Proxy Server and firewall
I. Basic concepts
Application layer proxy (HTTP, FTP)
Role: lets LAN hosts reach the Internet through the proxy
Improves access efficiency (responses are cached and served locally on repeat requests)
Provides access control (by client address, destination, and so on)
Principle: works at the TCP/IP application layer, so it understands the protocol it proxies
Network layer firewall
Function: filters incoming and outgoing IP packets and discards those that do not match the policy, protecting the internal network.
Provides packet routing and network address translation (NAT)
Types: hardware: foreign: Cisco, NetScreen
China: Lenovo, Tian Rongxin (Topsec)
Software: mainly Linux iptables
Principle: the network firewall works at the TCP/IP network layer, matching on IP addresses, protocol and ports rather than on application content.
II. iptables
1. History:
2.0 kernel: ipfwadm
2.2 kernel: ipchains
2.4 kernel and later: iptables
2. Implementation
iptables is the user-space tool that manages netfilter, the packet-filtering framework inside the kernel; the rules are enforced by the kernel, not by the iptables command.
3. Tables and chains
filter: packet filtering, chains INPUT, OUTPUT, FORWARD
nat: address translation, chains PREROUTING, POSTROUTING, OUTPUT
mangle: packet modification, chains INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
4. Configure iptables
rpm -qa | grep iptables
Configuration file: /etc/sysconfig/iptables-config
Policy (rules) file: /etc/sysconfig/iptables
# echo "1" > /proc/sys/net/ipv4/ip_forward    (enable Linux routing, i.e. IP forwarding; needed only when the box forwards packets between interfaces, and lost at reboot unless set in /etc/sysctl.conf)
5. Syntax: # iptables [-t table] -command [chain] [match rules] [-j action]
[-t table]
The table can be:
filter
nat
mangle
If -t is omitted, the filter table is used.
[-command chain]
The command can be:
-A: append a rule to the end of a chain
-D: delete a rule (by its number, or by repeating its specification)
-R: replace the rule at a given position
-I: insert a rule (at position 1 by default; a position can be given)
-L: list the rules (add -n to skip DNS lookups and -v to show packet and byte counters)
-F: flush (delete) all rules in a chain, or in every chain of the table if no chain is named
-Z: zero the packet and byte counters of a chain
-N: create a user-defined chain
-X: delete a user-defined chain (it must be empty)
-P: set the default policy of a built-in chain, i.e. what happens when no rule matches
-E: rename a user-defined chain
[Match rules]
Basic matches
-p [!] tcp|udp|icmp|all    match the protocol (lower-case -p; upper-case -P sets a policy)
-s [!] address[/mask]      match the source IP address or network
-d [!] address[/mask]      match the destination IP address or network
-i [!] interface           match the interface the packet arrived on (INPUT, FORWARD and PREROUTING only)
-o [!] interface           match the interface the packet leaves by (OUTPUT, FORWARD and POSTROUTING only)
Extended matches (need -p tcp/udp/icmp, or the matching -m module, before them)
--sport port[:port]        match the source port or port range
--dport port[:port]        match the destination port or port range
--tcp-flags [!] mask comp  match TCP flag bits: the flags listed in mask are examined, and exactly those listed in comp must be set; flags are SYN, ACK, FIN, RST, URG, PSH, ALL, NONE (e.g. --tcp-flags SYN,ACK,FIN,RST SYN matches only the first packet of a connection, the same as --syn)
--icmp-type [!] type       match the ICMP message type (number or name)
--mac-source [!] address   match the source MAC address (with -m mac; only meaningful on INPUT, FORWARD and PREROUTING, since the MAC is that of the last hop, not the original sender)
[-j action]
The action (target) can be:
ACCEPT: let the packet through
DROP: discard the packet silently; the sender sees a timeout
REJECT: discard the packet and send an error back (an ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST instead)
SNAT: rewrite the packet's source IP address (nat table, POSTROUTING chain; --to-source gives the new address)
DNAT: rewrite the packet's destination IP address (nat table, PREROUTING or OUTPUT chain; --to-destination gives the new address)
MASQUERADE: like SNAT, but the source is rewritten to whatever address the outgoing interface has at that moment, for dial-up or DHCP links whose address changes
REDIRECT: rewrite the packet's destination IP address to the firewall's own address (and, with --to-ports, a chosen local port); this is how a transparent proxy is built
6. Configure the gateway
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o ppp0 -j MASQUERADE
(LAN packets leaving through ppp0 get the dial-up link's current address as their source; ip_forward must be 1 as in step 4, or nothing is forwarded at all.)
III. squid
1. Functions
HTTP and FTP proxy
Cache proxy, to speed up repeated access
Access control by client address
2. Configuration
rpm -qa | grep squid
/etc/squid/squid.conf
Lines 53, 480, 695, 183 of squid.conf: modify (7 lines in total)
squid -z    (creates the cache directories; run once before the first start)
service squid restart
3. Transparent proxy
Modify the settings in the squid.conf configuration file
# vi /etc/squid/squid.conf
Add the following lines to the configuration file (this is the Squid 2.5 syntax that matches rhel4; Squid 2.6 and 2.7 replaced the four httpd_accel_* directives with "http_port 3128 transparent", and Squid 3.1 and later use "http_port 3128 intercept")
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Restart the squid server
# service squid restart
Set the firewall policy
# iptables -t nat -A PREROUTING -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 10.100.100.25
Only port 80 is redirected: HTTPS and every other protocol bypass squid and simply leave through the SNAT rule. If the INPUT chain has a DROP policy, port 3128 must also be opened to the LAN, because after REDIRECT the packet is delivered to the firewall itself and goes through INPUT, not FORWARD.
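The transparent-proxy setup above as one script, added here as a worked example (not code from the notes). It uses the notes' addresses (LAN 192.168.10.0/24, outer address 10.100.100.25, squid on 3128); the interface names eth0/eth1 and the proxy's own LAN address 192.168.10.1 are assumptions. By default it only prints the commands it would run, so the rule set can be reviewed before APPLY=1 executes it as root; it also emits the squid.conf directives for the Squid version in use.

```shell
#!/bin/sh
# Added example: transparent HTTP interception into Squid plus SNAT for the
# rest of the LAN traffic. Addresses follow the notes; eth0/eth1 and the
# proxy's LAN address 192.168.10.1 are assumed. Dry run unless APPLY=1.
APPLY=${APPLY:-0}
IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0; WAN_IF=eth1
LAN_NET=192.168.10.0/24
PROXY_LAN_IP=192.168.10.1      # assumed: the proxy's address on the LAN side
WAN_IP=10.100.100.25
SQUID_PORT=3128

# Print the command in a dry run, execute it when APPLY=1.
run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# squid.conf directives for interception. Squid 2.5 (the rhel4 era of the
# notes) uses httpd_accel_*; 2.6/2.7 use "http_port 3128 transparent";
# 3.1 and later use "http_port 3128 intercept".
squid_intercept_conf() {
    case "${1:-2.5}" in
        2.5)     printf '%s\n' "httpd_accel_host virtual" "httpd_accel_port 80" \
                        "httpd_accel_with_proxy on" "httpd_accel_uses_host_header on" ;;
        2.6|2.7) printf 'http_port %s transparent\n' "$SQUID_PORT" ;;
        *)       printf 'http_port %s intercept\n' "$SQUID_PORT" ;;
    esac
}

transparent_proxy_rules() {
    # Routing must be on or LAN packets are never forwarded at all.
    run sysctl -w net.ipv4.ip_forward=1
    # Do not hijack connections aimed at the proxy box itself (e.g. a web
    # server on its own port 80): RETURN leaves them to the chain policy.
    run "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PROXY_LAN_IP" -j RETURN
    # Only plaintext HTTP is intercepted. HTTPS (443) is not: Squid cannot
    # read a TLS stream without an SSL-bump configuration, so 443 just
    # leaves through the SNAT rule below.
    run "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
    # After REDIRECT the packet is local, so it traverses INPUT: with a DROP
    # policy there, 3128 must be opened to the LAN or every request stalls.
    run "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$SQUID_PORT" -j ACCEPT
    # Everything not intercepted is NATed out with the outer address.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

squid_intercept_conf 2.5
transparent_proxy_rules
```

Run it once without APPLY to read the rule set, then APPLY=1 sh script.sh as root; afterwards iptables -t nat -L -n -v shows the REDIRECT counters climbing as LAN browsers fetch pages, which is the quickest confirmation that interception is actually happening.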
Case 1
Environment: rhel4 runs ftp, www and telnet services and uses iptables as a host firewall to control user access.
xp ----------- rhel4 (WEB, FTP, TELNET)
#!/bin/bash
# ip.sh
############################ Clear firewall rules ############################
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
################################ Default policy ################################
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
############################### iptables rules ###############################
iptables -t filter -A INPUT -i lo -j ACCEPT
# FTP control connection from the LAN
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.200 --dport 21 -j ACCEPT
# active-mode FTP only: the server opens the data connection from port 20 (OUTPUT rule below),
# and the client's replies to port 20 are admitted here; passive mode would need the high ports or a conntrack helper
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.200 --dport 20 -j ACCEPT
# telnet from the LAN is dropped
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 -d 192.168.0.200 --dport 23 -j DROP
# only 192.168.0.210 may reach the web server (www is port 80 in /etc/services)
iptables -t filter -A INPUT -p tcp -s 192.168.0.210 -d 192.168.0.200 --dport www -j ACCEPT
# replies: "1024:" matches ports 1024 through 65535, the clients' ephemeral ports
iptables -t filter -A OUTPUT -p tcp -s 192.168.0.200 --sport 21 -d 192.168.0.0/24 --dport 1024: -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -s 192.168.0.200 --sport 20 -d 192.168.0.0/24 --dport 1024: -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -s 192.168.0.200 --sport 80 -d 192.168.0.0/24 --dport 1024: -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -s 192.168.0.200 --sport 23 -d 192.168.0.210 --dport 1024: -j REJECT
# iptables -t filter -A OUTPUT -p tcp -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
Note:
ICMP types:
echo-reply 0              // ICMP echo reply
echo-request 8            // ICMP echo request (ping)
time-exceeded 11          // TTL expired (what traceroute relies on)
destination-unreachable 3 // the destination cannot be reached
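Case 1 again, added here as a worked example (not the notes' own script), with connection tracking instead of source-port rules. The notes let replies out by source port (--sport 21/20/80 to --dport 1024:), which also lets any local process that binds one of those source ports talk to the LAN in spite of OUTPUT DROP, and which breaks passive FTP. A -m state ESTABLISHED,RELATED match ties replies to a connection conntrack has already seen, and the FTP helper module makes both active and passive data channels RELATED to the control connection. Hosts and addresses are the ones from Case 1; the script prints its commands unless APPLY=1.

```shell
#!/bin/sh
# Added example: Case 1 (ftp, www, telnet on 192.168.0.200; clients in
# 192.168.0.0/24; 192.168.0.210 the only host allowed to the web server)
# as a stateful host firewall. Dry run unless APPLY=1 (root required).
APPLY=${APPLY:-0}
IPT=${IPT:-/sbin/iptables}
HOST_IP=192.168.0.200
LAN_NET=192.168.0.0/24
ADMIN_IP=192.168.0.210

# Print the command in a dry run, execute it when APPLY=1.
run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

host_rules() {
    for t in filter nat; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
        run "$IPT" -t "$t" -Z
    done
    run "$IPT" -P INPUT DROP
    run "$IPT" -P OUTPUT DROP
    run "$IPT" -P FORWARD DROP

    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Replies in either direction pass only for connections conntrack already
    # knows; a rogue process binding source port 80 gets nothing from this.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection and are not a new one.
    run "$IPT" -A INPUT -m state --state INVALID -j DROP

    # FTP helper: ip_conntrack_ftp on the 2.6 kernel of rhel4 (nf_conntrack_ftp
    # on current kernels). With it loaded, the data connection, whether the
    # server opens it from port 20 or the client opens it to a high port, is
    # RELATED and admitted by the two rules above.
    run modprobe ip_conntrack_ftp
    # New connections: FTP control from the LAN, HTTP from the admin host only,
    # telnet from the LAN dropped as in the notes (REJECT --reject-with
    # tcp-reset would tell the client immediately instead of letting it hang).
    run "$IPT" -A INPUT -p tcp -s "$LAN_NET" -d "$HOST_IP" --dport 21 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -p tcp -s "$ADMIN_IP" -d "$HOST_IP" --dport 80 -m state --state NEW -j ACCEPT
    run "$IPT" -A INPUT -p tcp -s "$LAN_NET" -d "$HOST_IP" --dport 23 -j DROP
    # Ping in both directions; echo replies and ICMP errors (types 0, 3, 11)
    # are ESTABLISHED/RELATED to the tracked connection and need no rule.
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
}

host_rules
```

After APPLY=1, iptables -L -n -v --line-numbers shows the ESTABLISHED,RELATED rules accumulating nearly all the packets, and an ftp client in passive mode (the default for most clients today) works, which it does not with the source-port version of the script.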
Case 2:
Environment: Red Hat Linux 9 runs a web service, Linux EL4 acts as a dedicated firewall between the two networks, and xp is the client.
xp ------------------ (eth0) linux EL4 (eth1) --------------- linux 9 (web service)
   192.168.1.0/24                                  10.10.10.0/24
echo "1" > /proc/sys/net/ipv4/ip_forward    # enable Linux route forwarding
#!/bin/bash
# ip.sh
IPT=/sbin/iptables
####################### Clear rules ###################
$IPT -t filter -F
$IPT -t filter -X
$IPT -t filter -Z
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
####################### Default rules ##################
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
####################### User rules #####################
$IPT -t filter -A INPUT -i lo -j ACCEPT    # accept traffic on 127.0.0.1
$IPT -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPT -t filter -A OUTPUT -j ACCEPT
# clients on the LAN may open HTTP to the web server
$IPT -t filter -A FORWARD -p tcp -s 192.168.1.0/24 -d 10.10.10.248 --dport 80 -i eth0 -o eth1 -j ACCEPT
# everything arriving from the server side is forwarded back; this also lets hosts on 10.10.10.0/24
# open connections into the LAN, so an ESTABLISHED,RELATED state match would be tighter
$IPT -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
$IPT -t filter -A FORWARD -p icmp --icmp-type 0 -j ACCEPT
$IPT -t filter -A FORWARD -p icmp --icmp-type 3 -j ACCEPT
$IPT -t filter -A FORWARD -p icmp --icmp-type 8 -j ACCEPT
# SNAT (source address translation): LAN packets leaving eth1 carry the firewall's address 10.10.10.100
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 10.10.10.100
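The forwarding firewall of Case 2 and the gateway command from section II.6 describe the same thing: a box that routes between two interfaces, NATs the LAN and decides what may cross. The script below is an added example (not the notes' own ip.sh) that builds that gateway with a stateful FORWARD chain: new connections are admitted only in the direction and for the service the policy names, and return traffic is admitted only because conntrack saw the request go out, so the "-i eth1 -o eth0 -j ACCEPT" catch-all of Case 2 is no longer needed. Addresses and interfaces are the Case 2 ones (LAN 192.168.1.0/24 on eth0, outer side 10.10.10.0/24 on eth1, outer address 10.10.10.100, web server 10.10.10.248); swap the SNAT line for MASQUERADE on a ppp0 dial-up link as in II.6. It prints its commands unless APPLY=1.

```shell
#!/bin/sh
# Added example: stateful forwarding firewall and NAT gateway in the Case 2
# topology. Values follow the notes; dry run unless APPLY=1 (root required).
APPLY=${APPLY:-0}
IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0; WAN_IF=eth1
LAN_NET=192.168.1.0/24
WAN_IP=10.10.10.100          # static outer address; a ppp0/DHCP link would use -j MASQUERADE instead
WEB_SERVER=10.10.10.248

# Print the command in a dry run, execute it when APPLY=1.
run() { if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

gateway_rules() {
    # Routing between eth0 and eth1; without it no packet is ever forwarded.
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate in both tables, before the policies so nothing stale survives.
    for t in filter nat; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
        run "$IPT" -t "$t" -Z
    done

    # Default deny on every chain; the rules below open only what is needed.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P OUTPUT DROP
    run "$IPT" -P FORWARD DROP

    # Traffic to the gateway itself: loopback, replies to what it started, ping.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPT" -A OUTPUT -j ACCEPT

    # Forwarded traffic. Order matters: first-match wins, so the NEW rule is
    # restricted to LAN -> server HTTP and pings, and the state rule admits
    # replies regardless of direction without opening anything new.
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else that tries to cross (including connections from the
    # server side into the LAN) falls through to the FORWARD DROP policy.

    # Rewrite the source of LAN packets leaving eth1 to the outer address.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

gateway_rules
```

Check the result with iptables -L FORWARD -n -v and iptables -t nat -L POSTROUTING -n -v: the HTTP rule's counters move when the xp client fetches a page, the SNAT rule's when any LAN packet leaves, and a connection attempted from the 10.10.10.0/24 side toward a LAN host shows up only as an increment on the FORWARD policy's own counter.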