Linux firewall basic knowledge and application: set an SNAT policy for LAN Internet sharing; set a DNAT policy to publish an internal server

Source: Internet
Author: User

A firewall, in layman's terms, is the equivalent of the moat around a fortress: it opens, and controls, the provision of services.

General computer system security mainly depends on:

1) third-party monitoring software, such as anti-virus software;

2) system policy, i.e. firewall rule settings;

3) permission settings on files.

The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets, so it is a typical packet-filtering firewall (network-layer firewall). It is implemented in the kernel, which makes it very stable and efficient, and so it has been widely adopted.

netfilter: the packet-filtering framework implemented inside the Linux kernel; it does not exist in the form of a program or a file.

iptables: the command-line program used to manage the Linux firewall.

iptables table and chain structure

The job of iptables is to supply the rules for the packet-filtering mechanism; through these rules it tells netfilter how to handle packets from certain sources, to certain destinations, or with certain protocol characteristics. To make firewall rules easier to organize and manage, iptables uses a two-level hierarchy of "tables" and "chains".

Chains are divided into five kinds according to the point in the packet's journey at which they process it.

Tables are divided into four default kinds according to the function of the rules they hold; the table and chain structure is shown in the figure.

The packet-filtering matching process

iptables manages four default tables and five kinds of chains, and the firewall rules are stored in the chains in order. When a packet arrives at the firewall, and again when it is forwarded or leaves, it is matched against these rules following the matching process shown in the figure.


Writing firewall rules

This section mainly introduces the use of iptables, the management tool for the netfilter firewall: its basic syntax, the packet control types, and how to manage and write firewall rules.

Basic operations: adding, viewing and deleting rules

Before writing any firewall rules, you need to master how to view, add, delete and flush the rules in a chain.


Match criteria for a rule




Verifying the application of iptables in an experiment

Experimental environment:

1) VMware Workstation with three virtual machines, all in host-only mode.

2) A Red Hat 6.5 PC acting as the gateway firewall, with two network adapters: eth0 with IP 192.168.30.1 and eth1 with IP 12.0.0.1.

3) A Windows 7 PC acting as the client, IP 192.168.30.66.

4) A Red Hat 6.5 PC providing the web service, IP 12.0.0.12.

5) iptables rules set on the gateway firewall control the client's access to the web service.

First prepare the environment: on the gateway firewall PC add a second network card and edit the network card configuration files so that eth0 has IP 192.168.30.1 and eth1 has IP 12.0.0.1.


Then set the IP address and the default gateway on the other two hosts as well.

The intranet Windows 7 host is given IP 192.168.30.66.

The extranet host has IP 12.0.0.12 and runs the httpd service to provide the web service (Red Hat 6.5 installs httpd by default; just start the service). Its own firewall rules are cleared with iptables -F.



Open a browser on that host itself and test whether the Apache welcome page is displayed.



On the gateway firewall, ping the other two hosts to test network connectivity.

Open the /etc/sysctl.conf file and turn on the gateway firewall host's routing and forwarding function; then flush the iptables rules.




On the intranet client, enter the extranet IP address in the browser to access the extranet web page. With no firewall rules set, the Apache welcome page is shown.


Then set an iptables rule on the gateway firewall host: iptables -I FORWARD -s 192.168.30.66 -j DROP (this disables forwarding of packets from the intranet client).


The client accesses the extranet web service again, and this time it is not reachable.


SNAT policy and application

With the spread of the Internet around the world, the IPv4 address space is running out. This scarcity makes it hard for many enterprises to obtain more public IP addresses, or to afford more than one or a few of them, while at the same time most enterprises need hosts on the LAN to reach the public network. Applying an SNAT policy on the gateway solves the problem of sharing one Internet connection across the LAN.

Analysis of the SNAT translation principle

Applying the SNAT policy, still in the experimental environment: set up the SNAT firewall rule, and before doing so clear the other iptables rules so that they do not interfere with the result.

The client accesses the web service on the extranet host.

Look at the last few lines of the Apache access log on the extranet host, /etc/httpd/logs/access_log: the IP of the host that just visited the page is 192.168.30.66 (the intranet client we set up).

Set the SNAT policy on the gateway firewall host to translate the address 192.168.30.66 to the gateway's extranet interface address 12.0.0.1:

iptables -t nat -I POSTROUTING -s 192.168.30.66 -o eth1 -j SNAT --to-source 12.0.0.1


Access the extranet host's web service from the client once more.

Look at the last few lines of the Apache access log on the extranet host, /etc/httpd/logs/access_log, again: the IP of the host that just visited the page is now 12.0.0.1 (showing that the intranet client's address has been translated to the gateway address 12.0.0.1).



DNAT policy and application

The DNAT policy is very similar to SNAT, except that it is applied in the opposite direction. DNAT modifies the destination IP address and destination port. SNAT can only be used in the POSTROUTING chain of the nat table, while DNAT can only be used in the PREROUTING and OUTPUT chains of the nat table.

Still based on the experimental environment above: in practice, for security and stability, a company installs its public-facing web server on the internal network, and unless a DNAT policy is set correctly on the gateway server, clients on the Internet cannot reach the company's intranet server.

Based on the experimental environment just built, let the intranet client provide the web service, and let the extranet PC access it.

First enable the IIS feature on the intranet PC and build a website to provide the web service, as shown in the screenshots.


Set the DNAT policy on the gateway firewall host to publish the intranet web service:

iptables -t nat -I PREROUTING -d 12.0.0.1 -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.30.66



In the browser on the extranet PC, enter the gateway's IP address 12.0.0.1 to access the web service provided by the intranet.



The effect of the DNAT policy is as shown in the experiment: when a PC on the extranet submits an HTTP request to the enterprise's gateway firewall, the gateway first examines the packet's destination address and destination port, and if it finds that the packet is for port 80 of the gateway itself, it rewrites the destination address (12.0.0.1) to the IP address of the real web server on the intranet (192.168.30.66) before sending the packet on to the internal web server.

For the reply, the gateway server rewrites the source IP address of the returned HTTP packet according to the DNAT mapping established earlier, and then returns it to the PC on the Internet. The Internet client never learns the real LAN address of the corporate web server; the translation in between is done entirely by the gateway host.

By setting appropriate DNAT policies, services inside the enterprise can be offered on the Internet.
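The whole gateway configuration of the experiment (forwarding, a default-deny FORWARD chain, SNAT and DNAT) collected into one script, as an added example that is not from the original article. It assumes the lab addresses given above, generalizes the SNAT rule from the single client to the whole 192.168.30.0/24 LAN, and uses variable names and an IPT override of my own so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example for the lab above (not the article's own script).
# eth0 = 192.168.30.1 (intranet), eth1 = 12.0.0.1 (extranet), web server 192.168.30.66.
# IPT defaults to the real binary; point it at a wrapper that echoes its
# arguments to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF=eth0
WAN_IF=eth1
WAN_IP=12.0.0.1
LAN_NET=192.168.30.0/24
LAN_WEB=192.168.30.66

enable_forwarding() {
    # Same effect as net.ipv4.ip_forward = 1 in /etc/sysctl.conf;
    # without it the FORWARD chain never sees a packet.
    sysctl -w net.ipv4.ip_forward=1
}

flush_rules() {
    # The article's "iptables -F" plus the nat table, which -F alone does not touch.
    $IPT -F
    $IPT -t nat -F
}

forward_policy() {
    # Default-deny forwarding: LAN-initiated traffic out, and its replies back in.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

snat_rules() {
    # Generalized from the article's single-host rule to the whole LAN.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

dnat_rules() {
    # Publish only TCP/80 of the intranet web server on the gateway's WAN address.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$LAN_WEB"
    # The nat table only rewrites the first packet of a connection; every packet
    # still has to pass FORWARD, so open exactly the published port and nothing else.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_WEB" -p tcp --dport 80 -j ACCEPT
}

show_rules() { $IPT -L FORWARD -n -v; $IPT -t nat -L -n -v; }

apply_all() { enable_forwarding; flush_rules; forward_policy; snat_rules; dnat_rules; }

if [ "${1:-}" = apply ]; then apply_all; show_rules; fi
```

Run it as root with the argument apply on the gateway; show_rules prints the resulting FORWARD and nat chains with packet counters, which is the check to repeat after each client test.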


