Hybrid NAT and firewall applications in Linux (very practical)

Source: Internet
Author: User
Linux-based NAT and firewall hybrid applications (very practical)-Linux Enterprise applications-Linux server application information, the following is a detailed description. 【Abstract]
It mainly describes NAT (Network Address Translation) and NAT-based firewall technology in Linux.
First, it is introduced by the installation of the Linux system. It focuses on the NAT network configuration (server and client) in LINUX and the firewall configuration principles.
Secondly, theoretically, we will explain what NAT is and the attack methods on the network.

[Introduction]
With its stability, security, and code openness, LINUX has become a popular tool in the world over the past few years. As a UNIX system

From scientific computing to cash machines, from web services to high-level Oracle database applications. You can see

Shadow. Since Linux complies with the GPL protocol (public software license), anyone can obtain and modify its source code, so its security

It is much higher than other non-open-source systems, and it can be downloaded from the network for free. From these two points, it is very suitable for Network Information

Gateway (soft routing or gateway) and self-built firewall (in fact, domestic hardware firewall vendors use industrial X86 hardware and linux for their products,

Although it is not really a hardware firewall ). Nowadays, the School pays too much attention to the software and development tools on windows and windows platforms.

Learning. However, the students did not realize that the UNIX system really supported the Internet. From my perspective on Linux, I showed you the UNIX system.

The central corner.
What is NAT?
Network Address Translation (NAT) is an IETF standard that allows a single organization (including multiple

Network nodes. NAT converts the addresses of each LAN node into one IP address, and vice versa. It can also

By applying it to the firewall technology, you can hide individual IP addresses without being discovered by the outside, making them unable to directly access internal network devices. At the same time, it also

The help network can reasonably arrange the use of public and private IP addresses in the network beyond the address restrictions.
Why NAT?
Assume that the campus network provides campus Internet access services. To facilitate management, the IP addresses assigned to campus users by the campus network center are all pseudo IP addresses.

(Internal ip address), but some users require to create their own WWW server to publish external information. In this case, we can use NAT to provide

. We can bind multiple valid IP addresses or ports to the external network card of the firewall, and then send them to

IP address packets are forwarded to a user's WWW server, and then the response packet of the internal WWW server is disguised as the packets sent by the legitimate IP address.

Tutorial Environment
All the lab environments used in this article are as follows:
LINUX host (server): Dual Nic REDHAT 9.0 host Name: host
WINDOWS 98 host (client): single Nic Host Name: test
One Lenovo D-link 8 port 10 M/M Switch

[Body]
Network Topology:


I. Installation and attention of RED HAT 9.0
Linux is an independent operating system, so it cannot be installed in other operating systems. It has its own startup method and can be

The following two methods are used for installation.
● Installation from CD-ROM
● Install from the FTP server
Since the Linux system is installed (the first method) and there is a random reference manual, it is not very difficult, so we will focus on the installation from ftp.
Create a boot disk before installation:
1. In the windows operating system, place the installation disk into the optical drive;
2. Run e: \ dosutils \ rawrite.exe (the e drive is an optical drive)
3. Enter e: \ images \ bootnet. img in the running interface.
4. Specify the target disk and enter the user's floppy disk:
In this way, the boot disk of the installer is created.
 
Use a floppy disk to boot the computer. after entering the blue interface, enter the FTP server address and the ftp user name and password to install it.
The installation interface of red hat 9.0 is Chinese. The installation instructions can be customized.

When/swap (swap partition) is twice the memory size; since it is a NAT gateway,/var (log partition)

A single split should not be less than 500 mb. There is ample space to store logs, which is well documented for future system faults or attacks.
Ii. LINUX network settings and NAT principles
2.1 network settings
After the Linux system is installed, the entire platform is set up, but the network needs to be set; Before the network is set, or

Before enabling linux to access the Internet, you should turn off services unrelated to this server.
You can press "setup" in the command line and press Enter. A text menu is displayed, which contains "System Service" and is directly canceled with the Space key.

