Linux Firewall uses a simple rule set to protect the network

Source: Internet
Author: User
Tags domain name server ssh access
Article Title: Linux Firewall uses a simple rule set to protect the network. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

The firewall configuration requirements are as follows:

1. Reject all packets that are passed in, forwarded, and forwarded.

2. Allow all outgoing TCP connections: We allow outgoing connections such as web, telnet, ssh, and ftp.

3. To allow outgoing TCP connections to return packets to the firewall, check the packet status.

4. Allow outbound UDP connections to specify the domain name server on port 53, but only allow Wei-in DNS packets to enter the internal Domain Name Server chivas.

5. Create a rule that allows the kernel to forward packets from one network interface to another: Packets transmitted from the private network to the Internet must be forwarded from the internal interface eth0 to the external interface eth1. The returned packets are sent in the opposite direction.

6. Enable IP Forwarding in the kernel.


Build a basic firewall

[Root @ linux-tys root] # sysctl? P ----- set IP Forwarding

[Root @ linux-tys root] # cat/proc/sys/net/ipv4/ip_forward ----- confirm IP Forwarding. The result is 1.


[Root @ lg root] # iptables? F ----- clear the rules of all rule chains in the filter of the preset table

[Root @ lg root] # iptables? X ----- clear the rules for customizing the rule chain in the filter of the preset table

[Root @ lg root] # iptables? F? T mangle ----- clear rules of all rule chains in the mangle table

[Root @ lg root] # iptables? T mangle-X ----- clear all rules of the custom rule chain in the mangle table

[Root @ lg root] # iptables? F? T nat ----- clear all rules of the Rule chain in the nat table

[Root @ lg root] # iptables? T nat-X ----- clear all rules of the custom rule chain in the nat table


[Root @ linux-tys root] # iptables-a input-p tcp--dport 22-j ACCEPT

[Root @ lg root] # iptables-a output-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT

[Root @ linux-tys root] # iptables-P INPUT DROP

[Root @ linux-tys root] # iptables-P OUTPUT DROP

[Root @ linux-tys root] # iptables-P FORWARD DROP


[Root @ linux-tys root] # iptables-a output-j ACCEPT-o lo-these two actions allow internal network traffic on the send-back Interface

[Root @ linux-tys root] # iptables-a input-j ACCEPT-I lo


[Root @ linux-tys root] # iptables-a output-j ACCEPT-o eth1-p tcp-m state -- state ESTABLISHED, NEW

----- This rule sets that the newly created and established TCP connection packets will be forwarded through eth1, and the source and target addresses are not specified to represent any addresses.


[Root @ linux-tys root] # iptables-a input-I eth0-s 192.168.1.0/24-j ACCEPT -- all traffic from the private network to the private network interface is allowed, the following rule checks each packet that arrives at the external network interface, which belongs to an existing connection

[Root @ linux-tys root] # iptables-a input-I eth1-m state -- state ESTABLISHED, RELATED-j ACCEPT


The following configuration rules forward packets from one network interface to another: the first rule receives all packets from the private network and is forwarded to the eth1 of the external network adapter; the second rule arrives at the packet on the external network interface eth1. If it belongs to an existing connection, it is forwarded to the Intranet.

[Root @ linux-tys root] # iptables-a forward-I eth0-j ACCEPT-

[Root @ linux-tys root] # iptables-a forward-I eth1-m state -- state ESTABLISHED, RELATED-j ACCEPT


Finally, a NAT rule is created, which must be translated when the POSTROUTING table packets are sent out. This rule is set to act on the packets of the outbound external network interface eth1 and change the source address to the eth1 address.

[Root @ linux-tys root] # modprobe iptable_nat ---- load the NAT Module

[Root @ linux-tys root] # iptables-a postrouting-t nat-o eth1-j SNAT -- to 192.168.32.254


Backup and recovery

1. Backup firewall settings: [root @ lg root] # iptables-save> iptablesrules.txt this time is set to iptablesdefault.txt

2. delete firewall settings: [root @ lg root] # iptables? F. Delete all links.

3. restore firewall settings: [root @ lg root] # iptables-restore iptablesrules.txt


Automate the Firewall

[Root @ linux-tys root] # iptables-save>/etc/sysconfig/iptables --- save the rule to/etc/syscofig/iptables and start it on your own

[Root @ linux-tys root] #/etc/init. d/iptables start/stop/restart ---- You can use this command to control the status after saving it.


