Article Title: how to use ipchains to build a firewall. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Tip: firewall is an important means to provide network security. RedHat6.1 provides ipchains, a tool package used to implement the filter firewall. Two firewall policies are generally implemented: in the first method, allow all packets first, and then prohibit dangerous packets from passing through the firewall; in the second method, the opposite is true, deny all packages first, and then allow specific packages to pass through the firewall according to the required services. In comparison, the second method ensures network security. However, for the second method, the user is required to know the basic principle of Server/Client interaction and the specific port corresponding to a specific service. This article will discuss how to build an enterprise's firewall system in the second way from a specific list.
I. Server/Client interaction principles
First, let's take a look at the interaction principle between the server and client. Services provided by a server with a specific function are always provided by a specific background process. In TCP/IP networks, this specific service is often bound to a specific TCP or UDP port. Then, the background program continuously listens to the port (listen). Once a client request that meets the conditions is received, the service performs a TCP handshake and establishes a connection with the client, respond to customer requests. At the same time, a copy of the binding will be generated to continue listening to client requests.
For example, assume that there is A server a in the network (the IP address is. b. c.1) provides the WWW service, and client B (. b. c.4), C (. b. c.7 ). First, server A runs the background program (such as Apache) that provides the WWW service and binds the service to port 80, that is, listens on port 80. When B initiates a connection request, B opens a connection port greater than 1024 (defined Port within 1024), which is assumed to be 1037. After receiving the request, A establishes A connection with Port 80 to respond to the request of port B. At the same time, A copy bound to port 80 is generated, and the client requests are continuously monitored. If A Receives A connection request from C (set the connection request port to 1071 ), then, when A establishes A connection with C, it generates A copy bound to port 80 to continue listening to the client request. As shown below, each connection is unique.
Server client
Connection 1: a. B. c.1: 80 <=> a. B. c.4: 1037
Connection 2: a. B. c.1: 80 <=> a. B. c.7: 1071
II. service port
Each specific service has its own specific port. generally, ports smaller than 1024 are reserved ports, or defined ports, low ports are allocated to well-known services (such as WWW and FTP). ports from 512 to 1024 are usually reserved for special UNIX TCP/IP applications, for details, see The/etc/services file or RFC1700.
III. network environment
Assume that the network environment is as follows: a ddnleased line is used to connect to the internet. The network topology is as follows:
+ -------------- +
| Intranet segment | eth1 + -------- + eth0 DDN
| + ------------ | Firewall | <==================> Internet
| 198.168.80.0 | + -------- +
+ -------------- +
Eth0: 198.199.37.254
Eth1: 198.168.80.254
The above IP addresses are all real IP addresses on the Internet, so IP spoofing is not used. In addition, we assume that the following servers exist in the intranet:
Dns server: dns.yourdomain.com is concurrently used by firewall
Www Server: www.yourdomain.com 198.168.80.11
Ftp server: ftp.yourdomain.com 198.168.80.12
Bbs server: bbs.yourdomain.com 198.168.80.13
Email Server: mail.yourdomain.com 198.168.80.14
Next we will use ipchains to build our packet filtering firewall step by step.
IV. implementation steps
Note: For detailed command usage of ipchains, see HOWTO documentation. In this example, we will set filtering rules in the input chain of eth0 and eth1.
1. in/etc/rc. run the touch command in the d/directory to create the firewall file, run the chmod u + x firewll command to change the file attributes, and edit/etc/rc. d/rc. add/etc/rc at the end of the local file. d/firewall to ensure that the script is automatically executed at startup.
2. refresh all ipchains
#! /Bin/sh
Echo "Starting ipchains rules ..."
# Refresh all chains
/Sbin/ipchains-F
3. set WWW packet filtering
Note: the WWW port is 80 and the tcp or udp protocol is used.
The rule is: eth1 => allow all WWW packets from the Intranet; eth0 => only allow packets for the purpose of the Intranet WWW server.
# Define HTTP packets
# Allow www request packets from Internet clients to www servers
The rule is: eth1 => allow all telnet packets from the Intranet; eth0 => only allow packets destined for the bbs server; to improve network security, deny all telnet requests to the firewall.
# Define telnet packets
# Allow telnet request packets from Internet clients to Intranet bbs server
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
