepts and sends all traffic, which is equivalent to the following series of commands:

ipchains -F

ipchains -P input ACCEPT

ipchains -P output ACCEPT

ipchains -P forward ACCEPT

In this example:

* The -F option flushes (removes) all existing rules so that the configuration can start afresh.

* The -P option sets the default policy of a chain, which applies until a specific rule matches. If you use only these default policies, the router is wide open to attack.

From Off to On

We could open all services first and then close the ones we do not want others to reach. That sounds fine, but in practice we usually do the opposite: first block all communication with the router, then open specific services and ports. So we use the following sequence of commands:

ipchains -F

ipchains -P input DENY

ipchains -P output REJECT

ipchains -P forward DENY

These commands are described as follows:

* -P input DENY drops received packets without sending any response.

* -P output REJECT refuses to pass the packet, but returns an ICMP unreachable message to the sender.


Next, we add rules to allow traffic on the intranet:

ipchains -A input -i lo -j ACCEPT

ipchains -A output -i lo -j ACCEPT

ipchains -A input -i eth0 -s 192.168.1.0/24 -j ACCEPT

ipchains -A output -i eth0 -d 192.168.1.0/24 -j ACCEPT

The first two lines tell the router to accept all inbound and outbound traffic on the loopback interface. Lines 3 and 4 create the inbound and outbound rules for the intranet NIC, eth0.

Here:

* -i specifies the interface the rule applies to (lo in the first two lines, eth0 in the last two).

* -A tells the router to append a rule to a chain.

* -j specifies what the router does with matching packets (the target).

* -s specifies the source address (for input).

* -d specifies the destination address (for output).

The third line creates an input rule on the intranet interface (eth0) that lets the router accept packets from any source address in 192.168.1.0/24. The fourth line lets all packets destined for that network pass.

Forwarding

Next, we add rules to control the forwarding of outbound data:

ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ

ipchains -A forward -i eth0 -s 192.168.1.0/24 -j ACCEPT

ipchains -A forward -i eth0 -d 192.168.1.0/24 -j ACCEPT

These three forwarding rules are simple. The first line tells the router to let all data with a source address in 192.168.1.0/24 out to the Internet. The -j MASQ target tells the router to use IP masquerading, so that multiple intranet hosts can share the same public IP address when accessing the Internet. The rules in the next two lines allow the router to forward all packets originating from or destined for the intranet 192.168.1.0/24.

At this point the most basic configuration is done. Sometimes, however, we need to restrict Internet access for some users on the intranet. One way is to put those users on a different subnet: their IP addresses then do not match the rules, so packets originating from those hosts are not forwarded to the Internet. We can still allow those users other services (such as e-mail).

Enabling Information Access

So far our router does not actually work, because we locked it down with the DENY and REJECT policies and it lets nothing through. Now we need to add script commands that open the various Internet services. For example, to let users access Web sites, we add the following commands:

ipchains -A output -i eth1 -p tcp -s 207.1.1.1 1024:65535 --destination-port 80 -j ACCEPT

ipchains -A input -i eth1 -p tcp ! -y --source-port 80 -d 207.1.1.1 1024:65535 -j ACCEPT


These two lines allow the router to send packets to a remote server to request a connection (first line) and to accept the inbound reply packets (second line). Because the outbound interface uses IP masquerading, all external connections appear to come from 207.1.1.1 (the address is only an example). Similarly, if we want users to reach an external POP3 mail server, we only need to change port 80 in the two commands to 110 (the POP3 port). Whatever service you want to add, you only need to add the corresponding lines.

Allowing Inbound Access

If we do not want the outside world to reach services on our router, we have already achieved that, because our default policies reject all incoming requests. Sometimes, however, we need to run a Web server that external users can reach. In that case, we add the following commands:

ipchains -A input -i eth1 -p tcp --source-port 1024:65535 -d 207.1.1.1 80 -j ACCEPT

ipchains -A output -i eth1 -p tcp ! -y -s 207.1.1.1 80 --destination-port 1024:65535 -j ACCEPT

The first line tells the router to accept (-j ACCEPT) all packets from the external network whose destination is port 80 on our router. The next line allows the router to send the reply packets. Configuring other services is very similar: for example, to run SMTP or POP3 servers internally, change port 80 in the commands above to 25 or 110 respectively.
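The sections from "From Off to On" through "Allowing Inbound Access" build one rule set, and the interesting question is what that rule set actually lets through. The following model of ipchains evaluation is an added example, not code from the article or from the ipchains project: each chain has a default policy (-P) and an ordered list of rules (-A), the first matching rule decides, and the -y test matches packets that are SYN-only (a new connection attempt), so "! -y" accepts only packets that belong to a connection already opened from our side. Interface names, addresses and ports follow the article (eth0 LAN, eth1 Internet, 207.1.1.1 as the router's ISP address); the remote address 198.51.100.7 and the packets are constructed test data. For the forward chain, -i is matched against the outgoing interface, as in the article's MASQ rule.

```python
# Added example: an offline model of how ipchains evaluates the article's rules.
# Addresses, interfaces and ports follow the article; packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str                # interface matched by -i (outgoing for forward)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False    # SYN set, ACK clear: what ipchains -y tests


@dataclass
class Rule:
    target: str                                  # ACCEPT, DENY, REJECT, MASQ
    iface: Optional[str] = None                  # -i
    src: Optional[str] = None                    # -s (host or network)
    dst: Optional[str] = None                    # -d
    proto: Optional[str] = None                  # -p
    sport: Optional[Tuple[int, int]] = None      # --source-port low:high
    dport: Optional[Tuple[int, int]] = None      # --destination-port low:high
    syn: Optional[bool] = None                   # True = -y, False = ! -y

    def matches(self, p: Packet) -> bool:
        if self.iface and p.iface != self.iface:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and p.syn_only != self.syn:
            return False
        return True


class Chain:
    """One ipchains chain: first matching rule wins, otherwise the -P policy."""

    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:          # ipchains -A <chain> ...
        self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


HIGH = (1024, 65535)
LAN, WAN_IP = "192.168.1.0/24", "207.1.1.1"


def build_article_ruleset() -> dict:
    """The article's script: default deny/reject, then selective ACCEPTs."""
    c = {"input": Chain("DENY"), "output": Chain("REJECT"), "forward": Chain("DENY")}
    # loopback and intranet traffic
    c["input"].add(Rule("ACCEPT", iface="lo"))
    c["output"].add(Rule("ACCEPT", iface="lo"))
    c["input"].add(Rule("ACCEPT", iface="eth0", src=LAN))
    c["output"].add(Rule("ACCEPT", iface="eth0", dst=LAN))
    # forwarding, masqueraded towards the Internet
    c["forward"].add(Rule("MASQ", iface="eth1", src=LAN))
    c["forward"].add(Rule("ACCEPT", iface="eth0", src=LAN))
    c["forward"].add(Rule("ACCEPT", iface="eth0", dst=LAN))
    # intranet users reaching external Web servers (client side, "! -y" on replies)
    c["output"].add(Rule("ACCEPT", iface="eth1", proto="tcp", src=WAN_IP, sport=HIGH, dport=(80, 80)))
    c["input"].add(Rule("ACCEPT", iface="eth1", proto="tcp", syn=False, sport=(80, 80), dst=WAN_IP, dport=HIGH))
    # our own Web server reachable from the Internet (server side)
    c["input"].add(Rule("ACCEPT", iface="eth1", proto="tcp", sport=HIGH, dst=WAN_IP, dport=(80, 80)))
    c["output"].add(Rule("ACCEPT", iface="eth1", proto="tcp", syn=False, src=WAN_IP, sport=(80, 80), dport=HIGH))
    return c


def check(chains: dict, chain: str, p: Packet) -> str:
    return chains[chain].verdict(p)


if __name__ == "__main__":
    fw = build_article_ruleset()
    remote = "198.51.100.7"   # constructed remote host
    print("SYN to our port 22 :", check(fw, "input", Packet("eth1", remote, WAN_IP, "tcp", 40000, 22, True)))
    print("SYN to our port 80 :", check(fw, "input", Packet("eth1", remote, WAN_IP, "tcp", 40000, 80, True)))
    print("reply from port 80 :", check(fw, "input", Packet("eth1", remote, WAN_IP, "tcp", 80, 40000, False)))
    print("SYN from port 80   :", check(fw, "input", Packet("eth1", remote, WAN_IP, "tcp", 80, 40000, True)))
```

The last two probes show why the "! -y" matters: a genuine reply from a remote Web server is accepted, while a connection attempt that merely uses 80 as its source port hits the policy and is denied. Removing the "! -y" from the client-side input rule would let such a packet through to any high port on the router.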

Checking and Activating the Service

At any time you can enter the command "ipchains -L" to check your rule set.

By changing some system files you can have these scripts activated automatically every time the router starts. There are many ways to do this. For example, if your ISP gives you a dynamic IP address and your system uses "/sbin/pump" at startup