Check the service and restart the system.
If you are a skilled UNIX user, you can cancel the service without restarting it.
Ps aux

All services running in the background are displayed.
Kill-9
(-9 indicates force killing a process) to kill the process.
Then go to the/etc/sysconfig/network-scripts/directory.
Vi ifcfg-eth0 displays the following content
Device = eth0
Onboot = yes
Bootproto = none
IPADDR = 192.168.0.1 # (intranet Nic iP address)
Netmask = 255.255.255.0
TYPE = ETHERNET
USERCTL = NO
PEERDNS = NO
NETWORK = 192.168.0.0 (NETWORK number)
Broadcast = 192.168.0.255 (Broadcast number)
The above settings mean: eth0 Intranet Nic, IP Address: 192.168.0.1, subnet mask: 255.255.255.0;

Vi ifcfg-eth1 displays the following content
Device = eth1
Onboot = yes
Bootproto = none
IPADDR = 202.204.208.5 # (Internet Nic iP address)
Netmask = 255.255.255.255.128
TYPE = ETHERNET
USERCTL = NO
PEERDNS = NO
NETWORK = 202.204.208.0 (NETWORK number)
Broadcast = 202.204.208.127 (Broadcast number)
The preceding settings mean that eth1 is an external internet Nic and the IP address is 202.204.208.5.
The NIC settings are complete.


Add the ip address and name of the nat Client
Vi/etc/hosts
Format:
IP address Host Name
127.0.0.1 host

Intranet Gateway
Vi/etc/sysconfig/network
Gateway = 202.204.208.7)

Set DNS Server
Vi/etc/resolv. conf
Format:
Nameserver IP Address
Nameserver 202.106.196.115
After all settings are complete, restart the system and run
Route-a # Check the route table to see if the default gateway is 202.204.208.7
If yes, all network configurations on the server have been completed.

The following figure shows the network configuration of the client.
Because it is a Windows 98 system, only configuration parameters are provided. The configuration method is omitted.
The IP address is 192.168.0.2.
Subnet Mask: 255.255.255.0
Domain Name Server: 202.106.196.115
Gateway: 192.168.0.1
All network settings complete

2.2 NAT principles
2.2.1 before entering the NAT settings, we should first discuss how NAT works.
In the introduction section, we have mentioned a NAT application instance. From this instance, we can see that NAT and firewall are integrated. In other words,

NAT is a firewall. NAT is a subset of the firewall.
In this section, we will discuss in depth the principles of NAT. To better understand NAT, we use RFC3022 published by the INTERNET Standardization Organization.

File.
There are three types of NAT: Static NAT, network address and port conversion DNAT (destination-NAT), Dynamic Address

NAT (Pooled NAT ). We mainly discuss the first two types of NAT.
The static nat solution is to use an internal address in the internal network and translate the internal address into a valid IP address through NAT.

When using the IP address on the Internet, replace the address domain in the IP address package with a valid IP address. NAT device maintains a status table

(Route table, so NAT is also called a soft route), which is used to map illegal IP addresses to valid IP addresses. Each package is in the NAT device

Are translated into the correct IP address and sent to the next level, which means it brings a certain burden to the processor. However, for general networks,

This burden is negligible.
The translation of network address ports to NAT is also called reverse NAT. The solution is: in the internal network, the computer that uses the internal address opens

Network Services (80, 21, etc.). When an external ip address wants to access these services, the NAT Gateway translates the external ip address into an internal ip address, that is

Services opened by the Department are mapped to a valid ip address and port for external access.
If you want to learn more about how NAT works, NAT is actually an IP packet fraud. It can also be said to modify the IP header. See the following table.
4-digit version
Four-digit Header Length
8-bit service type
16-bit total length (bytes)
16-bit ID
3-digit flag
13-bit offset
8-bit ttl)
8-bit Protocol
16-bit header checksum
32-bit source IP address
32-bit destination IP address
Other options
Carrying data
Fields in the IP packet format and header
NAT Gateway (inside 192.168.0.1) receives ip data from clients (192.168.0.2) in the local LAN,

First, determine whether it is from the local subnet. If it passes, search for the local route table based on her destination IP address for forwarding.

Convert the 32-bit source address 192.168.0.1 to 202.204.208.5. Correspondingly, IP packets are converted based on the same address when going back.
2.2.2 NAT settings
Now that we know the principles of NAT, We can configure NAT. We have mentioned that NAT is a firewall.

