As a mechanism for enforcing access control between a network and a system, the firewall is an important means of ensuring network security. Different firewall systems can be tailored to different requirements and application environments. A firewall can be as large as a combination of several routers and bastion hosts, or as small as the packet filtering functionality provided by a firewall package in the network operating system.
Among the many network firewall products, the firewall software of the Linux operating system has notable features. First, as a UNIX-like network operating system, Linux has the distinct advantages of system stability, robustness and low price. More importantly, Linux is not only completely open source, but also contains all the service packages needed to set up an Internet network environment, such as the Apache web server, a DNS server, a mail server, a database server, and so on. Likewise, Linux-based firewall software is not only powerful, but mostly open software as well.
With the rapid development of the Internet, security issues are becoming more and more important. Using Linux to build enterprise networks is favored by small and medium-sized enterprises, and using Linux to build the enterprise network firewall system has become the ideal choice for many of them.
The Linux kernel has had packet filtering capabilities since version 1.1. In the 2.0 kernel, ipfwadm was introduced to manipulate the kernel's packet filtering rules. In version 2.2, the Linux kernel used ipchains to control the kernel's packet filtering rules. When 2.4.x was developed, ipchains was replaced by a new packet filtering management tool, iptables. The newly released 2.6 kernel has also been improved in terms of security. Therefore, regardless of which version of the Linux kernel or which Linux distribution you use to build your enterprise network, you can use the existing system to build an ideal and practical firewall.
Firewall systems can be divided into three basic types: packet filters, application-level gateways (also known as proxy-server firewalls) and circuit-level gateways. The firewall package provided by Linux is built into the Linux kernel and is a firewall implementation technique based on packet filtering. Its main idea is to control the flow of packets according to the source address, destination address and packet type in the network-layer IP header. More thorough filtering also checks the source port, destination port and connection state of the packet.
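To make the packet filtering model above concrete, the following is an added example (not code from the article or from any of the Linux firewall packages it discusses) that models a filter chain in Python: each rule matches on the source and destination address, the protocol, the destination port and whether the packet is a new TCP connection attempt, the first matching rule decides, and a chain policy applies when nothing matches. The addresses, rule set and packets are constructed for illustration; the 203.0.113.x and 198.51.100.x ranges are documentation addresses, not real hosts.

```python
"""Toy model of a Linux-style packet filter chain (added illustration, not the kernel's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """The header fields a packet filter inspects (constructed sample data)."""
    src: str                   # source IP address from the IP header
    dst: str                   # destination IP address from the IP header
    proto: str                 # "tcp", "udp" or "icmp" (the IP protocol field)
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn_only: bool = False     # TCP SYN without ACK: a new connection attempt


@dataclass
class Rule:
    """One filtering rule. Fields left unset match anything."""
    action: str                      # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False           # match only new TCP connection attempts

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.new_only and not pkt.syn_only:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet,
                  policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain: the first matching rule decides; otherwise the chain policy applies.

    Returns (action, index of the deciding rule, or None when the policy decided).
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return policy, None


# Constructed rule set for a small web server at 203.0.113.10:
# HTTP is open to everyone, SSH only from the internal LAN, and every other
# new TCP connection is dropped explicitly so it can be counted or logged.
WEB_SERVER_RULES = [
    Rule("ACCEPT", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("ACCEPT", src="192.168.1.0/24", dst="203.0.113.10/32", proto="tcp", dport=22),
    Rule("DROP", dst="203.0.113.10/32", proto="tcp", new_only=True),
]

# Constructed sample packets arriving at the server.
SAMPLE_PACKETS = {
    "http_from_internet": Packet("198.51.100.5", "203.0.113.10", "tcp", 40000, 80, syn_only=True),
    "ssh_from_internet":  Packet("198.51.100.5", "203.0.113.10", "tcp", 40001, 22, syn_only=True),
    "ssh_from_lan":       Packet("192.168.1.20", "203.0.113.10", "tcp", 40002, 22, syn_only=True),
    "dns_query_udp":      Packet("198.51.100.5", "203.0.113.10", "udp", 53, 53),
}


def evaluate_all(rules: List[Rule], policy: str = "DROP") -> dict:
    """Run every sample packet through the chain under the given policy."""
    return {name: filter_packet(rules, pkt, policy) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(f"chain policy {policy}:")
        for name, (action, idx) in evaluate_all(WEB_SERVER_RULES, policy).items():
            decided_by = f"rule {idx}" if idx is not None else "policy"
            print(f"  {name:20s} -> {action:6s} ({decided_by})")
```

Running the script with the two chain policies shows why the default matters: under the `DROP` policy the UDP packet that no rule mentions is discarded, while under `ACCEPT` the same rule set lets it through, so a rule set is only as strict as the policy behind it.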
This article mainly introduces three very practical Linux firewalls, IPFW, IPChains and iptables, and their concrete implementation.
IPFW Firewall
IPFW is the firewall package provided by older versions of the Linux kernel; the full name of the package is ipfwadm. The ipfwadm package provides the ability to establish rules that decide which packets are allowed to enter and leave the network. In short, a firewall is a pair of switches: one switch allows packets to pass, and the other prevents packets from passing. Modern firewall systems usually also add audit tracking, encryption and authentication, address masquerading, VPN and many other functions. As a security switch, a firewall can be defined with one of two security policies:
(1) All that is not permitted is prohibited;