As a mechanism for enforcing access control between networks or systems, a firewall is an important means of ensuring network security. Different firewall systems can be built for different requirements and application environments: a firewall can be as large as a set of routers and bastion hosts, or as small as the packet filtering function provided by a firewall software package on a network operating system.
Among the many network firewall products, the firewall software on the Linux operating system has notable features. First, Linux, as a Unix-like network operating system, has unique advantages in system stability, robustness and low cost. More importantly, Linux not only makes its source code fully available, but also contains all the service software packages required to set up an Internet environment, such as the Apache web server, a DNS server, a mail server and a database server. Likewise, Linux-based firewall software is not only powerful, but is mostly open-source software.
With the rapid development of the Internet, security issues are becoming more and more important. Using Linux to build a corporate network is popular with small and medium-sized enterprises, and building the corporate network firewall on Linux has become an ideal choice for many of them.
The Linux kernel has provided packet filtering since version 1.1. In kernel 2.0, Ipfwadm is used to operate the kernel's packet filtering rules. By version 2.2, the kernel uses Ipchains to control the packet filtering rules. In 2.4.x, Ipchains is replaced by Iptables, a brand new packet filtering management tool. The newer 2.6 kernel has also been improved in terms of security. Therefore, whichever kernel version you have and whichever Linux distribution you choose for your enterprise network, you can use the existing system to build an ideal and practical firewall.
Firewall systems fall into three basic types: packet filters, application gateways and proxy server firewalls. The firewall software package provided by Linux is built into the Linux kernel and is a firewall implementation based on packet filtering. The central idea is to control the flow of packets based on the source address, destination address and packet type information in the network-layer IP header. More thorough filtering also checks the source port, destination port, connection state and other information in the packet.
This article mainly introduces Linux IPFW, Ipchains and Iptables, three very useful firewalls, and their specific implementation.
IPFW Firewall
IPFW is a firewall software package provided by older Linux kernel versions. Its full name is Ipfwadm. The Ipfwadm package provides the ability to establish rules and, based on those rules, to determine which packets are allowed to enter the network. Put simply, a firewall is a pair of switches: one switch allows packets to pass, the other blocks them. Modern firewall systems generally include several additional functions such as audit trails, encryption and authentication, address masquerading and VPN. As a security switch, a firewall can implement one of two security policies:
1) Everything not explicitly permitted is prohibited;
2) Everything not explicitly prohibited is permitted.
Obviously, policy 1 is significantly more secure than policy 2, but it buys that security at the cost of flexibility and of the resources that can be reached. The Ipfwadm system also provides IP masquerading, which allows a private network to reach the Internet through a public IP address.
The following uses Red Hat as an example to describe implementing an IPFW firewall on Linux.
To install the Ipfwadm firewall on a Red Hat system (the steps are similar on other systems), log on as root and run the following command:
# rpm -ivh /mnt/cdrom/RedHat/RPMS/ipfwadm-2.3.0-5.i386.rpm
After Ipfwadm is installed, you can specify Ipfwadm packet filtering rules interactively. The filter rules check each IP packet that enters the system to determine which packets may pass through the firewall and which may not. The general format of the ipfwadm command is:
/sbin/ipfwadm category command parameters [options]
Ipchains (IP chains) and IP masquerading
In newer Linux kernels, Ipchains replaces Ipfwadm and provides a more rigorous packet filtering control mechanism. Ipchains provides complete firewall functionality, including packet filtering, address masquerading and transparent proxying.
The Ipchains provided in the Linux 2.2 kernel controls firewall rules through four kinds of rule lists. These lists are called firewall chains: the input chain, the output chain, the forward chain and user-defined chains. A chain is really a rule table; a rule says that when the header of the packet being checked meets the rule's definition, the packet is processed as the rule prescribes. The input chain holds filtering rules for incoming connection requests, the output chain holds rules for outgoing connection requests, the forward chain holds rules for packets passing between the internal and external networks, and user-defined chains hold rules defined by the user.
When a packet enters the Linux firewall system, the kernel uses the input chain to decide what to do with it. If the packet is not discarded, the kernel must decide where it should be sent next, that is, routing. If the packet is destined for another host, the kernel uses the forward chain to decide whether to forward it. Before the packet leaves through an interface, the kernel uses the output chain to decide whether to discard or send it. When a rule matches, the packet is handed to the target named by the rule; the target may be a user-defined chain or one of the following specific values:
ACCEPT: the packet is allowed through.
DENY: the packet is silently discarded.
REJECT: the packet is discarded and an ICMP reply is sent to tell the sender that it was discarded.
MASQ: tells the kernel to masquerade the packet. This target applies only to the forward chain and user-defined chains.
REDIRECT: tells the kernel to redirect the packet to a local port. This target applies only to the input chain and user-defined chains, and only to the TCP and UDP protocols.
RETURN: tells the kernel to skip the remaining rules of the current chain and continue as if the end of the chain had been reached.
IP masquerading can be configured on the forward chain of Ipchains. Masquerading is in fact a safer solution than packet filtering alone: it not only provides a security mechanism but also addresses the shortage of IP addresses on the Internet. IP masquerading lets a computer present an address other than its real IP address when accessing the Internet. If a host connected to the Internet has the masquerading function, the hosts behind it can reach the Internet either through a LAN or through a PPP dial-up connection, even though such a host has no formal IP address of its own when using PPP. This means a host can be hidden behind a gateway and still access the Internet: it reaches the outside world while remaining invisible to it. Obviously, this concealment makes the system very secure: because the outside world cannot tell that the host exists, it cannot access it, let alone intrude into or crack it. Generally, the private addresses reserved by IANA are used for the masqueraded hosts.
When a host on the internal network sends an IP packet to the Internet, the kernel replaces the source IP address with the gateway's IP address, records the masqueraded connection and then forwards the packet. When the reply to this packet enters the gateway from the Internet, the kernel reverses the masquerading, replacing the destination address with the internal address.
With appropriate settings, IP masquerading can be applied to a network segment, a host, an interface, a protocol, or even particular ports of a specific protocol, which is very flexible. Masquerading hides the details of the internal network from the external network, and therefore provides good security.
Generally, when you install a Linux system of the corresponding version, Ipchains is installed automatically. If the Ipchains package is not installed, you can obtain it from the CD or from the Internet.
Run the following command to install the rpm package:
# rpm -ivh *.rpm
If it is a .tar.gz package, you must first unpack it:
# tar xvfz *.tar.gz
Then run the following commands in the unpacked directory to complete the installation:
# ./configure
# make
# make install
The Ipchains firewall is now installed. After installing Ipchains, start it and configure the packet filtering rules. To enable Ipchains, complete the following steps:
◆ Manually modify the /proc/sys/net/ipv4/ip_forward file and set its content to 1.
◆ Run the touch command in the /etc/rc.d/ directory to create the rc.ipfwadm file.
◆ Add the following code to the rc.local file in the /etc/rc.d directory:
if [ -f /etc/rc.d/rc.ipfwadm ]; then /etc/rc.d/rc.ipfwadm; fi
In this way, all Ipchains configuration commands are kept in the rc.ipfwadm file.
Like IPFW, Ipchains filters packets according to a configured policy, using one of the following two approaches:
1) Allow all packets through, then prohibit dangerous ones;
2) Deny all packets first, then allow specific packets through according to the services required.
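The rc.ipfwadm script that the steps above call for, written here as an added example rather than taken from the article, following approach 2 (deny everything, then allow the required services) together with the masquerading described above. The interface names eth0 and ppp0, the LAN 192.168.1.0/24 and the choice of SSH as the only service offered to the outside are constructed assumptions; the run() wrapper and the FW_DRY_RUN/FW_APPLY variables are conveniences of this example, not part of Ipchains.

```shell
#!/bin/sh
# /etc/rc.d/rc.ipfwadm: Ipchains rule set for a masquerading gateway.
# Added example, not from the original article. Constructed assumptions: the
# LAN 192.168.1.0/24 is on eth0, the Internet link is ppp0, and only SSH to
# the gateway is offered to the outside. With FW_DRY_RUN=1 the commands are
# printed instead of executed; with FW_APPLY=1 they are applied at boot.

LAN_IF=eth0
LAN_NET=192.168.1.0/24
EXT_IF=ppp0

# run: execute a command, or just print it when FW_DRY_RUN=1, so the rule
# set can be reviewed without root and without touching the kernel.
run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipchains_firewall() {
    # Forwarding must be on, or the forward chain and MASQ never see a packet.
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # Clean slate, then policy 1 ("everything not permitted is prohibited")
    # on input and forward; locally generated traffic is allowed out.
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY

    # Anti-spoofing: a packet from ppp0 claiming a LAN source is logged (-l)
    # and dropped before any accept rule can match it.
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY

    # Loopback and the LAN side are trusted.
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # From the Internet: SSH to the gateway, and replies to connections opened
    # from inside. -y matches SYN-only packets, so "! -y" means "not a new
    # connection"; UDP replies to masqueraded flows arrive on the 2.2 kernel's
    # masquerade port range 61000-65095 (de-masquerading happens after input).
    run ipchains -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 22 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 61000:65095 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Forward chain: masquerade LAN hosts going out on ppp0; anything else
    # that would be forwarded falls through to the DENY policy.
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

# Apply only when explicitly requested, e.g. from rc.local:
#   FW_APPLY=1 /etc/rc.d/rc.ipfwadm
if [ "${FW_APPLY:-0}" = 1 ]; then
    ipchains_firewall
fi
```

Run it with FW_DRY_RUN=1 first and read the printed rule list top to bottom: the anti-spoofing DENY sits above every ACCEPT because Ipchains stops at the first matching rule, and anything that matches no rule on input or forward is handled by the DENY policy set at the top.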
Iptables
Iptables is a tool for managing kernel packet filtering. It lets you add, insert or delete rules in the kernel's packet filtering tables. In fact, it is Netfilter that executes these filter rules. Netfilter is a general framework inside the Linux kernel. It provides a set of tables; each table consists of several chains, and each chain can contain one or more rules.
[Figure: Netfilter's overall structure]
Compared with the IP chains of the 2.2 kernel, the 2.4 kernel provides better flexibility and scalability. The firewall in the 2.4 kernel is not a simple enhancement of the 2.2 firewall but a complete re-implementation; the firewall software provided by the 2.4 kernel has undergone major structural changes. Compared with IP chains, Iptables in the 2.4 kernel has five checkpoints (hooks). The functions to run are registered at each checkpoint through nf_register_hook(), and the registered functions are kept in the global variable nf_hooks. When a packet reaches a checkpoint, the registered functions are executed in their predefined priority order. Compared with the IP chains of the 2.2 kernel, Iptables not only implements packet filtering but, through Netfilter, provides a complete framework on which packet filtering, NAT and other modules are implemented, giving better scalability and flexibility.
The default table is filter, which contains the INPUT chain, the FORWARD chain and the OUTPUT chain. One or more rules can be defined in each chain, each in the form: condition / action.
When a packet arrives at a chain, the system checks it against the rules starting from the first one, to see whether it meets the conditions the rule defines. If it does, the packet is handled as the rule prescribes; if not, the next rule is checked. If the packet matches none of the rules in the chain, it is handled according to the chain's predefined policy.
Like the two preceding packages, Iptables and Netfilter are built into the Linux kernel: you install the Iptables firewall by compiling the corresponding options into the kernel. The Netfilter framework is available in kernel 2.3.5 and later. When compiling, you must select the Netfilter-related items, which are usually located under the "Networking options" submenu. Taking the 2.4.0 kernel as an example, the items to select include:
[*] Kernel/User netlink socket
[ ] Routing messages
<*> Netlink device emulation
[*] Network packet filtering (replaces ipchains)
Then, in "IP: Netfilter Configuration --->", select the following options:
<M> Connection tracking (required for masq/NAT)
<M> FTP protocol support
<M> IP tables support (required for filtering/masq/NAT)
<M> limit match support
<M> MAC address match support
<M> Netfilter MARK match support
<M> Multiple port match support
<M> TOS match support
<M> Connection state match support
<M> Packet filtering
<M> REJECT target support
<M> Full NAT
<M> MASQUERADE target support
<M> REDIRECT target support
<M> Packet mangling
<M> TOS target support
<M> MARK target support
<M> LOG target support
<M> ipchains (2.2-style) support
<M> ipfwadm (2.0-style) support
The last two items can be deselected; if you select them, you can use Ipchains or Ipfwadm on the 2.4 kernel. Note that Iptables and Ipchains/Ipfwadm are independent of each other: Ipchains/Ipfwadm cannot be used at the same time as Iptables. After selecting the required options, compile the kernel. After compilation, the module files are located in the /lib/modules/2.4.0/kernel/net/ipv4/netfilter directory.
When compiling the new 2.4.0 kernel, also make sure to select the CPU option under "Processor type and features" that matches the CPU you use; otherwise the new kernel may not work properly.
After Iptables is installed, you cannot use it directly: you must also load the relevant modules. Run the following command to load them:
# modprobe ip_tables
The modprobe command loads the specified module together with the modules it depends on. The iptable_filter module is loaded automatically when the filter table is first used.
Iptables is actually a tool for manipulating filter rules; it lets you operate on the chains and rules in Netfilter. Iptables uses much the same syntax and command format as Ipchains. Besides chain and rule operations, Iptables provides further matching options: --source/--src/-s specifies the source address, --destination/--dst/-d the destination address, --protocol/-p the protocol (for example, -p tcp), and --in-interface/-i or --out-interface/-o the network interface; IP fragments can be matched as well. The related syntax is not described here; you can find it in the HOWTO documentation.
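The module loading and the first-match evaluation of the filter table described above, put together in a rule set for a single server. This is an added example, not code from the article: the interface name eth0, the services offered (SSH to an administration network, HTTP to everyone), and the RFC 5737 documentation prefix 203.0.113.0/24 standing in for that administration network are constructed assumptions; the run() wrapper and the FW_DRY_RUN/FW_APPLY variables are conveniences of this example, not part of Iptables. The user-defined chain and its RETURN show how a chain is read top to bottom until the first match, and how a packet that matches nothing falls back to the chain's policy.

```shell
#!/bin/sh
# Iptables filter-table rule set for a single server. Added example, not from
# the original article. Constructed assumptions: the server's only interface
# is eth0; it offers SSH (22) to an administration network and HTTP (80) to
# everyone; 203.0.113.0/24 (RFC 5737 documentation prefix) stands in for the
# administration network. FW_DRY_RUN=1 prints the commands instead of
# executing them; FW_APPLY=1 applies them.

EXT_IF=eth0
ADMIN_NET=203.0.113.0/24

# run: execute a command, or just print it when FW_DRY_RUN=1.
run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

iptables_firewall() {
    # Load the core module and connection tracking; iptable_filter is pulled
    # in automatically the first time the filter table is used.
    run modprobe ip_tables
    run modprobe ip_conntrack

    # Clean slate (-X also removes user-defined chains), then policy 1 on
    # INPUT and FORWARD; locally generated traffic may leave.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # A user-defined chain holds the per-service rules. A packet that matches
    # nothing in it reaches RETURN and continues in INPUT at the rule after
    # the jump, exactly as reaching the end of the chain would.
    run iptables -N services
    run iptables -A services -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    run iptables -A services -p tcp --dport 80 -j ACCEPT
    run iptables -A services -j RETURN

    # INPUT is read top to bottom and the first match decides, so order
    # matters: the state rules come before the jump to "services", and the
    # LOG rule is last so it only sees what nothing above accepted.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j DROP
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -p tcp --syn -j services
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Nothing matched: log (rate-limited), then fall through to the DROP policy.
    run iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP:"
}

# Apply only when explicitly requested: FW_APPLY=1 sh iptables-firewall.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    iptables_firewall
fi
```

A new SSH connection from outside the administration network is the case worth tracing: the SYN is not ESTABLISHED, so it reaches the jump to services, matches neither service rule, hits RETURN, is logged by the last INPUT rule and is finally discarded by the INPUT policy. Swapping the LOG rule above the jump would log every new connection, accepted or not, which is why the order is checked in the dry run.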