IPTABLES with Firewall
After configuring the network, if you want to enable the client (win98) to access the Internet through the server (static NAT), you can directly

Input
Iptables-t nat-a postrouting-o eth1-j SNAT-to 202.204.208.5
Note:
-T nat: Call the NAT table. Calling this table indicates that a new connection package is generated.
-A: This command attaches A rule to the end of the chain.
POSTROUTING: specifies the rules to change when a legitimate information package intends to leave the firewall.
-O eth1: the output interface is eth1.
-J SNAT: A jump is also called a trigger condition. A jump occurs when the SNAT rule is met.
The entire statement indicates that when the firewall encounters a new connection package, it changes its source ip address

202.204.208.5 and sent from exit eth1.

After specifying a nat rule, you must enable the ip forwarding function:
Echo 1>/proc/sys/net/ipv4/ip_forward
In this way, the client can access the Internet through 208.5.

Assume that the 208.5 client 192.168.0.2 opens a web service with port 80, how can we allow external access to this

What about internal LAN services?
In this case, Dnat (also called reverse NAT, port jump) is used, and the following command line is used:
Iptables-t nat-a prerouting-I
Eth1-d 202.204.208.5-p tcp-dport 80-j DNAT-to-destination 192.168.0.2: 80

Statement Description: When the tcp protocol of the eth1 interface is used to access port 80 of port 202.204.208.5,

The jump is triggered and directed to port 80 of 192.168.0.2 of the LAN.
However, there is also a problem. machines in the same LAN cannot access port 80 of 202.204.208.5. The following are the reasons:
Suppose 192.168.0.3 is not input in the command line:
Iptables-t nat-a postrouting-p tcp-s 192.168.0.0/24-d 192.168.0.2/32-j SNAT-to 192.168.0.1

Statement explanation: When the ip address in the range of 192.168.0.1-255 accesses the ip address 192.168.0.2, the source ip address is modified when the data packet leaves.

It is 192.168.0.1, which is equivalent to a NAT translation in the LAN. The LAN uses 192.168.0.1 for forwarding, instead

Direct communication prevents access to the internal ip address of the LAN.

Currently, the nat Function has been implemented, but the packet is not filtered.

Iii. Network Attacks and firewalls
3.1 What is cyber attack
When the chaotic Internet is connected to your good, orderly Linux server network, you 'd better know what to access

Your door. In this case, we need to develop a packet filtering policy. Since it is packet filtering, We must filter out packets that are harmful to the network or are useless,

But which packages are harmful? Since we are defending, we may wish to hear the ideas of the enemy.
As a sophisticated intruder, he will not blindly launch attacks and intrusions. He will first determine his own goals, of course, determine the target party.

There are two methods: one is to determine the goal based on the personal good or evil or aesthetic view, and the other is based on the generalized scanner (the feedback results are simple, but fast

The scanner), and select the network with low overall security as the attack target.
The next thing you need to do is to understand the network server. Just like interacting with people, the more you know that person, the more you know about his weakness,

Thus, the more deadly you will be to it. Understanding of people through conversations, understanding of servers through scanning; first of all, determine this service

It is very easy to use the three handshakes of the tcp protocol:
1. When the requester sends a TCP packet containing the SYN sign to the server port to be scanned, this packet indicates the port used by the client and

The initial port of the TCP connection.
2. The server receives the SYN Packet greeting from the client. If the client requests a connection port, a SYN + ACK packet is returned.

Indicates that the client request is accepted. At the same time, the TCP serial number is added. After receiving SYN + ACK packets, the scanner reports to the intruders and scans the packets.

This port is opened so that intruders can determine what service it is.
3. The client also returns an ACK message to the server, and the TCP serial number is also added to this TCP connection.
4. If the server's port does not exist or the SYN + ACK packet is not returned, the scan end sends a FIN flag packet to cancel

TCP connections.

After determining the port opened by the server, experienced intruders can determine the specific service opened by the server from the port, and then

Vulnerability attacks or intrusions are carried out according to different services.