Use custom link to consolidate the Firewall

The basic rules do not check matters other than the TCP connection status. You can use custom links to expand the basic firewall to help deal with the increased complexity, A more complex rule set can specify which TCP port can be used and the source address of the connection. At the same time, creating specific rules to process a single connection can reduce the chances of hackers using ports.


The modified firewall configuration is as follows:

1. First, enable forwarding and clear all rules. The default value is DROP. All internal network traffic is allowed on the send-back interface. Then we will create two custom chains to process packets arriving from the private network and Internet interfaces. The following figure shows how to retain SSH access.


2. Create a PRIV chain to process traffic from the private network. This Chain transmits the existing returned packets, enters the SSH packets of the firewall, and the FTP, SSH, and HTTP packets destined for the Internet, and then directs the INPUT chain rules to this chain.

[Root @ linux-tys root] # iptables-N PRIV

[Root @ linux-tys root] # iptables-a priv-m state -- state ESTABLISHED, RELATED-j ACCEPT

[Root @ linux-tys root] # iptables-a priv-p tcp? S 192.168.1.0/24? D 192.168.1.254 -- dport 22-j ACCEPT

[Root @ linux-tys root] # iptables-a priv-p udp? D 0/0 -- dport 53-j ACCEPT

[Root @ linux-tys root] # iptables-a priv-p tcp-d 0/0 -- dport 21-j ACCEPT

[Root @ linux-tys root] # iptables-a priv-p tcp-d 0/0 -- dport 80-j ACCEPT

[Root @ linux-tys root] # iptables-a input-I eth0-j PRIV

[Root @ linux-tys root] # iptables-a output? O eth0-j PRIV


3. Create a chain to process the traffic from DMZ (if used) and the external network. This chain discards all packets from the VPC and DMZ source addresses. This is because, first, the former is a spoofing address, and second, traffic from DMZ is not allowed to enter the network according to the policy. This link is a package from an existing connection and address to the Internet.

[Root @ linux-tys root] # iptables-N EXT

[Root @ linux-tys root] # iptables-a ext-s 192.168.32.0/24-j DROP

[Root @ linux-tys root] # iptables-a ext-s 192.168.1.0/24-j DROP

[Root @ linux-tys root] # iptables-a ext-s 0/0-p tcp -- dport 1024: 65535-j ACCEPT

[Root @ linux-tys root] # iptables-a ext-s any/0-d 192.168.32.254-j ACCEPT

[Root @ linux-tys root] # iptables-a input-I eth1-j EXT -- configure the INPUT chain to direct traffic to EXT

[Root @ linux-tys root] # iptables-a output? O eth1-j EXT


4. Modify the FORWARD chain to create the gateway function. New or existing connections from Intranet interfaces are forwarded to external interfaces.

[Root @ linux-tys root] # iptables-a forward-I eth0-m state -- state NEW, ESTABLISHED, RELATED-j ACCEPT

[Root @ linux-tys root] # iptables-a forward-I eth1-m state -- state ESTABLISHED, RELATED-j ACCEPT


5. Create an SNAT rule. Converts the source address to 192.168.32.254. After this step, you can implement the gateway firewall function.

[Root @ linux-tys root] # modprobe iptable_nat

[Root @ linux-tys root] # iptables-a postrouting-t nat-o eth1-j SNAT -- to 192.168.32.254


6. Configure the OUTPUT chain. Allow packets from the Firewall Service to be transmitted to the private network and the Internet.

[Root @ linux-tys root] # iptables-a output-o eth0-d 192.168.1.0/24-j ACCEPT

[Root @ linux-tys root] # iptables-a output-o eth1-m state -- state NEW, ESTABLISHED, RELATED-j ACCEPT


7. Check the firewall rules, add a rule, and save the rule.

[Root @ linux-tys root] # iptables-L? V -----v displays additional information about the network interface.

[Root @ linux-tys root] # iptables-a priv-p tcp-d any/0 -- dport 23-j ACCEPT

[Root @ linux-tys root] # iptables-save> m.txt or save as follows

[Root @ linux-tys root] # iptables-save>/etc/sysconfig/iptables --- save the rule to/etc/syscofig/iptables and start it on your own.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.