Hybrid Nat and firewall applications in Linux

Source: Internet
Author: User

[Introduction]
Linux has become popular around the world over the past few years thanks to its stability, security and open source code. As a UNIX-like system, Linux is used in every corner of the Internet, from scientific computing to cash machines and from web servers to high-end Oracle database deployments. Because Linux is released under the GPL (GNU General Public License), anyone can obtain and modify its source code, so its security is much higher than that of closed-source systems; it can also be downloaded from the network for free. For these two reasons it is well suited to building network gateways (soft routers) and self-built firewalls (in fact, domestic hardware firewall vendors build their products on industrial x86 hardware and Linux, so they are not really hardware firewalls). Schools today pay too much attention to software and development tools on the Windows platform, but students do not realize that it is UNIX systems that really support the Internet. Starting from my own view of Linux, I would like to show you one corner of the UNIX world.
What is Nat?
NAT stands for Network Address Translation, an IETF standard that lets an organization with many network nodes appear on the Internet under a single address. NAT translates the address of each LAN node into that one IP address and back again. It is also used in firewalls to hide individual IP addresses from outside discovery, so that external networks cannot directly reach internal devices. At the same time it helps a network get around address shortages by arranging the use of public and private IP addresses sensibly.
Why Nat?
Suppose a campus network provides Internet access to campus users. For ease of management, the campus network center assigns users only private (internal) IP addresses, yet some users need to run their own WWW server to publish information externally. NAT can provide this: we bind one or more valid public IP addresses (or ports) to the firewall's external network card, forward packets addressed to one of those addresses to the user's internal WWW server, and then disguise the server's response packets as if they had been sent from the public IP address.

Tutorial Environment
All the lab environments used in this article are as follows:
Linux host (server): dual NIC, Red Hat 9.0, host name: host
Windows 98 host (client): single NIC, host name: test
One Lenovo D-Link 8-port 10/100 M switch

[Body]
I. Installing Red Hat 9.0 and things to note
Linux is an independent operating system, so it cannot be installed inside another operating system. It has its own boot method and can be installed in either of the following ways:
● Installation from CD-ROM
● Installation from an FTP server
Installation from CD-ROM (the first method) is covered by the reference manual shipped with the system and is not difficult, so we focus on installation from FTP.
Create a boot disk before installation:
1. In Windows, insert the installation CD into the CD-ROM drive;
2. Run E:\dosutils\rawrite.exe (E: is the CD-ROM drive);
3. In the prompt that appears, enter E:\images\bootnet.img;
4. Specify the target drive and insert a floppy disk.
This creates the installer's boot disk.
 
Boot the computer from the floppy. After the blue text-mode installer appears, enter the FTP server address and the FTP user name and password to install.
The Red Hat 9.0 installer is in Chinese and the package selection can be customized. Note that /swap (the swap partition) should be twice the memory size. Since the machine will be a NAT gateway, /var (where logs are kept) should be a separate partition of at least 500 MB, so that there is ample space to store logs; a complete log record is invaluable when investigating future system faults or attacks.
II. Linux network settings and NAT principles
2.1 Network settings
Once the Linux system is installed the platform is in place, but the network still has to be configured. Before configuring the network, that is, before the Linux system is connected to the Internet, we should turn off the services this server does not need.
Run setup at the command line and press Enter. A text menu appears that contains "System services"; uncheck the unwanted services with the space bar and restart the system.
If you are a skilled UNIX user, you can stop a service without restarting:
ps aux
displays all processes running in the background, and
kill -9 <pid>
(-9 forces the process to be killed) kills the process.
Then go to the /etc/sysconfig/network-scripts/ directory.
vi ifcfg-eth0 shows the following content:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
IPADDR=192.168.0.1        # intranet NIC IP address
NETMASK=255.255.255.0
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=192.168.0.0       # network number
BROADCAST=192.168.0.255   # broadcast address
These settings mean that eth0 is the intranet NIC, with IP address 192.168.0.1 and subnet mask 255.255.255.0.

vi ifcfg-eth1 shows the following content:
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=202.204.208.5      # Internet NIC IP address
NETMASK=255.255.255.128
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=202.204.208.0     # network number
BROADCAST=202.204.208.127 # broadcast address
These settings mean that eth1 is the external Internet NIC, with IP address 202.204.208.5 (the /25 netmask 255.255.255.128 matches the network number 202.204.208.0 and broadcast address 202.204.208.127).
The NIC settings are complete.
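An added consistency check for the ifcfg files above (example code, not part of the original article): it recomputes NETWORK and BROADCAST from IPADDR and NETMASK with Python's ipaddress module and verifies that the default gateway lies inside the external subnet. The IFCFG_ETH1 text is a constructed copy of the page's eth1 file with the /25 netmask; a mistyped netmask such as 255.255.255.255.128 is reported instead of silently accepted.

```python
import ipaddress

# Constructed copy of the page's ifcfg-eth1 (comments after values are shell comments)
IFCFG_ETH1 = """\
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
IPADDR=202.204.208.5      # Internet NIC IP address
NETMASK=255.255.255.128
TYPE=Ethernet
USERCTL=no
PEERDNS=no
NETWORK=202.204.208.0     # network number
BROADCAST=202.204.208.127 # broadcast address
"""

def parse_ifcfg(text):
    """Parse KEY=value lines; '#' comments and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().upper()] = value.strip().strip('"')
    return cfg

def check_ifcfg(text, gateway=None):
    """Return a list of problems found; an empty list means the file is consistent."""
    cfg = parse_ifcfg(text)
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (cfg["IPADDR"], cfg["NETMASK"]))
    except (KeyError, ValueError) as exc:
        return ["bad IPADDR/NETMASK: %s" % exc]
    net = iface.network
    problems = []
    # NETWORK must be the subnet's first address, BROADCAST its last address
    for key, expected in (("NETWORK", net.network_address),
                          ("BROADCAST", net.broadcast_address)):
        if key in cfg and cfg[key] != str(expected):
            problems.append("%s is %s, should be %s" % (key, cfg[key], expected))
    # the default gateway (GATEWAY in /etc/sysconfig/network) must be on-link
    if gateway is not None and ipaddress.IPv4Address(gateway) not in net:
        problems.append("GATEWAY %s is not inside %s" % (gateway, net))
    return problems

if __name__ == "__main__":
    print(check_ifcfg(IFCFG_ETH1, "202.204.208.7"))
    print(check_ifcfg(IFCFG_ETH1.replace("255.255.255.128", "255.255.255.255.128")))
```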

Add the IP addresses and names of the NAT clients:
vi /etc/hosts
Format:
IP address  host name
127.0.0.1   host

Default gateway:
vi /etc/sysconfig/network
GATEWAY=202.204.208.7

Set the DNS server:
vi /etc/resolv.conf
Format:
nameserver IP address
nameserver 202.106.196.115
After all settings are complete, restart the system and run
route -n # check the routing table: the default gateway should be 202.204.208.7
If it is, all network configuration on the server is complete.

The client's network configuration is as follows.
Because it is a Windows 98 system, only the parameters are given; the configuration steps are omitted.
IP address: 192.168.0.2
Subnet mask: 255.255.255.0
DNS server: 202.106.196.115
Gateway: 192.168.0.1
All network settings are complete.

2.2 NAT principles
2.2.1 Before going into the NAT settings, we should first discuss how NAT works.
In the introduction we mentioned a NAT application example. From that example we can see that NAT and firewall are integrated: in other words, NAT is a firewall function, a subset of what a firewall does.
In this section we discuss the principles of NAT in depth. To understand NAT better we refer to RFC 3022, published by the Internet standards body (IETF).
There are three types of NAT: static NAT, network address and port translation DNAT (destination NAT), and dynamic address NAT (pooled NAT). We mainly discuss the first two.
The static NAT solution uses internal addresses on the internal network and translates them into valid Internet IP addresses at the NAT device; concretely, the address field in the IP packet is replaced with a valid IP address. The NAT device maintains a state table (a routing table of sorts, which is why NAT is also called soft routing) that maps the unroutable internal addresses to valid ones. Every packet is rewritten to the correct IP address in the NAT device and passed on to the next hop, which puts some load on the processor, but for an ordinary network this load is negligible.
Network address and port translation is also called reverse NAT. The scenario is: a computer with an internal address on the internal network runs a network service (port 80, 21, etc.); when an external address wants to reach that service, the NAT gateway translates the public destination address into the internal address, that is, it maps the internal service to a valid IP address and port for external access.
To understand NAT more deeply: NAT is really IP packet spoofing, or put another way, rewriting of the IP header. See the following table.
  0      3 4      7  8             15 16                           31
+---------+---------+----------------+-------------------------------+
| 4-bit   | 4-bit   | 8-bit type of  | 16-bit total length (bytes)   |
| version | hdr len | service        |                               |
+---------+---------+----------------+------+------------------------+
|        16-bit identification       |3-bit |  13-bit fragment offset|
|                                    |flags |                        |
+-------------------+----------------+------+------------------------+
|    8-bit TTL      | 8-bit protocol |    16-bit header checksum     |
+-------------------+----------------+-------------------------------+
|                      32-bit source IP address                      |
+--------------------------------------------------------------------+
|                   32-bit destination IP address                    |
+--------------------------------------------------------------------+
|                          options (if any)                          |
+--------------------------------------------------------------------+
|                                data                                |
+--------------------------------------------------------------------+
Fields of the IP packet header
When the NAT gateway (internal address 192.168.0.1) receives an IP packet from a client (192.168.0.2) on the local LAN, it first checks that the packet really comes from the local subnet. If so, it looks up the local routing table by the packet's destination address and forwards it. Before the packet is sent on, NAT rewrites the 32-bit source address 192.168.0.2 to 202.204.208.5. Correspondingly, the returning packets are translated back using the same address mapping.
2.2.2 NAT settings
Now that we know how NAT works, we can configure it. We have said that NAT is a firewall function, and the firewall built into Red Hat 9.0 is iptables.
Once the network is configured, to let the client (Win98) reach the Internet through the server (static NAT), simply enter:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 202.204.208.5
Note:
-t nat: use the nat table. This table is consulted when the first packet of a new connection appears.
-A: append the rule to the end of the chain.
POSTROUTING: the chain whose rules are applied as a packet is about to leave the firewall.
-o eth1: the output interface is eth1.
-j SNAT: jump to the SNAT target (the action taken) when the rule matches.
The whole statement means: when the firewall sees a packet of a new connection that is about to leave through eth1, it changes the source IP address to 202.204.208.5 and sends the packet out of eth1.

After adding the NAT rule, IP forwarding must be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
The client can now access the Internet through 202.204.208.5.

For example, if the client 192.168.0.2 behind 202.204.208.5 runs a web service on port 80, how can we allow external access to that service inside the LAN?
In this case DNAT (also called reverse NAT or port forwarding) is used, with the following command line:
iptables -t nat -A PREROUTING -i eth1 -d 202.204.208.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
Statement description: when a TCP packet arriving on interface eth1 is addressed to port 80 of 202.204.208.5, a jump is triggered that redirects it to port 80 of 192.168.0.2 in the LAN.
There is still one problem, however: machines in the same LAN cannot reach port 80 of 202.204.208.5. The reason is as follows:
Suppose 192.168.0.3 accesses the server as http://202.204.208.5:80 rather than as http://192.168.0.2:80. The packet is DNATed to 192.168.0.2, but its source address stays 192.168.0.3; since both hosts are on the same subnet, 192.168.0.2 answers 192.168.0.3 directly with source address 192.168.0.2, and the client, which expects a reply from 202.204.208.5, discards it.
Run the following command line:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.0/24 -d 192.168.0.2/32 -j SNAT --to 192.168.0.1
Statement explanation: when an address in the range 192.168.0.1-255 accesses 192.168.0.2, the source address is changed to 192.168.0.1 as the packet leaves, which amounts to a second NAT translation. The LAN hosts then talk to the server through 192.168.0.1 instead of directly, which avoids the problem that the internal address cannot be reached.
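As an added example (not from the original article), here is a small Python model of the three nat-table rules above, using the page's addresses together with a connection table of the kind the kernel keeps for reverse translation. It assumes the DNAT rule also matches packets arriving from the LAN (the page's rule is limited to -i eth1, so on a real gateway a second DNAT rule without that restriction is needed for the hairpin case), and it shows why 192.168.0.3 gets no usable reply without the last SNAT rule and does get one with it.

```python
from dataclasses import dataclass, replace

GW_IN, GW_OUT = "192.168.0.1", "202.204.208.5"  # gateway eth0 / eth1 (page values)
WEB = "192.168.0.2"                              # internal web server (page value)
LAN = "192.168.0."                               # prefix of 192.168.0.0/24

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class Gateway:
    """Applies the page's nat-table rules and keeps the reverse mapping that
    the kernel's connection tracking keeps for each translated flow."""
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat  # is the second POSTROUTING SNAT rule loaded?
        self.conntrack = {}               # reply 4-tuple -> original packet
    def forward(self, p):
        orig = p
        # PREROUTING: -d 202.204.208.5 -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
        # (assumed to match LAN-originated packets as well; see the lead-in)
        if p.dst == GW_OUT and p.dport == 80:
            p = replace(p, dst=WEB)
        # POSTROUTING: -o eth1 -j SNAT --to 202.204.208.5
        if not p.dst.startswith(LAN):
            p = replace(p, src=GW_OUT)
        # POSTROUTING: -s 192.168.0.0/24 -d 192.168.0.2 -j SNAT --to 192.168.0.1
        elif self.hairpin_snat and p.src.startswith(LAN) and p.dst == WEB:
            p = replace(p, src=GW_IN)
        self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
        return p
    def reply(self, r):
        """Reverse translation of a reply, or None if no tracked flow matches."""
        orig = self.conntrack.get((r.src, r.sport, r.dst, r.dport))
        return None if orig is None else Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def exchange(gw, client):
    """Push one request through the gateway; return the reply as the client receives it."""
    seen = gw.forward(client)
    reply = Pkt(seen.dst, seen.dport, seen.src, seen.sport)  # server answers what it saw
    # a reply to a LAN host is delivered directly on the same subnet; anything
    # else (Internet host or the gateway's own address) is un-NATed by the gateway
    if reply.dst.startswith(LAN) and reply.dst != GW_IN:
        return reply
    return gw.reply(reply)

def client_accepts(client, reply):
    """A TCP client only accepts a reply matching the 4-tuple it opened."""
    return reply is not None and (reply.src, reply.sport, reply.dst, reply.dport) == \
        (client.dst, client.dport, client.src, client.sport)

# Constructed flows: outbound browsing, an Internet client reaching the web server,
# and a LAN host using the public address (hairpin); 203.0.113.x / 198.51.100.x are TEST-NETs
OUTBOUND = Pkt("192.168.0.2", 50000, "203.0.113.10", 80)
INBOUND = Pkt("198.51.100.7", 1234, GW_OUT, 80)
HAIRPIN = Pkt("192.168.0.3", 40000, GW_OUT, 80)

def hairpin_works(with_snat):
    return client_accepts(HAIRPIN, exchange(Gateway(with_snat), HAIRPIN))
```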

Currently, the NAT Function has been implemented, but the packet is not filtered.

III. Network attacks and firewalls
3.1 What is a network attack
When the chaotic Internet is connected to your tidy, orderly Linux server network, you had better know what can come in through your door. For that we need a packet filtering policy. Since it is packet filtering, we must filter out packets that are harmful to the network or simply useless. But which packets are harmful? Since we are the defenders, we may as well look at it from the opponent's point of view.
A sophisticated intruder does not launch attacks blindly; he first chooses a target. There are two ways to choose one: first, according to personal notions of right and wrong; second, based on the feedback of a broad scan (simple results, but fast), picking the network with the weakest overall security as the target.
The next step is to understand the network server. Just as with people, the more you know about someone, the better you know his weaknesses and the more damage you can do. People are understood through conversation; a server is understood through scanning. The first thing to find out is which services the server offers. This is very simple and relies on the TCP three-way handshake:
1. The requester sends a TCP packet with the SYN flag to the server port being scanned; this packet carries the client's port and the initial sequence number of the TCP connection.
2. The server receives the client's SYN. If the requested port is open, it returns a SYN+ACK packet, indicating that the client's request is accepted, and adds its own TCP sequence number. When the scanner receives the SYN+ACK it reports to the intruder that the port is open, so the attacker can work out what service runs there.
3. The client returns an ACK to the server, also carrying the sequence number, and the TCP connection is established.
4. If the port is not open and no SYN+ACK is returned, the scanning end sends a packet with the FIN flag to cancel the TCP connection.

Once the ports opened by the server are known, an experienced intruder can determine which service is behind each port and then attack or intrude according to that service's vulnerabilities.

From the attack steps above, it is clearly important not to expose the server to the network completely: the ports must be filtered first, and only the specified services may pass through the firewall on their specified ports. This leads to one of the basic rules for configuring Internet firewalls laid down in RFC 2979:
What is not expressly permitted is prohibited.
Following this rule, the firewall should first block all traffic and then open it up for the required services one by one. This is a very practical approach that creates a very safe environment, because only carefully selected services are allowed in practice.

3.2 How to defend against network attacks
In the example above, we only set up a web service on the standard port 80.
So the firewall needs the following settings:
iptables -P INPUT DROP # -P sets the chain's default policy: all traffic to the host is dropped
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # open TCP port 80
If further ports are needed later, they can be added one by one in the same form as the second line.

In this way we have port filtering on the network server host. This method only reduces the chance of being attacked; below we look at some typical attacks and define firewall policies for them.
1. Ping of death
Ping is a tool for testing whether the network is reachable. It uses the ICMP protocol and does not depend on any port. In the early days the maximum packet size was limited by the router, and many operating systems' TCP/IP stacks assumed an ICMP packet of at most 64 KB: after reading the packet header, they allocated a buffer for the payload based on the information in the header. A malformed packet that claims a size above the ICMP limit and carries a payload larger than 64 KB then causes a memory allocation error that crashes the TCP/IP stack and hangs the receiver.
To address this we can add the following to the firewall:
iptables -A INPUT -p icmp --icmp-type echo-request -i eth1 -j DROP
This rule means that all ICMP echo requests arriving on interface eth1 are dropped.

2. SYN flood (denial of service attack)
SYN flood is one of the most popular denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. It exploits a defect in the TCP protocol: by sending a large number of forged TCP connection requests, the attacker makes the victim exhaust its resources.
The TCP three-way handshake was described earlier, and the problem lies in that handshake. Suppose a user crashes or loses its connection right after sending a SYN to the server. The server, having sent its SYN+ACK response, never receives the client's ACK (the third handshake cannot complete). In this case the server retries (sends SYN+ACK to the client again) and waits a while before discarding the unfinished connection. This waiting time is called the SYN timeout and is generally in the order of minutes (half a minute to two minutes). If one user hits this exceptional case, having a server thread wait a minute is no big problem. But if a malicious attacker simulates this situation on a large scale, the server spends a great deal of resources maintaining a very large list of half-open connections: with tens of thousands of half-open connections, even just storing and traversing the list consumes a lot of CPU time, not to mention constantly retrying the SYN+ACK to every address in the list. In practice, if the server's TCP/IP stack is not robust enough, the end result is often a stack overflow and a crash; even if the system is robust enough, the server is kept so busy processing the attacker's forged connection requests that it has no time for legitimate ones (the clients' normal requests are a tiny fraction of the illegitimate ones). Seen from a normal connection, the server has stopped responding, which is why this is called a flood attack.
For defense, the SYN timeout can be shortened. Because the effect of a SYN flood depends on the number of half-open connections the server maintains, and that number equals the SYN arrival rate multiplied by the SYN timeout, shortening the time from receiving the SYN to discarding the half-open connection reduces the server's load.
You can also use the following statement in iptables:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
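An added example (not from the original article) that models the token bucket behind "-m limit --limit 1/s" (default --limit-burst 5) in Python and runs constructed SYN arrivals through it. It assumes a following "-p tcp --syn -j DROP" rule, because the ACCEPT rule above only matches the packets that fit the limit and leaves the rest to the chain's default policy.

```python
class LimitMatch:
    """Token bucket with the semantics of iptables '-m limit': the bucket holds
    'burst' tokens (default 5), refills at 'rate' tokens per second, and a packet
    matches only when a whole token is available."""
    def __init__(self, rate, burst=5):
        self.rate, self.capacity = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def match(self, now):
        # refill for the time elapsed since the previous packet, capped at the burst
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def run_syn_rule(arrivals, rate=1.0, burst=5):
    """Apply '-p tcp --syn -m limit --limit 1/s -j ACCEPT' followed by an assumed
    '-p tcp --syn -j DROP' to a time-ordered list of (seconds, source) SYN arrivals.
    Returns {source: (accepted, dropped)}."""
    lm = LimitMatch(rate, burst)
    stats = {}
    for t, src in arrivals:
        acc, drop = stats.get(src, (0, 0))
        stats[src] = (acc + 1, drop) if lm.match(t) else (acc, drop + 1)
    return stats

# Constructed traffic: 1000 forged SYNs in half a second plus one legitimate client
FLOOD = [(i * 0.0005, "flood") for i in range(1000)]
LEGIT = [(0.3, "legit"), (3.0, "legit"), (6.0, "legit")]
SAMPLE = sorted(FLOOD + LEGIT)

if __name__ == "__main__":
    print(run_syn_rule(SAMPLE))  # flood: 5 pass (the burst), legit: 0.3 s SYN lost
```

The limit is shared by all sources, so during the flood the legitimate client's first SYN is dropped as well; the hashlimit match (-m hashlimit --hashlimit-mode srcip) keeps one bucket per source address instead.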

After all iptables rules are set, run iptables-save > iptables-script to write all rules to a file, then add to /etc/rc.d/rc.local:
iptables-restore < iptables-script
so that the system reloads the iptables rules automatically at every reboot.

[Conclusion]
This design implements proxy and network firewall functions for a Linux server in a LAN and makes extensive use of the iptables firewall in Linux. It also explains the TCP/IP protocol thoroughly and describes typical network attack methods clearly. It shows that Linux is fully capable of serving as a network gateway server: the system is not only robust but also highly configurable. We hope it offers new ideas to the many students interested in networking and network management.

