Linux network firewall

Network Firewall security policy
The overall security policy of an organization must be determined from a security analysis and a business-needs analysis. Because a firewall is concerned only with network security, it has value only once a global security policy has been correctly defined. A network firewall security policy states which network services are permitted or prohibited, how those services may be used, and which special cases apply. Each rule in the policy should then be implemented in the actual configuration. In general, a firewall follows one of the following two methods.
* Everything that is not explicitly permitted is denied.
This method blocks all traffic between the two networks except the services and applications that are explicitly permitted. Every service and application you want to keep must therefore be enabled one by one, and any service or application that could become a firewall vulnerability cannot be used. This is the more secure method: unless the system administrator explicitly permits a service or application, it is denied. On the other hand, from the user's point of view it is more restrictive and less convenient. In this book we use this method in the firewall configurations.
* Everything that is not explicitly denied is permitted.
This method allows all traffic between the two networks except the services and applications that are explicitly prohibited. Every untrusted or potentially harmful service and application must therefore be rejected one by one. Although this is a flexible and convenient method for users, it can lead to serious security problems.
  
Packet filtering
  
Packet filtering is a type of firewall built into the Linux kernel. A filtering firewall works at the network layer: data is forwarded only when the firewall permits it. Arriving packets are filtered on their type, source address, destination address, and the port information contained in each packet.
Most of the time, packet filtering is performed by a router that forwards packets according to filtering rules. When a packet arrives at a filtering router, the router reads certain fields from the packet header and then decides, according to the rules, whether the packet passes or is discarded.
The following information can be interpreted from the header:
* Source IP address
* Destination IP address
* TCP/UDP source port
* TCP/UDP destination port
* ICMP message type
* Protocol information (TCP, UDP, ICMP or IP tunneling)
  
Because only a small amount of data must be examined, and logging at the firewall takes little CPU time, the added network latency is also very small. If you want to protect a network system with a firewall, there are therefore many ways to build the network.
  
Topology
  
In the network, all servers must at least close all unused ports, even those that are not firewall servers. This makes the whole network safer. Imagine that someone gained access to the firewall server only because a neighbouring server was not configured to close all of its ports. The same is true for local connections: an employee without security clearance could gain access to one server from another internal server.
In the configurations below we give three examples to help you determine firewall rules based on the type of server to be protected and its position in the network. The first firewall applies to a Web server, the second to a mail server, and the last to a gateway server used as an internal proxy server. For details, see the figure.
  
Figure (recovered from the original illustration): the three example hosts and their DNS roles

www.openarch.com    Caching Only DNS     208.164.186.3
deep.openarch.com   Master DNS Server    208.164.186.1
mail.openarch.com   Slave DNS Server     208.164.186.2

Default ports opened on www.openarch.com:
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Caching and Client Server on port 53 allowed
4. SSH Server on port 22 allowed
5. HTTP Server on port 80 allowed
6. HTTPS Server on port 443 allowed
7. SMTP Client on port 25 allowed
8. FTP Server on ports 20, 21 allowed
9. Outgoing traceroute request allowed

Default ports opened on deep.openarch.com:
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Server and Client on port 53 allowed
4. SSH Server and Client on port 22 allowed
5. HTTP Server and Client on port 80 allowed
6. HTTPS Server and Client on port 443 allowed
7. WWW-CACHE Client on port 8080 allowed
8. External POP Client on port 110 allowed
9. External NNTP news Client on port 119 allowed
10. SMTP Server and Client on port 25 allowed
11. IMAP Server on port 143 allowed
12. IRC Client on port 6667 allowed
13. ICQ Client on port 4000 allowed
14. FTP Client on ports 20, 21 allowed
15. RealAudio/QuickTime Client allowed
16. Outgoing traceroute request allowed

Default ports opened on mail.openarch.com:
1. Unlimited traffic on the loopback interface allowed
2. ICMP traffic allowed
3. DNS Server and Client on port 53 allowed
4. SSH Server on port 22 allowed
5. SMTP Server and Client on port 25 allowed
6. IMAP Server on port 143 allowed
7. Outgoing traceroute request allowed

The tables above show the default ports opened on the different servers by the firewall script files. Depending on the services a server must provide externally, you must configure the corresponding firewall script file to allow communication on the specified ports. In the tables, www.openarch.com is our Web server, mail.openarch.com is the only external e-mail server, and deep.openarch.com is the gateway server. They are used in all examples in this chapter.
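Putting the first policy method ("everything not explicitly permitted is denied") together with the www.openarch.com table, here is an added example, not the book's own firewall script, of an ipchains rule set for the Web server. The external interface name eth0, the unprivileged port range and the traceroute port ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: ipchains rules for the Web server
# www.openarch.com (208.164.186.3) following the first policy method above:
# default DENY, then explicitly permit each service in the table.
# Assumptions: external interface eth0, a 2.2-era kernel with ipchains.
IPADDR="208.164.186.3"; EXTIF="eth0"; UNPRIV="1024:65535"

# DRY_RUN=1 (default) prints each command for review; DRY_RUN=0 applies it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "ipchains $*"; else ipchains "$@"; fi; }

# Service this host provides: new connections (SYN, -y) in, replies (! -y) out.
tcp_server() {
    run -A input  -i "$EXTIF" -p tcp -s 0/0 "$UNPRIV" -d "$IPADDR" "$1" -j ACCEPT
    run -A output -i "$EXTIF" -p tcp ! -y -s "$IPADDR" "$1" -d 0/0 "$UNPRIV" -j ACCEPT
}
# Service this host uses as a client: connections out, only non-SYN replies in.
tcp_client() {
    run -A output -i "$EXTIF" -p tcp -s "$IPADDR" "$UNPRIV" -d 0/0 "$1" -j ACCEPT
    run -A input  -i "$EXTIF" -p tcp ! -y -s 0/0 "$1" -d "$IPADDR" "$UNPRIV" -j ACCEPT
}
# UDP has no handshake, so permit the port pair in both directions.
udp_pair() {  # $1 = local port(s), $2 = remote port(s)
    run -A output -i "$EXTIF" -p udp -s "$IPADDR" "$1" -d 0/0 "$2" -j ACCEPT
    run -A input  -i "$EXTIF" -p udp -s 0/0 "$2" -d "$IPADDR" "$1" -j ACCEPT
}

web_server_rules() {
    run -F                                           # flush old rules
    run -P input DENY; run -P output DENY; run -P forward DENY  # deny by default
    run -A input -i lo -j ACCEPT; run -A output -i lo -j ACCEPT  # 1. loopback
    run -A input  -i "$EXTIF" -p icmp -j ACCEPT      # 2. ICMP
    run -A output -i "$EXTIF" -p icmp -j ACCEPT
    udp_pair "$UNPRIV" 53                            # 3. DNS client queries
    udp_pair 53 0:65535                              # 3. caching DNS server
    tcp_server 22                                    # 4. SSH
    tcp_server 80                                    # 5. HTTP
    tcp_server 443                                   # 6. HTTPS
    tcp_client 25                                    # 7. SMTP client
    tcp_server 21                                    # 8. FTP control channel
    run -A output -i "$EXTIF" -p tcp -s "$IPADDR" 20 -d 0/0 "$UNPRIV" -j ACCEPT       # 8. FTP data
    run -A input  -i "$EXTIF" -p tcp ! -y -s 0/0 "$UNPRIV" -d "$IPADDR" 20 -j ACCEPT
    udp_pair 32769:65535 33434:33523                 # 9. outgoing traceroute probes
    run -A input -i "$EXTIF" -j DENY -l              # log what the default policy drops
}

web_server_rules
```

Review the printed commands first; running the script with DRY_RUN=0 as root applies them.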
  
  
Compile a kernel that supports IPCHAINS firewall
  
First, make sure the Linux kernel has been compiled with "Network firewalls" and "IP: Firewalling" support. Remember that all servers must close at least all unused ports, even if they are not firewall servers. In kernel 2.2.14 you must answer "Y" to the following questions:
  
Networking options:
Network firewalls (CONFIG_FIREWALL) [N] Y
IP: Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP: TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y
  
Note: If you recompiled the kernel when reading the Linux kernel section, these options should already be set.
IP Masquerading and IP ICMP Masquerading, used only on gateway servers:
IP: Masquerading (CONFIG_IP_MASQUERADE) [N] Y
IP: ICMP Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y
  
Note: Only gateway servers, which must masquerade the internal network to the outside world, need the "IP: Masquerading" and "IP: ICMP Masquerading" kernel options.
  
Here, masquerading means that when a computer on the local network wants to send something outside the network, and the local network is connected to the outside through a Linux box (any simple Linux device; translator's note) acting as the network firewall, the Linux box can send the content as if it were that computer. In other words, the Linux box forwards all traffic out of the network, but to the outside world it all appears to come from the firewall itself.
It works in both directions: when the external host responds, the Linux firewall forwards the reply to the corresponding local computer. Computers on the local network are thus completely invisible to the outside, even though they can reach the outside and receive responses. In this way a computer on the local network can access the Internet even without a valid IP address of its own.
The IP masquerading code only works if IP forwarding is enabled. After the system has started and mounted the /proc file system, IP forwarding can be turned on with the following line:
echo "1" > /proc/sys/net/ipv4/ip_forward
  
You can add this line to the /etc/rc.d/rc.local file so that IP forwarding is enabled automatically the next time the computer restarts.
Edit the rc.local file (vi /etc/rc.d/rc.local) and add the following line:
echo "1" > /proc/sys/net/ipv4/ip_forward
  
Note: The preceding command line for IP forwarding is only needed if you answered "Y" to the kernel option "IP: Masquerading (CONFIG_IP_MASQUERADE)", that is, if you need to configure a gateway server that masquerades the internal network.
  
If IP Masquerading is enabled, the modules ip_masq_ftp.o (for FTP file transfers), ip_masq_irc.o (for IRC chats), ip_masq_quake.o (for a use you can guess), ip_masq_vdolive.o (for VDOLive video connections), ip_masq_cuseeme.o (for CU-SeeMe broadcasts) and ip_masq_raudio.o (for RealAudio downloads) are compiled automatically; they are required for those protocols to work through the masquerading gateway.
At the same time, you must answer "Y" to "Enable loadable module support (CONFIG_MODULES)" to build a modular kernel rather than a monolithic one, so that masquerading modules such as ip_masq_ftp.o can be used on the gateway server.
As mentioned above, the basic masquerading code selected by "IP: Masquerading" handles only TCP and UDP packets (and ICMP errors belonging to existing connections). "IP: ICMP Masquerading" adds support for masquerading ICMP packets, such as those used by ping or by the Windows 95 traceroute program.
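The masquerading setup described above, as an added example that is not part of the original text: the gateway deep.openarch.com enables forwarding, loads the protocol helper modules, and masquerades only traffic that really originates on the internal network. The internal network 192.168.1.0/24 and the external interface name eth0 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: masquerading rules for the gateway
# deep.openarch.com. The internal network 192.168.1.0/24 and the external
# interface eth0 are assumptions; the kernel is assumed to be built with
# CONFIG_IP_MASQUERADE and loadable module support as described above.
INTNET="192.168.1.0/24"; EXTIF="eth0"

# DRY_RUN=1 (default) prints each command for review; DRY_RUN=0 executes it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi; }

enable_forwarding() {   # the article's one-line prerequisite for masquerading
    if [ "${DRY_RUN:-1}" = "1" ]; then echo 'echo "1" > /proc/sys/net/ipv4/ip_forward'
    else echo "1" > /proc/sys/net/ipv4/ip_forward; fi
}

masquerade_rules() {
    enable_forwarding
    # protocol helpers built when IP Masquerading is enabled in a modular kernel
    for m in ip_masq_ftp ip_masq_irc ip_masq_raudio; do run modprobe "$m"; done
    run ipchains -P forward DENY                 # nothing crosses the gateway unless permitted
    # Masquerade only packets that come from the internal network and leave through
    # the external interface; the outside world then sees only the gateway's address.
    run ipchains -A forward -i "$EXTIF" -s "$INTNET" -d 0/0 -j MASQ
    run ipchains -A forward -j DENY -l           # log anything else that tried to cross
}

masquerade_rules
```

The input and output chains of the gateway still need their own rules (see the deep.openarch.com table); this block covers only the forwarding path.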
  
Note: Remember that other types of servers, such as Web servers and e-mail servers, do not need these options, because they have real IP addresses of their own and do not have to act as a gateway for the internal network.
Notes
If your system is connected to the Internet, you must assume that you are at risk. Because your gateway is exposed to the Internet, we recommend the following:
* Do not add any applications to the gateway server unless necessary.
* The type and number of protocols allowed through the gateway server should be strictly limited (many protocols are potential security vulnerabilities, for example FTP and telnet).
* No system containing confidential or sensitive information should be accessible from the Internet.
  
  
Explain some of the firewall script files
