Implement router and packet filtering firewall in Linux
[Router and Firewall]
Routers are widely used devices between IP segments, and there are many ready-made products on the market. In practice we most often place a router between a WAN link and a LAN, and most router products are designed for that need. As a user's IP network grows, however, we need a router that can address several Ethernet networks at once. Traditional router products occasionally offer two Ethernet interfaces, but such a product is especially expensive, and if it also supports Fast Ethernet the price becomes astronomical. Layer-3 switches can do the job, but they are not cheap either.
When a router is working, it looks up the destination IP address of each packet received on a port in its routing table and then decides which port to forward the packet to. A router has several kinds of routes. The first is derived from the IP address and subnet mask of each of the router's own ports; this is called a "fixed route" (a directly connected route). The second is a route that the system administrator enters by hand for a subnet that must be reached through a next-hop router; this is called a "static route". In a network where each router broadcasts its routing information so that routers learn from one another, the learned routes are called "dynamic routes". Finally, the router forwards packets whose destination is not in its routing table to a preset address, the "default route". When matching a route, the priorities are generally: fixed routes > static routes > dynamic routes > default route.
A router only looks at the destination address of an IP packet. In principle, therefore, a router "accepts everything" and forwards every packet unless it has no way to send it out. If the router is also made to check the packet's source and the application-layer service it requests while forwarding, and to decide according to pre-designed rules whether the packet should be forwarded or how it should be handled, then the router is no longer a router in the simple sense: it is a kind of firewall, a packet filtering firewall.
A packet filtering firewall can inspect a packet's source address, source port, destination address, destination port and transport-layer protocol, and match those fields against a rule table; when a rule matches, the action predefined in the rule is carried out. A rule table can generally define the following actions: accept (pass), masq (NAT address translation), deny (silently discard) and reject (discard and at the same time send an "unreachable" message back to the source).
Of course, you can also buy off-the-shelf products that support packet filtering, but price remains an important factor to consider, and most products in particular carry many license and performance restrictions.
Besides its price advantage, Linux is a system that was born on the IP network. Even more attractive is its powerful built-in networking: in addition to the various Internet application services, Linux provides complete router and firewall functionality, and the cost-to-function ratio this brings is very appealing. Why not try it?
[Preparations for Linux systems]
Compared with ready-made router products, a router built this way is called a "soft router". Its performance is certainly not inferior to that of a "hardware router": keep in mind that many routers of the "25×" series use only a 25 MHz Motorola 68030 CPU (roughly equivalent in performance to an Intel 80386).
The hardware requirements for a Linux host used as a "soft router" are not high. For route selection between three to five local networks with a few hundred computers, a host with a Pentium 133 or better is enough. Celeron II, Pentium 4 and similar CPUs are not expensive today in any case. Configure 64 MB of memory; if circumstances allow, more does no harm. The hard disk need not be large, as anything bigger would be wasted.
The key lies in the network adapter configuration. Linux supports most Ethernet adapters found on the market. Installing PCI cards is relatively simple: as long as the kernel supports them, the system correctly identifies the cards at startup. Installing ISA cards is not complicated either; for details, refer to my previous article.
The following are network interfaces that I have actually used:
★ Intel EtherExpress Pro PCI 100M
★ RealTek 8029/8139 PCI 10M/100M
★ D-Link series (using the Tulip 2114x driver) PCI 10M
★ Accton EN1207 (using the Tulip 2114x driver) PCI 100M
★ 3Com full series (PCI/ISA 10M/100M)
★ AMD PC-NET 32 PCI 10M
★ Most NE2000-compatible NICs, such as TopStar, D-Link, Accton and SN2000
★ Hardlink PCMCIA laptop NIC 10M
Of course, Linux supports far more than these NICs.
There are several ways to load a NIC driver into Linux. The most common is to load a kernel module with the modprobe tool. For example, an NE2000-compatible driver can be loaded like this:
# modprobe ne io=0x300
In fact, most PCI NICs do not need an I/O address range; loading the driver for an Accton EN1207C NIC, for example, is simply:
# modprobe tulip
Compiling the NIC driver into the Linux kernel is the most efficient method.
# make menuconfig
replaces the "make config" mentioned in many older documents. A menu is displayed; select the driver for your network adapter under the "Network device" options. After compilation you get a complete Linux kernel that supports the corresponding NIC.
For many systems that recognise only one network card, the best practice is to write the parameters of the second and later cards into /etc/lilo.conf. Here we have four NICs in one system: one PCI RealTek 8139 and three ISA NE2000 cards. The system will not automatically recognise the three ISA cards after the 8139, so we add the following line to /etc/lilo.conf:
append="ether=3,0x240,eth1 ether=11,0x300,eth2 ether=4,0x260,eth3"
During kernel compilation we can select "optimize as router not host" in the Networking options, so that the system is tuned as a router rather than a host. You can also select "Fast switching", "Forwarding between high speed interfaces" and "Advanced router" as needed. If we plan to run the packet filtering firewall on this machine, also select "firewalling", "IP: Masquerading" and the "ip masq..." options.
For details on compiling the kernel, see the "Linux Kernel HOWTO" (http://howto.fhlfox.dhs.org/online...).
Note that you can check the boot messages, or run the dmesg command, to see whether the system has recognised and started the corresponding NIC driver. In the example above, with one RealTek 8139 NIC and three NE2000 NICs, we see the following:
rtl8139.c: v1.07 5/6/99 Donald Becker http://cesdis.gsfc.nasa.gov/linux/drivers/rtl8139.html
eth0: RealTek RTL8139 Fast Ethernet at 0x6000, IRQ 9, 00:E0:4C:DD:5F:85.
ne.c: v1.10 9/23/94 Donald Becker (becker@cesdis.gsfc.nasa.gov)
NE*000 ethercard probe at 0x240: 00 40 05 1f 60 9a
eth1: NE2000 found at 0x240, using IRQ 3.
NE*000 ethercard probe at 0x300: 00 40 05 22 08 65
eth2: NE2000 found at 0x300, using IRQ 11.
NE*000 ethercard probe at 0x260: 00 40 05 23 59 0f
eth3: NE2000 found at 0x260, using IRQ 4.
Then configure an IP address on each network port. You can of course use the distribution's setup dialog to configure the parameters of the first NIC, but an experienced network administrator generally does not, because the dialog cannot configure the other NICs; we use the same command for all of them, starting with the first NIC:
# ifconfig eth0 10.3.3.3 netmask 255.255.255.0 broadcast 10.3.3.255
The second NIC is named eth1, the others eth2, eth3, and so on.
Because of the PC architecture, a typical PC motherboard has only one PCI controller, and one PCI controller can support at most four PCI devices at a time; some dedicated servers have two or more PCI controllers. ISA NICs are limited by the number of system interrupts: a single-CPU system has only 16 IRQ numbers, and after the hard disk, memory, keyboard and display adapter not many are left, so usually four cards are installed. A dual-CPU system has 256 interrupt numbers available, which is far more generous.
In addition, we need to turn on IP forwarding in Linux, which is easy. Run:
echo 1 > /proc/sys/net/ipv4/ip_forward
These configuration commands should of course be put in /etc/rc.d/rc.local so that they need not be re-entered after every boot.
[Implement a router in Linux]
Once the network cards and their IP addresses are configured correctly, the system automatically computes the fixed route for the subnet connected to each port. You can run "route -n" or "netstat -r -n" to view the current routing table. In the example shown in Figure 2 on the right, we get the following routing table:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.2.4        0.0.0.0         255.255.255.252 U     0      0        0 eth0
10.3.2.128      0.0.0.0         255.255.255.128 U     0      0        0 eth3
10.3.253.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
The Destination column gives the destination network, whose size is determined by the subnet mask (Genmask). The Flags column shows whether the segment is directly connected: "U" means the route is up and directly usable. Metric is the hop count (one hop here), Ref is the reference count, and Iface is the port the route uses. The Gateway column gives the address of the next-hop router when the packet must be forwarded through another router.
You can also create or delete a static route with the route command. To add one:
# route add -net <destination subnet address> netmask <destination subnet mask> gw <next-hop router address>
and likewise
# route del -net <destination subnet address> netmask <destination subnet mask> gw <next-hop router address>
to remove it. The default route is set with
# route add default gw <gateway address>
or
# route add -net 0.0.0.0 netmask 0.0.0.0 gw <gateway address>
We add the route commands to /etc/rc.d/rc.local so that they run automatically at the next startup.
The following are the static route commands on the four-port Linux router of the preceding example, as a fragment of /etc/rc.d/rc.local:
route add -net 202.102.247.0 netmask 255.255.255.192 gw 172.16.80.82
route add -net 10.56.0.0 netmask 255.255.0.0 gw 172.16.80.10
route add -net 192.168.100.0 netmask 255.255.255.0 gw 172.16.80.86
route add -net 192.168.101.0 netmask 255.255.255.0 gw 172.16.80.88
route add -net 10.68.0.0 netmask 255.255.0.0 gw 10.3.2.129
route add -net 172.28.0.0 netmask 255.255.0.0 gw 172.16.80.82
route add default gw 10.3.2.5   (this last command adds the default route)
After the static routes created by these commands are added to the fixed routes computed from the interface addresses, the routing table looks like this:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.2.4        0.0.0.0         255.255.255.252 U     0      0        0 eth0
202.102.247.0   172.16.80.82    255.255.255.192 UG    0      0        0 eth1
10.3.2.128      0.0.0.0         255.255.255.128 U     0      0        0 eth3
192.168.100.0   172.16.80.86    255.255.255.0   UG    0      0        0 eth1
192.168.101.0   172.16.80.88    255.255.255.0   UG    0      0        0 eth1
10.3.253.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.68.0.0       10.3.2.129      255.255.0.0     UG    0      0        0 eth3
172.28.0.0      172.16.80.82    255.255.0.0     UG    0      0        0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.56.0.0       172.16.80.10    255.255.0.0     UG    0      0        0 eth1
0.0.0.0         10.3.2.5        0.0.0.0         UG    0      0        0 eth0
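As an added illustration that is not part of the original article, the following Python script loads the routing table above and performs the lookup the kernel makes for a destination address, reporting the outgoing interface, the next hop, and whether the winning entry is a fixed, static or default route in the article's terms. The table is copied from the listing; the 10.56.0.0 entry is given the /16 mask that the rc.local command sets.

```python
import ipaddress

# Routing table from the article's `route -n` listing (the 10.56.0.0 entry
# carries the /16 mask that the rc.local `route add` command actually sets).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.3.2.4        0.0.0.0         255.255.255.252 U     0      0   0   eth0
202.102.247.0   172.16.80.82    255.255.255.192 UG    0      0   0   eth1
10.3.2.128      0.0.0.0         255.255.255.128 U     0      0   0   eth3
192.168.100.0   172.16.80.86    255.255.255.0   UG    0      0   0   eth1
192.168.101.0   172.16.80.88    255.255.255.0   UG    0      0   0   eth1
10.3.253.0      0.0.0.0         255.255.255.0   U     0      0   0   eth2
10.68.0.0       10.3.2.129      255.255.0.0     UG    0      0   0   eth3
172.28.0.0      172.16.80.82    255.255.0.0     UG    0      0   0   eth1
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0   0   eth1
10.56.0.0       172.16.80.10    255.255.0.0     UG    0      0   0   eth1
0.0.0.0         10.3.2.5        0.0.0.0         UG    0      0   0   eth0
"""


def parse_route_table(text):
    """Turn `route -n` output into (network, gateway, iface, flags, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Destination", "Kernel"):
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else gw
        routes.append((net, gateway, iface, flags, int(metric)))
    return routes


def route_kind(net, gateway):
    """Classify a route with the article's terms."""
    if net.prefixlen == 0:
        return "default"
    return "static" if gateway else "fixed"


def lookup(routes, destination):
    """Select the route for one destination the way the kernel does: the most
    specific (longest) prefix wins, a directly connected route beats a gateway
    route of the same length, and a lower metric beats a higher one.
    Returns (iface, next_hop, kind), or None when nothing matches."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, iface, flags, metric = max(
        candidates, key=lambda r: (r[0].prefixlen, "G" not in r[3], -r[4]))
    # On a directly connected segment the packet goes straight to the host
    # (resolved with ARP); otherwise it is handed to the next-hop router.
    next_hop = gateway if gateway else destination
    return iface, next_hop, route_kind(net, gateway)


ROUTES = parse_route_table(ROUTE_TABLE)

if __name__ == "__main__":
    for dst in ("10.3.2.6", "10.56.32.1", "202.102.247.50", "202.102.247.100"):
        print(dst, "->", lookup(ROUTES, dst))
```

For this table longest-prefix matching yields exactly the fixed > static > default order the article states, because none of the static networks overlaps a directly connected one.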
[Prepare the firewall system]
Compared with a router, a packet filtering firewall adds a rule table that is checked while forwarding, and the fate of each packet is decided by the rule definitions. A router is simply a "firewall" that lets every packet pass.
Another important function of a firewall is to protect an internal subnet by translating internal private addresses into external IP addresses. This not only protects the internal network; it also saves IP address resources and lets a device reach an address segment it could not otherwise recognise. The technique is called NAT (Network Address Translation). There are many ways to implement it, and doing it directly at the routing layer is the most efficient; Cisco's PIX is representative of commercial products with this technology.
Linux IP-MASQ (IP masquerading) is the Linux implementation of this technology.
When a host initiates a TCP/IP connection to another host, it must put the other host's IP address and the TCP/UDP port the other host offers for the connection in the packet header; at the same time it opens a temporary port to receive the returned data and writes its own IP address and that temporary port into the IP datagram header. When such a packet is handled by NAT, its source address is replaced with the IP address of the firewall's outbound port (some firewall products use an address pool), and the NAT firewall also opens a temporary port of its own on that outbound port and writes it over the packet's source port number. When the reply arrives, the external host has only ever seen the NAT firewall's IP address and port number, so the destination address and port of the data it sends are those of the firewall; once the data returns to the firewall, the firewall substitutes the address and port number of the original internal host and forwards the packet into the internal network.
The NAT firewall must therefore maintain an address translation table, so that it knows how the subsequent packets of the flow and the replies should be rewritten.
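The translation table described above, modelled as an added Python example that is not from the article: outbound packets receive the firewall's address and a temporary port, replies are mapped back through the table, and anything arriving for a port that no inside host opened, or from a different remote endpoint than the one the flow was opened to, is dropped. The firewall address 10.3.253.1, the sample hosts and the temporary port range are assumptions made for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Model of the address translation table an IP masquerading firewall keeps.
    The temporary port range is an assumption for the example, not a value from
    the article."""

    def __init__(self, external_ip, first_port=61000, last_port=65095):
        self.external_ip = external_ip   # address of the firewall's outbound port
        self.next_port = first_port
        self.last_port = last_port
        self.by_flow = {}   # (proto, src, sport, dst, dport) -> temporary port
        self.by_port = {}   # (proto, temporary port, remote, rport) -> (src, sport)

    def outbound(self, pkt):
        """Rewrite an internal host's packet so it appears to come from the firewall."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                 # first packet of this flow: open a port
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port range exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_port[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=port)

    def inbound(self, pkt):
        """Map a reply addressed to the firewall back to the internal host.
        Returns None when the packet has nowhere to go: it is for a port that no
        inside host opened, or it comes from a remote endpoint other than the
        one that port was opened towards."""
        if pkt.dst != self.external_ip:
            return None
        entry = self.by_port.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)


def demo():
    """Walk one connection through the table; returns (request, reply, stray)."""
    nat = Masquerader("10.3.253.1")   # constructed: the firewall's outbound address
    request = nat.outbound(Packet("tcp", "192.168.0.10", 1025, "202.102.247.50", 80))
    reply = nat.inbound(Packet("tcp", "202.102.247.50", 80, "10.3.253.1", request.sport))
    stray = nat.inbound(Packet("tcp", "203.0.113.9", 80, "10.3.253.1", request.sport))
    return request, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```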
Because every operation of the packet filtering firewall is driven by the rule table, the rule table is extremely important. We use a tool named ipchains to maintain the system's rule tables; ipchains calls each rule table a "chain". When a packet enters the Linux machine it must pass the input chain; when the Linux machine is about to send a packet it must pass the output chain; and when the machine acts as a router, every packet in transit must also pass the forward chain. Each chain has its own rule table, so a packet passing through the Linux firewall is checked by the input, forward and output rules in turn. When Linux is used as a plain router, the rules of all three chains are accept (allow).
The following figure shows the path of a packet through ipchains (figure not reproduced here):
In a rule table a packet is always compared with the first rule first; if it does not match, the next rule is compared. Once a rule matches, no further rules are compared and the packet is handled according to that rule. Rules listed earlier therefore always take priority over rules listed later.
[Use ipchains to create a rule table]
Use the command
ipchains -P <chain name> <action>
to change the default policy of a chain. The chain names are "input", "forward" and "output"; the available actions are "accept", "deny" and "reject". The default policy is the last action, taken when a packet matches none of the rules, so it is the rule with the lowest priority. By default the policy of all three chains is "accept". When building a firewall we mainly control packets passing through it, so we usually set rules on the forward chain and leave the input and output chains at "accept". Generally we want every packet that matches no rule to be dropped, so we use this command to change the default policy of the forward chain to "deny":
# ipchains -P forward DENY
A rule is added with the following syntax:
ipchains -A <chain name> -s <source network>/<mask> -d <destination network>/<mask> <port> -p <transport-layer protocol> -j <action>
The source and destination networks are written as subnet addresses. The mask can be in dotted-decimal form or replaced by the number of 1 bits: for example "255.255.255.0" can be written as "24", "0.0.0.0/0" stands for all addresses, and "<IP address>/32" stands for a single host. The port number follows the address it applies to (a source port may likewise follow the source address). The action can be "accept", "deny" or "reject"; for IP masquerading on the forward chain it can also be "masq". If you do not check the transport-layer protocol (TCP/UDP/ICMP), you cannot check a port number either, and the rule is written as:
ipchains -A <chain name> -s <source network>/<mask> -d <destination network>/<mask> -j <action>
This applies to all packets whose source and destination addresses match. For example, to allow mutual access between subnet 10.3.2.0/255.255.255.128 and subnet 202.102.247.0/255.255.255.192, you might set:
# ipchains -A forward -s 10.3.2.0/25 -d 202.102.247.0/26 -j ACCEPT
In practice, however, this alone does not let the two subnets talk, because network traffic is bidirectional and only one direction has been permitted: since the default policy of the forward chain is deny, the returning packets match no rule and are discarded. We therefore need a second rule permitting the reverse direction:
# ipchains -A forward -s 202.102.247.0/26 -d 10.3.2.0/25 -j ACCEPT
In fact the -b option sets both directions at once; this command is equivalent to the two commands above:
# ipchains -A forward -b -s 10.3.2.0/25 -d 202.102.247.0/26 -j ACCEPT
There is one exception. Because the replies to IP-masqueraded packets do not pass through the forward chain, an IP masquerading rule on the forward chain only needs the one direction. For example, to masquerade all packets from 10.3.2.0/25 to 172.16.0.0/16:
# ipchains -A forward -s 10.3.2.0/25 -d 172.16.0.0/16 -j MASQ
This setting needs no reverse rule.
This configuration stops computers on the 10.3.2.0/25 network from reaching the telnet port (TCP 23) of 202.102.247.50:
# ipchains -A forward -s 10.3.2.0/25 -d 202.102.247.50/32 23 -p tcp -j DENY
Of course, rules on the input or output chains apply equally to transit traffic. This setting prevents IP addresses on the 10.3.2.0/25 block from accessing OICQ (UDP port 8000):
# ipchains -A input -s 10.3.2.0/25 -d 0.0.0.0/0 8000 -p udp -j DENY
From the preceding figure we can see that rules on the input chain take precedence over those on the forward chain, and rules on the output chain have the lowest priority.
There are two ways to delete a rule. One is to work out the position of the rule in the table and then use
# ipchains -D <chain name> <number>
For example, to delete the fifth rule of the forward chain:
# ipchains -D forward 5
The other is to repeat the rule-creation command with "-A" changed to "-D", which deletes the rule that the "-A" command created:
# ipchains -D input -s 10.3.2.0/25 -d 0.0.0.0/0 8000 -p udp -j DENY
After that, computers in this subnet can access OICQ again. The command ipchains -F clears all rules in the system but does not change the default policies of the chains.
Run ipchains -L -n to view the current rule table of the system. This is the actual rule table of the four-NIC firewall; naturally it looks complicated:
# ipchains -L -n
Chain input (policy ACCEPT):
target  prot opt    source              destination         ports
DENY    all  ------ 202.102.247.0/25    10.3.2.4            n/a
DENY    all  ------ 172.16.0.0/16       10.3.2.4            n/a
DENY    all  ------ 172.16.0.0/16       10.3.253.3          n/a
DENY    all  ------ 202.102.247.0/25    10.3.253.3          n/a
Chain forward (policy DENY):
target  prot opt    source              destination         ports
MASQ    all  ------ 202.102.247.0/25    10.3.253.1          n/a
ACCEPT  all  ------ 10.3.2.0/24         10.3.253.0/24       n/a
ACCEPT  all  ------ 10.3.253.0/24       10.3.2.0/24         n/a
ACCEPT  all  ------ 10.3.2.0/24         202.102.247.0/25    n/a
ACCEPT  all  ------ 202.102.247.0/25    10.3.2.0/24         n/a
ACCEPT  all  ------ 10.3.2.0/24         172.16.0.0/16       n/a
ACCEPT  all  ------ 172.16.0.0/16       10.3.2.0/24         n/a
ACCEPT  all  ------ 10.3.253.0/24       172.16.0.0/16       n/a
ACCEPT  all  ------ 172.16.0.0/16       10.3.253.0/24       n/a
ACCEPT  all  ------ 10.3.253.0/24       202.102.247.0/25    n/a
ACCEPT  all  ------ 202.102.247.0/25    10.3.253.0/24       n/a
ACCEPT  all  ------ 10.3.253.0/24       10.56.0.0/16        n/a
ACCEPT  all  ------ 10.56.0.0/16        10.3.253.0/24       n/a
ACCEPT  all  ------ 172.16.0.0/16       202.102.247.0/25    n/a
ACCEPT  all  ------ 202.102.247.0/25    172.16.0.0/16       n/a
ACCEPT  all  ------ 10.56.32.0/25       202.102.247.0/25    n/a
ACCEPT  all  ------ 202.102.247.0/25    10.56.32.0/25       n/a
ACCEPT  all  ------ 202.102.247.0/25    10.68.0.0/16        n/a
ACCEPT  all  ------ 10.68.0.0/16        202.102.247.0/25    n/a
ACCEPT  all  ------ 172.16.0.0/16       10.68.0.0/16        n/a
ACCEPT  all  ------ 10.68.0.0/16        172.16.0.0/16       n/a
ACCEPT  all  ------ 10.3.253.0/24       10.68.0.0/16        n/a
ACCEPT  all  ------ 10.68.0.0/16        10.3.253.0/24       n/a
MASQ    all  ------ 202.102.247.0/25    10.3.253.1          n/a
MASQ    all  ------ 172.16.0.0/16       10.3.253.1          n/a
MASQ    all  ------ 192.168.0.0/16      10.3.253.1          n/a
MASQ    all  ------ 10.56.32.0/24       10.3.253.1          n/a
MASQ    all  ------ 202.102.247.0/25    202.102.247.128/25  n/a
MASQ    all  ------ 172.16.0.0/16       202.102.247.128/25  n/a
MASQ    all  ------ 192.168.0.0/16      202.102.247.128/25  n/a
MASQ    all  ------ 10.56.32.0/24       202.102.247.128/25  n/a
MASQ    all  ------ 172.16.0.0/16       0.0.0.0/0           n/a
MASQ    all  ------ 10.56.32.0/25       0.0.0.0/0           n/a
MASQ    all  ------ 192.168.0.0/16      0.0.0.0/0           n/a
ACCEPT  all  ------ 10.3.253.0/24       0.0.0.0/0           n/a
ACCEPT  all  ------ 0.0.0.0/0           10.3.253.0/24       n/a
Chain output (policy ACCEPT):
Among these, I placed the access restrictions for certain hosts on the input chain, so they have the higher priority.
Likewise we can write the rule-creation commands into /etc/rc.d/rc.local, but once a firewall has been debugged successfully we would have to write down every rule that was created and copy it back into rc.local, which is very error-prone. Instead we can use the ipchains-save command to save the rule table to a file, like this:
# ipchains-save > /root/ipchains
This saves the currently running rule table to the file /root/ipchains; the following command restores it:
/sbin/ipchains-restore < /root/ipchains
Write that line into /etc/rc.d/rc.local.
The file saved by ipchains-save has the following format:
:input ACCEPT
:forward DENY
:output ACCEPT
-A forward -s 172.28.0.0/255.255.0.0 -d 202.102.247.0/255.255.255.128 -j ACCEPT
-A forward -s 172.28.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -j MASQ
To insert a rule in the middle of the table, we can simply edit this file, clear the running rule table with "ipchains -F", and then restore the rules with "ipchains-restore < <file name>".
[Set information that should not be filtered out in the firewall]
When we set up a firewall we always look for ways to filter whatever we cannot identify, but some information is required for the network to operate and normally must not be filtered, or the normal operation of the network will suffer. Novice system administrators often overlook this.
ICMP: many system administrators filter ping, mainly because ping can be used to clog parts of the network where line bandwidth is narrow, and to save effort they filter out ICMP entirely. In fact, however, ICMP packets are also used to report errors for other protocols (TCP, UDP), for example "destination unreachable". If this information is filtered out, you never receive "Host unreachable" or "No route to host" errors; every connection waits for a reply that will never come, and the client spends a long time waiting for the TCP/IP timeout. This is bad, but not fatal.
A worse problem is that ICMP packets play a role in MTU (maximum transmission unit) discovery. To set up a TCP connection well, a host uses "MTU discovery" to find the largest packet that can reach the destination without being fragmented. It works like this: a packet is sent with the "Don't Fragment" bit set; if a "fragmentation needed but DF set" message comes back, a smaller packet is sent. If ICMP is blocked, the local host never reduces its MTU, and the discovery is repeated forever or becomes meaningless; if MTUs differ across the network, performance suffers greatly.
The correct way to filter ping is to filter only ICMP types 0 and 8:
# ipchains -A input -p icmp -s 0.0.0.0/0 0 -d 0.0.0.0/0 -j DENY
# ipchains -A input -p icmp -s 0.0.0.0/0 8 -d 0.0.0.0/0 -j DENY
TCP port 53: we know that DNS name resolution normally uses UDP port 53, but the DNS protocol automatically falls back to a TCP connection when UDP cannot respond normally. On a network that filters all TCP, those lookups cannot be resolved correctly.
In some cases the FTP protocol uses ports other than port 21 to carry auxiliary information, so when dealing with FTP we need to understand the FTP implementation mechanism in more detail.
[Application Instance]
Allow an office subnet to access the information service subnet, while access to the outside requires address translation:
Office subnet: 192.168.0.0 to 192.168.0.255
Information subnet: 202.102.247.0 to 202.102.247.63
The information subnet is connected to the Internet; the egress gateway address is 202.102.247.33.
First set the egress route on the firewall:
route add default gw 202.102.247.33
The firewall chains are set as follows:
ipchains -P forward DENY
ipchains -A forward -b -s 192.168.0.0/24 -d 202.102.247.0/26 -j ACCEPT
ipchains -A forward -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ
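As an added example that is not from the article, the following Python script models the ipchains behaviour described in the preceding sections: it reads rules in the ipchains-save format shown earlier (plus the -b flag), evaluates a packet against the input, forward and output chains with first-match semantics and the chain policy as fallback, and exercises the office/information-subnet rules above together with the ping filter and a host-specific telnet deny placed ahead of the broad accept. The packets and the rule set are constructed for the example; the script models filtering decisions only, not the address rewriting done by MASQ.

```python
import ipaddress
from collections import namedtuple

# For ICMP the message type travels in the source-port slot, as ipchains arranges it.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))
ANY = ipaddress.ip_network("0.0.0.0/0")

def matches(rule, p):
    """Every field given in the rule must match; an absent field matches anything."""
    return (ipaddress.ip_address(p.src) in rule["src"]
            and ipaddress.ip_address(p.dst) in rule["dst"]
            and rule["proto"] in ("all", p.proto)
            and rule["sport"] in (None, p.sport)
            and rule["dport"] in (None, p.dport))

def parse_rules(text):
    """Read ':chain POLICY' and '-A chain ... -j TARGET' lines (ipchains-save format)
    plus the command-line '-b' flag; returns {chain: [policy, [rules]]}."""
    chains = {c: ["ACCEPT", []] for c in ("input", "forward", "output")}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0].startswith(":"):             # policy line, e.g. ":forward DENY"
            chains[tok[0][1:]][0] = tok[1].upper()
            continue
        assert tok[0] == "-A", line
        r = dict(src=ANY, dst=ANY, proto="all", sport=None, dport=None, target=None)
        both, i = False, 2
        while i < len(tok):
            t = tok[i]
            if t == "-b":
                both, i = True, i + 1
            elif t in ("-s", "-d"):
                end, port = ("src", "sport") if t == "-s" else ("dst", "dport")
                r[end], i = ipaddress.ip_network(tok[i + 1], strict=False), i + 2
                if i < len(tok) and tok[i].isdigit():   # optional port after the address
                    r[port], i = int(tok[i]), i + 1
            elif t == "-p":
                r["proto"], i = tok[i + 1].lower(), i + 2
            elif t == "-j":
                r["target"], i = tok[i + 1].upper(), i + 2
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        chains[tok[1]][1].append(r)
        if both:   # -b is shorthand for the same rule with the two ends swapped
            chains[tok[1]][1].append(dict(r, src=r["dst"], dst=r["src"],
                                          sport=r["dport"], dport=r["sport"]))
    return chains

def run_chain(chains, name, pkt):
    policy, rules = chains[name]
    for rule in rules:   # first match decides; later rules are never consulted
        if matches(rule, pkt):
            return rule["target"]
    return policy

def verdict(chains, pkt):
    """A forwarded packet must pass the input, forward and output chains in order."""
    result = "ACCEPT"
    for name in ("input", "forward", "output"):
        v = run_chain(chains, name, pkt)
        if v in ("DENY", "REJECT"):
            return v
        if v == "MASQ":
            result = "MASQ"
    return result

# Constructed rule set: the office/information-subnet example, a ping filter, and a
# host-specific telnet block that only works because it precedes the broad accept.
RULES = """\
:input ACCEPT
:forward DENY
:output ACCEPT
-A input -p icmp -s 0.0.0.0/0 8 -d 0.0.0.0/0 -j DENY
-A forward -s 192.168.0.0/24 -d 202.102.247.50/32 23 -p tcp -j DENY
-A forward -b -s 192.168.0.0/24 -d 202.102.247.0/26 -j ACCEPT
-A forward -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQ
"""
CHAINS = parse_rules(RULES)
```

Swapping the order of the two forward rules for 202.102.247.50 makes the telnet deny unreachable, which is the priority point the article makes about rule ordering.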
On the campus network of XXX College of Higher Education in Hunan province we have a total of 9 subnets and 5 Internet outlets, interconnected and access-controlled with Linux + ipchains firewalls on four hosts; the routing and rule tables on some of the machines are fairly complex, but the investment in the system is very small and the results in actual use are also very good.
Source: Noah's Ark
Author: www0148_cn www0148_cn@21cn.com