As a mechanism for enforcing access control between a network and the systems on it, a firewall is an important means of ensuring network security. Different firewall systems can be tailored to different requirements and application environments. A firewall can be as large as a combination of several routers and bastion hosts, or as small as the packet filtering functionality provided by a firewall package in the network operating system.
Among the many network firewall products, firewall software for the Linux operating system has notable strengths. First, Linux, as a UNIX-like network operating system, has the unique advantages of stability, robustness and low price. More importantly, Linux is not only completely open source, but also ships with all the service packages needed to set up an Internet environment, such as the Apache web server, a DNS server, a mail server and a database server. Likewise, Linux-based firewall software is not only powerful but also mostly open software.
With the rapid development of the Internet, security issues are becoming more and more important. Building an enterprise network on Linux is favored by small and medium-sized enterprises, and using Linux to build the enterprise network firewall has become the ideal choice for many of them.
The Linux kernel has had packet filtering capabilities since version 1.1. In the 2.0 kernel, ipfwadm was introduced to manipulate the kernel's packet filtering rules. In version 2.2, the Linux kernel used ipchains to control its packet filtering rules. With the development of 2.4.x, ipchains was replaced by a new packet filtering management tool, iptables. The newly released 2.6 kernel has also been improved in terms of security. Therefore, regardless of which version of the Linux kernel or which version of Linux you use to build your own enterprise network, you can use the existing system to build an ideal and practical firewall.
Firewall systems can be divided into three basic types: packet filters, application-level gateways (also known as proxy-server firewalls) and circuit-level gateways. The firewall package provided by Linux is built into the Linux kernel and is a firewall implementation based on packet filtering. The main idea is to control the flow of packets according to the source address, destination address and packet type in the IP header at the network layer. A more thorough filter also checks the source port, destination port and connection state of the packet.
This article mainly introduces three very practical Linux firewalls, IPFW, IPChains and iptables, and their concrete implementation.
IPFW Firewall
IPFW is the firewall package provided by older versions of the Linux kernel; the full name of the package is ipfwadm. The ipfwadm package provides the ability to establish rules that decide which packets are allowed to enter and leave the network. In short, the firewall is a pair of switches: one switch allows a packet to pass, and the other prevents it from passing. Modern firewall systems usually add auditing and tracking, encrypted authentication, address masquerading, VPN and many other functions. As a security switch, a firewall can be defined with either of two security policies:
(1) Everything that is not permitted is prohibited;
(2) Everything that is not prohibited is permitted.
Obviously, the security of policy 1 is significantly higher than that of policy 2, but the added security comes at the expense of flexibility and of the resources that remain accessible. The ipfwadm system also provides IP masquerading (encapsulation), which allows users to share a common IP address space on the Internet.
The following uses a Red Hat system as an example to illustrate the implementation of an IPFW firewall on Linux.
Installing the ipfwadm firewall on a Red Hat system (as on other systems) requires logging in as root and then executing the following command:
# rpm -ivh /mnt/cdrom/redhat/rpms/ipfwadm-2.3.0-5.i386.rpm
After ipfwadm is installed, you can specify ipfwadm packet filtering rules interactively. The filtering rules check each IP packet that enters the system to determine which packets are allowed through the firewall and which are not. The general format of the ipfwadm command is:
/sbin/ipfwadm category commands parameters [options]
IPChains (IP chains) and IP masquerading
In newer versions of the Linux kernel, ipchains replaces ipfwadm and provides a stricter packet filtering control mechanism. ipchains provides complete firewall functionality, including packet filtering, address masquerading and transparent proxying.
The ipchains provided in the Linux 2.2 kernel controls firewall rules through four lists of rules, known as firewall chains: the IP input chain, the IP output chain, the IP forward chain and user-defined chains. A chain is simply a list of rules. A rule states that when an inspected packet header matches the rule's definition, the packet is handled in a predetermined way. The input chain holds the filtering rules for incoming connection requests; the output chain holds the filtering rules for outgoing connection requests; the forward chain holds the filtering rules for packets forwarded between the inside and the outside; and a user-defined chain holds rules defined by the user.
When a packet enters the Linux firewall system, the kernel uses the input chain to decide what to do with it. If the packet is not discarded, the kernel uses the forward chain to decide whether to forward it to an outgoing interface, and before the packet leaves through that interface the kernel uses the output chain to decide whether it is discarded or sent on. In this process, once the input chain has decided to let the packet through, the kernel must decide where the packet goes next, that is, route it; if the packet is addressed to another host, the kernel then uses the forward chain. When a rule in a chain matches, the packet is handed to that rule's target, which may be a user-defined chain or one of the following specific values. For example:
ACCEPT: the packet is allowed to pass.
DENY: the packet is discarded silently.
REJECT: the packet is discarded and the sender is notified with an ICMP reply.
MASQ: tells the kernel to masquerade the packet; it applies only to the forward chain and user-defined chains.
REDIRECT: tells the kernel to redirect the packet to a local port; it applies only to the input chain and user-defined chains, and only the TCP and UDP protocols can use this target.
RETURN: tells the kernel that the packet skips all remaining rules and goes directly to the end of the current chain.
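The two security policies listed in the IPFW section (everything not permitted is prohibited, versus everything not prohibited is permitted) and the chain traversal just described can be tried out in the following added example. It is a small Python simulator written for this discussion, not kernel code and not the output of any ipchains command: it models the input, forward and output chains with a per-chain default policy, the ACCEPT, DENY, REJECT and RETURN targets, and a jump into a user-defined chain (MASQ and REDIRECT are left out because they rewrite the packet rather than decide its fate). The addresses, the chain name lan-services and every rule are constructed for illustration, and a rule here matches only on protocol, source and destination prefix and destination port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACCEPT, DENY, REJECT, RETURN = "ACCEPT", "DENY", "REJECT", "RETURN"
BUILTIN = ("input", "forward", "output")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                 # ACCEPT, DENY, REJECT, RETURN or a user-defined chain name
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR prefix; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want is not None and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return self.dport is None or pkt.dport == self.dport


class Firewall:
    def __init__(self, policy: dict):
        self.policy = {c: policy[c] for c in BUILTIN}   # default target when no rule decides
        self.chains = {c: [] for c in BUILTIN}

    def append(self, chain: str, rule: Rule) -> None:
        self.chains.setdefault(chain, []).append(rule)  # first append creates a user-defined chain

    def _walk(self, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """Walk one chain; return a final verdict, or None if the chain ran out or RETURNed."""
        if depth > 8:
            raise RuntimeError("loop between user-defined chains")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == RETURN:
                return None                         # skip the rest, back to the calling chain
            if rule.target in (ACCEPT, DENY, REJECT):
                return rule.target
            verdict = self._walk(rule.target, pkt, depth + 1)   # jump to a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        v = self._walk(chain, pkt)
        return v if v is not None else self.policy[chain]

    def process(self, pkt: Packet, local_addrs: set) -> tuple:
        """(verdict, deciding chain) in the order input -> routing -> forward -> output."""
        v = self.verdict("input", pkt)
        if v != ACCEPT:
            return v, "input"
        if pkt.dst in local_addrs:           # routed to a local process: only the input chain applies
            return ACCEPT, "input"
        v = self.verdict("forward", pkt)
        if v != ACCEPT:
            return v, "forward"
        return self.verdict("output", pkt), "output"


# Constructed addresses: the firewall's inside and outside addresses and the LAN prefix.
FW_ADDR, LAN = "192.168.1.1", "192.168.1.0/24"
LOCAL = {FW_ADDR, "203.0.113.5"}


def build_default_deny() -> Firewall:
    """Policy 1: everything not permitted is prohibited."""
    fw = Firewall({"input": DENY, "forward": DENY, "output": ACCEPT})
    fw.append("lan-services", Rule(ACCEPT, proto="tcp", dport=22))   # services the firewall offers the LAN
    fw.append("lan-services", Rule(ACCEPT, proto="tcp", dport=80))
    fw.append("lan-services", Rule(RETURN))                          # anything else: input chain decides
    fw.append("input", Rule(REJECT, proto="tcp", dport=23))          # telnet: discard, notify sender via ICMP
    fw.append("input", Rule("lan-services", src=LAN, dst=FW_ADDR + "/32"))
    fw.append("input", Rule(DENY, dst=FW_ADDR + "/32"))              # all other traffic aimed at the firewall
    fw.append("input", Rule(ACCEPT, src=LAN))                        # LAN traffic to be routed onward
    fw.append("forward", Rule(ACCEPT, src=LAN))                      # only the LAN may be forwarded out
    return fw


def build_default_allow() -> Firewall:
    """Policy 2: everything not prohibited is permitted (same telnet rule, open policies)."""
    fw = Firewall({"input": ACCEPT, "forward": ACCEPT, "output": ACCEPT})
    fw.append("input", Rule(REJECT, proto="tcp", dport=23))
    return fw


if __name__ == "__main__":
    outside_to_lan_db = Packet("198.51.100.9", "192.168.1.50", "tcp", 3306)   # constructed sample packet
    print("default-deny :", build_default_deny().process(outside_to_lan_db, LOCAL))
    print("default-allow:", build_default_allow().process(outside_to_lan_db, LOCAL))
```

Running the block shows the difference between the two policies on one packet: an outside host connecting to a database on the LAN is denied by the input chain under policy 1, because no rule permits it, and passes all three chains under policy 2, because no rule prohibits it. A LAN host connecting to port 25 on the firewall itself illustrates RETURN: the lan-services chain matches neither 22 nor 80, returns to the input chain, and the next rule there denies the packet.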