From the above attack steps, it is very important not to expose the server to the network completely, that is, to filter the port first and only allow

Make the specified service pass through the firewall through the specified port. This introduces the basic rules for configuring Internet firewall rules stipulated by RFC2979.

One:
What is not allowed is forbidden.
Based on this rule, the firewall should block all information flows and then open them to the desired services one by one. This is a very practical method,

This can create a very safe environment, because only carefully selected services are allowed to be used.


3.2 how to defend against Network Attacks
From the above example, we only set up the web Service to use the standard port 80.
Then we need to configure the following settings in the firewall:
Iptables-p input-j DROP # We use-P to intercept all communications on the host.
Iptables-a input-p tcp-dport 80-j ACCEPT # Open the tcp protocol of port 80
If we need to add appropriate ports in the future, we can add them one by one in the format of the above sentence.

In this way, we have implemented the port filtering function for the network server host. This method only reduces the attack, but also needs to be customized separately.

Set firewall policies.
1. ping to death (ping of death)
Ping, this software is used to test whether the network is smooth. It is applied to the icmp protocol, but does not depend on which port, because in the Early Stage

The maximum size of the packet is limited by the router. Many operating systems require 64KB to implement the TCP/IP stack on the ICMP packet.

After the packet header is read, a buffer is generated for the payload based on the information contained in the header. When malformed

If the size of a packet exceeds the ICMP limit, that is, when the size of the package exceeds 64 KB, a memory allocation error will occur, resulting in a TCP/IP stack crash,

Cause the recipient to become a machine.
To solve this problem, we can add the following content to the firewall:
Iptables-a input-p icmp-type echo-request-I eth1-j DROP
The meaning of this sentence is that all icmp requests from the eth1 interface are discarded.

2. SYN Flood (denial of service attack)
SYN Flood is one of the most popular denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks,

Send a large number of forged TCP connection requests, so that the attacked party's resources are exhausted.
The TCP three-way handshake has been mentioned before. The problem lies in the three-way handshake of the TCP connection. Assume that after a user sends a SYN packet to the server

The server cannot receive the ACK packet from the client after sending the SYN + ACK response packet. The third handshake cannot be completed)

In this case, the server will try again (send the SKY + ACK to the client again) and wait for a while to discard the Unfinished Connection.

The length is called (SYN Timeout). Generally, this time is in minutes (half minute-2 minutes). An exception occurs for a user.

A server thread waits for 1 minute is not a big problem, but if a malicious attacker simulates this situation in large numbers, the server side

It will consume a lot of resources to maintain a very large semi-join List-tens of thousands of semi-connections, even if it is simply saved and traversed.

It will consume a lot of CPU resources and time, not to mention the need to constantly retry the IP addresses in this list with SYN + ACK. In fact, if the server's TCP/IP

The stack is not strong enough, and the final result is often a stack overflow crash-even if the server system is strong enough, the server will be busy dealing with attackers

The forged TCP Connection Request ignores the valid request (the normal request of the client is very small compared with the illegal request ).

In this case, the server has lost its response, which is called a flood attack.
In terms of defense, the SYN-Timeout time can be shortened. Because the effect of syn flood attacks depends on the number of SYN semi-connections maintained on the server,

This value is equal to the frequency of SYN Attacks * SYN Timeout. Therefore, by reducing the number of received SYN packets to correct the reported cultural relics and discarding the connection

Time to reduce the load on the server.
You can run the following statement in IPTABLES:
Iptables-a forward-p tcp -- syn-m limit -- limit 1/s-j ACCEPT

After all IPTABLES rules are created, you can use $ iptables-save> iptables-script to write all the rules to the file.

In/etc/rc. d/rc. local
Add: iptables-restore iptables-script
In this way, the system automatically loads the rules set by iptables every restart.

[Conclusion]
This design implements proxy and network firewall applications for Linux servers in the LAN, and extensively uses the firewall iptables in Linux.

In addition, the TCP/IP protocol is thoroughly explained, and the typical attack methods of the network are clearly described. Verify that Linux is used as a network gateway Server

There is a sufficient way, not only the system is strong, but also the configuration is strong. We hope to provide new ideas for the majority of students who like network and network management.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.