Old Pentium-class machines are not junk; they can still do useful work. A small box with 32 MB of memory and a 200-400 MB hard disk is perfectly adequate as the firewall for a small office network. A minimal Linux installation contains only the essential system components, with no graphical user interface and no user applications. Once such a minimal system is installed, turning the old machine into a firewall is straightforward.
All you need beyond that is the open-source ipchains package, written by Paul "Rusty" Russell. It provides the core feature of many commercial firewall products: user-defined control over which network traffic may flow through the machine and which hosts may reach what.
The earlier ipfwadm (IP Firewall Administration) tool works with Linux 2.0.x and older kernels. ipchains replaced ipfwadm and works with all 2.1.x and 2.2.x kernels. As the kernel continues to evolve, ipchains will in turn be replaced by netfilter (or a later successor) in the 2.3.x development series. The reason for these frequent changes is that packet filtering is implemented in the kernel itself, so the firewall tooling has to track kernel changes. This article discusses what ipchains is, what it can do, and how it can be used in different scenarios.
Ipchains and Firewalls
ipchains is essentially a packet filter. It examines the IP packets that arrive at a network interface, accepts, drops or modifies them according to predefined rules, and forwards the surviving packets out through another interface.
Each IP packet consists of a header, which carries the packet's source and destination addresses and the control information that says how it should be handled (see the figure), followed by a payload that carries the data being transferred. The payload usually contains a higher-level packet: a TCP segment, for example, is always carried in the payload of an IP packet and has its own header and payload. As we will see, ipchains can inspect fields in the IP header and in the TCP, UDP (not shown) and ICMP headers inside it, and when masquerading it rewrites some of them.
The name ipchains comes from the way it works. Filtering is expressed as a sequence of rules that a packet is checked against in order; the rules are linked together into a "chain", and a complete packet-handling policy is built from such chains. A chain's rules can match on a particular IP address or network address. The system contains several such chains, and each IP packet passes through one or more of them (see the figure).
A machine running ipchains can have several network interfaces, each connected to a different network. Any useful firewall has at least two separate interfaces, one connected to the internal network and one to the external network. A packet enters on one interface, passes through the filter chains, and leaves on the other.
In the simplest case ipchains applies one of three policies to a packet: ACCEPT, DENY or REJECT. ACCEPT lets the packet through, for example all packets from a given IP address or network. DENY silently discards packets from a particular source. REJECT also discards the packet, but additionally sends an ICMP error back to the source so that it learns the connection attempt was refused.
There are three built-in chains: the input chain, the forward chain and the output chain. The input and output chains apply policy to packets arriving on and leaving through an interface, respectively. A packet that has passed the input chain and is addressed to another machine goes through the forward chain before being transmitted. That "other" machine is usually a router. ipchains itself does not try to be a complete routing engine; it hands the packet to the kernel's own routing code on the local machine, which in turn passes it on to a hardware router on another node if necessary. The complete processing flow is: a packet enters on an interface and is checked against the input chain; the kernel then makes a routing decision; a packet for this host is delivered locally, while a packet for another host is checked against the forward chain and finally the output chain before leaving on the outgoing interface. Packets generated by the firewall itself pass through the output chain only.
A firewall is the general name for a device that can inspect incoming traffic and control which traffic goes out. In doing so it may alter inbound or outbound traffic, for example to hide details of the machines behind it or to block intrusion attempts.
A firewall built on ipchains is normally deployed in one of two roles: as a proxy server, in the loose sense of an intermediary (ipchains filters packets and does not itself implement application-level proxies; that is separate software), or as a network address translator. In the first role it receives traffic from the machines on the protected network, filters it according to the user-defined rules and passes it on to the external network, and it does the same in the reverse direction. In short, it controls which internal machines may reach the outside world and which outside hosts may reach the inside.
If you do not have enough public addresses, or do not want to use public IP addresses on the internal network, you can use network address translation (NAT), which in the Linux 2.2 kernel is called IP masquerading. It rewrites the private internal source address of outgoing packets to a valid public address, mapping many internal addresses onto a single external address. Because the internal addresses never appear on the outside, an external host cannot open a connection directly to an internal machine, which in itself protects the internal machines.
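As an added example (not code from the original article), here is a complete ipchains rule set for the two-interface office firewall described above: default DENY policies on the built-in chains, silent DENY for spoofed packets, REJECT for inbound connection attempts, and masquerading of the LAN in the forward chain. The interface names eth0 (outside) and eth1 (LAN), the LAN prefix 192.168.1.0/24 and the script name firewall.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal ipchains rule set
# for a two-interface office firewall that masquerades a private LAN behind
# one public address. The interface names and the LAN prefix are assumptions;
# adjust them for your machine. Run as "sh firewall.sh apply" on the firewall,
# or with IPCHAINS=echo to preview the commands without touching the kernel.

EXT_IF="${EXT_IF:-eth0}"                 # interface facing the outside world (assumed)
INT_IF="${INT_IF:-eth1}"                 # interface facing the office LAN (assumed)
LAN="${LAN:-192.168.1.0/24}"             # private LAN address block (assumed)
IPCHAINS="${IPCHAINS:-ipchains}"         # IPCHAINS=echo prints instead of applying
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

rule() { "$IPCHAINS" "$@"; }

apply_rules() {
    # Start from a clean slate: flush every chain, then deny by default so
    # that anything not explicitly allowed below is dropped.
    rule -F
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT            # the firewall host itself may send freely

    # Loopback traffic never leaves the machine.
    rule -A input -i lo -j ACCEPT

    # Anti-spoofing: a packet claiming a LAN source address cannot legitimately
    # arrive on the external interface. DENY drops it silently; -l logs it.
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY -l

    # Everything from the LAN on the internal interface is trusted.
    rule -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # From outside, admit only traffic that belongs to connections opened from
    # inside. -y matches TCP packets that open a connection (SYN set, ACK and
    # FIN clear); "! -y" therefore matches established-connection traffic.
    # New inbound connection attempts are REJECTed (dropped plus an ICMP error
    # back to the sender) and logged.
    rule -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -y -j REJECT -l
    # UDP replies (DNS, NTP) and ICMP control messages are allowed back in.
    # This is permissive; restrict UDP to the ports the LAN actually needs.
    rule -A input -i "$EXT_IF" -p udp -j ACCEPT
    rule -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Forward chain: rewrite LAN traffic leaving on the external interface so it
    # carries the firewall's public address (on the forward chain -i names the
    # outgoing interface). The kernel de-masquerades the replies automatically.
    rule -A forward -s "$LAN" -i "$EXT_IF" -j MASQ

    # Without this flag the kernel will not route between the two interfaces.
    if [ -w "$IP_FORWARD" ]; then
        echo 1 > "$IP_FORWARD"
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Running `IPCHAINS=echo sh firewall.sh apply` prints the rule commands in order without changing the kernel, which is the safest way to review a rule set before loading it on a box you reach only over the network: a mistake in the input chain can lock you out.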
Installing the firewall
Configuring a Linux machine as a firewall is not a matter of a few commands. You should do a fresh installation of a stable kernel release rather than the newest and most feature-rich one (2.2.12, for example), instead of converting an existing Linux machine. During installation, install only the most basic system components. In general, do not install network servers, NFS, compilers or similar packages, and do not even run a Telnet server. If you must log in over the network, install the SSH Secure Shell (ssh) for remote logins. In short, remember that a firewall should do nothing other than process packets and enforce network security.
Your Linux distribution may already include ipchains. If you are paranoid, use that version only after confirming that your distribution vendor has certified it.
The first thing to do is to check whether a firewall is already installed on the machine. Look in /etc/rc.d/init.d for a start/stop script with a name such as packetfilter, ipchains, ipfwadm, firewall or proxy. If such a file exists and there is a symbolic link to it from /etc/rc.d/rc2.d or /etc/rc.d/rc3.d, the machine probably has a firewall installed, and it may even be running, though without any specific firewall policy. To find out whether the kernel is forwarding packets between interfaces, run:
# cat /proc/sys/net/ipv4/ip_forward
This file is the kernel's IP forwarding switch, which a two-interface firewall needs turned on. If the file does not exist, the kernel does not expose the IPv4 sysctls through /proc and was not built for this purpose. A value of 0 means the kernel is not forwarding packets between interfaces; a value of 1 means it is. The flag says nothing about whether any filter rules are loaded: use ipchains -L -n to list the rules currently in the input, forward and output chains.
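The check just described, written out as a script (added here; not from the original article). It reports the start scripts and the forwarding flag as two separate results, because either can be present without the other. The optional root prefix (default: the live system) and the script name fwcheck.sh are assumptions, made so the same checks can be run against a mounted or copied filesystem tree.

```shell
#!/bin/sh
# Added example (not from the original article): check a Linux box for an
# existing firewall init script and for the kernel's IP forwarding flag.
# ROOT is an assumed prefix (default: the live system) so the same checks can
# be run against a mounted or copied filesystem tree.
# Usage: sh fwcheck.sh check [ROOT]

# Print the firewall-like scripts in ROOT/etc/rc.d/init.d, each marked with
# whether runlevel 2 or 3 starts it. Returns 0 if any was found, 1 otherwise.
find_firewall_scripts() {
    root="${1:-}"
    found=1
    for script in "$root"/etc/rc.d/init.d/*; do
        [ -e "$script" ] || continue          # unmatched glob: directory is empty
        base=$(basename "$script")
        case "$base" in
            *packetfilter*|*ipchains*|*ipfwadm*|*firewall*|*proxy*) ;;
            *) continue ;;
        esac
        found=0
        started=1
        # SysV init starts a script in a runlevel if rcN.d holds an S* link to it.
        for link in "$root"/etc/rc.d/rc2.d/S*"$base" "$root"/etc/rc.d/rc3.d/S*"$base"; do
            if [ -e "$link" ] || [ -L "$link" ]; then started=0; fi
        done
        if [ "$started" -eq 0 ]; then
            echo "$base (started at boot)"
        else
            echo "$base (installed, not started at boot)"
        fi
    done
    return "$found"
}

# Report the kernel's forwarding flag: "missing" (no such file), "off" or "on".
ip_forward_state() {
    f="${1:-}/proc/sys/net/ipv4/ip_forward"
    if [ ! -r "$f" ]; then
        echo missing
    elif [ "$(cat "$f")" = "1" ]; then
        echo on
    else
        echo off
    fi
}

if [ "${1:-}" = "check" ]; then
    root="${2:-}"
    if find_firewall_scripts "$root"; then
        echo "firewall scripts present; ip_forward is $(ip_forward_state "$root")"
    else
        echo "no firewall init script found; ip_forward is $(ip_forward_state "$root")"
    fi
fi
```

A script that is installed but not linked from rc2.d or rc3.d is the case the text warns about: the firewall package is on the disk, yet nothing loads a policy at boot, so the machine is forwarding (if ip_forward is on) with no filtering at all.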
You can also download the ipchains source code and compile it yourself. In that case, run a checksum program to confirm that the source is genuine, normally md5sum <filename>.
The valid checksums are listed on the ipchains web site, and your result must match exactly. Bear in mind that a checksum only proves the file matches what the web site lists; it does not help if the site itself has been tampered with, so prefer a detached signature whenever one is offered. The ipchains version current at the time of writing is 1.3.9.