Linux networking: how to build a firewall with old-fashioned Pentium and Linux

Author: Rawn Shah
  
I'm talking about your old Pentium computer! Don't discard that old Pentium machine just because it is not as powerful as today's fancy new hardware: it is fully capable of serving as the network firewall for a small business or home office. ipchains is firewall software for Linux whose source code is freely available, and it works well on an old Pentium in a T-1 network environment. Instead of spending thousands of dollars on a customized firewall product from a software vendor, try this most affordable solution. Below, I walk through installing and configuring ipchains step by step.
Old Pentium machines are not junk; they can still do useful computing. In fact, a small machine with 32 MB of memory and a 200-400 MB hard drive is quite adequate as a small office network firewall. A minimal Linux installation contains only the essential system components, with no graphical user interface and no end-user applications. Once such a minimal Linux is installed, you can easily turn the old machine into a firewall.
  
To do this, you only need the ipchains package, whose source code is public and which was written by Paul "Rusty" Russell. It offers features found in many commercial firewall products: fine-grained control over which network traffic may flow and which outside visitors may gain access.
  
The earlier ipfwadm (IP Firewall Administration) tool ran on Linux 2.0.x and earlier kernels. ipchains then replaced ipfwadm and works with all 2.1.x and 2.2.x kernels. As the kernel evolves, ipchains is in turn being superseded by netfilter, or a later successor, under 2.3.x. The reason for these frequent replacements is that the firewall's packet filtering lives in the kernel itself, so the firewall software must follow kernel changes. This article discusses what ipchains is, what it can do, and how it can be used in different scenarios.
  
ipchains and firewalls
ipchains is essentially a packet filter. It inspects the IP packets that arrive at a network interface, processes (and where the rules say so, modifies) them according to predefined rules, and forwards them to other interfaces.
  
Each IP packet consists of a header, which carries the packet's destination and the control information that says how it should be handled (see the accompanying figure), and a payload (or packet body) that carries the data being transferred. A payload often contains a higher-layer packet in turn: a TCP packet, for example, is always carried in the payload of an IP packet, and the TCP packet has its own header and payload. As we will see, ipchains can change certain field values in the IP header, TCP header, UDP header (not shown), and ICMP header.
  
   
The name ipchains comes from how it works. It lets you create discrete filtering steps that process packets according to user-defined rules, and these steps are linked together into a complete rule system for packet handling. Such a processing "chain" can be tied to a specific IP address or network address. As the following figure shows, a system holds several such chains for processing each incoming IP packet:
  
   
A machine running ipchains can have several network interfaces, each connected to a different network. Any useful firewall should have at least two independent interfaces, one connected to the internal network and the other to the external network. Packets enter on one interface and travel through the filter chains to the other.
  
In the simplest case, ipchains applies just three policies: accept, deny, and reject. Accept passes all packets from a specified IP address or network; deny silently discards all packets from a specified source; reject discards the packet from the specified source and also notifies the source that the requested connection has been refused.
  
There are three built-in chains: the input chain, the forward chain, and the output chain. The input and output chains apply their policies to packets on the inbound and outbound interfaces respectively. The forward chain passes traffic on to another machine (after the input chain has been run). In most cases that "other" machine is a router. ipchains is not intended to be a complete routing engine, so it hands the packet to the real software router on the local machine or to a hardware router on another node. The complete ipchains processing flow is shown in the following chart:
  
   
  
Firewall is the generic name for a device that can manipulate incoming data streams and select which outgoing streams to allow. In doing so it may alter the incoming or outgoing stream to hide details of the machines behind it or to prevent unauthorized intrusion.
  
ipchains can operate in two modes: as a proxy server or as a network address translator. In the former role it receives traffic from machines on the network protected by the firewall, filters it with user-defined rules, and sends it on to the external network. In short, the proxy server controls which internal machines may reach the external network, and vice versa.
  
If you do not have enough network addresses, or do not want to use public IP addresses on your internal network, you can use network address translation (NAT), known in Linux as IP masquerading. It converts internal private addresses into a valid public address, mapping many internal addresses onto a single external one. Since an external machine then cannot directly reach a machine on the internal network, the internal machines are protected.
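The chains, policies and masquerading described above come together in a rule set like the following. This is an added example, not from the original article: it assumes eth0 is the internal interface serving 192.168.1.0/24 and eth1 faces the outside, and it prints the commands instead of executing them when the ipchains binary is not present.

```shell
#!/bin/sh
# Added example, not from the original article: an ipchains rule set for the
# two-interface firewall described above. Assumed layout: eth0 is the internal
# interface serving 192.168.1.0/24, eth1 faces the outside. When the ipchains
# binary is absent the commands are printed instead of executed (dry run).
INT_IF="eth0"
INT_NET="192.168.1.0/24"
EXT_IF="eth1"

if command -v ipchains >/dev/null 2>&1; then
    IPCHAINS="ipchains"
else
    IPCHAINS="echo ipchains"
fi

apply_rules() {
    # Clean slate: flush all rules and delete any user-defined chains.
    $IPCHAINS -F
    $IPCHAINS -X

    # Default policies: DENY silently drops whatever no rule accepts.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT

    # Loopback and the internal network are trusted (ssh to the firewall
    # is therefore only reachable from the inside).
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # Anti-spoofing: an internal source address arriving on the external
    # interface is forged; log it (-l) so the attempt shows up in syslog.
    $IPCHAINS -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY

    # Replies to connections opened from inside. TCP replies never carry a
    # bare SYN (! -y); UDP replies to masqueraded flows arrive on the
    # 2.2 kernel's masquerade port range 61000-65096.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 61000:65096 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Masquerading: on the forward chain -i names the outgoing interface;
    # internal traffic leaving via eth1 gets the firewall's public address.
    $IPCHAINS -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

apply_rules
```

Run as root on a 2.2 kernel with ipchains installed to apply the rules; anywhere else it lists the twelve commands it would issue.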
  
Installing the firewall
Configuring a Linux machine as a firewall is not quite that easy. Rather than converting an existing Linux machine, reinstall a stable Linux version from scratch (you can try 2.2.12, even though it is not the latest and greatest). During installation, install only the most basic system components. In general, do not install network servers, NFS servers, compilers or other such components, and do not even run a Telnet server. If you must log in to the machine over the network, install SSH (Secure Shell) for remote logins. In short, remember that the firewall should never perform any task other than processing packets and enforcing network security.
  
The ipchains software may already be included in your Linux distribution. If you are paranoid, use that version only after confirming that your main Linux provider has certified it.
  
The first thing to do is check whether a firewall is already installed on the machine. Look in the /etc/rc.d/init.d directory for a "start/stop" script named something like packetfilter, ipchains, ipfwadm, firewall, or proxy. If such a file exists and there is a symbolic link to it from /etc/rc.d/rc2.d or /etc/rc.d/rc3.d, the machine probably has a firewall installed, perhaps still running without any specific firewall policy. To verify this, run the following command:
  
# cat /proc/sys/net/ipv4/ip_forward
If the file does not exist, the firewall has not been installed. If the returned value is 0, the firewall is installed but not running; if it is 1, the firewall is running.
  
You can also download the ipchains source code and compile it yourself. In that case, run a checksum program (usually the md5sum command) to confirm that the source is genuine. The valid checksums are listed on the ipchains website, and your result should match them exactly. The current ipchains version is 1.3.9.
  
Next, check whether masquerading was enabled when the kernel was compiled. By default these options are enabled. If, however, you decide to compile the Linux 2.2.x kernel yourself, you must answer YES to the following options:
  
CONFIG_EXPERIMENTAL
CONFIG_MODULES
CONFIG_NET
CONFIG_FIREWALL
CONFIG_INET
CONFIG_IP_FORWARD
CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_IPPORTFW
CONFIG_IP_MASQUERADE_IPAUTOFW
CONFIG_IP_MASQUERADE_ICMP
CONFIG_IP_ALWAYS_DEFRAG
CONFIG_DUMMY
CONFIG_IP_MASQUERADE_MFW
  
After the kernel is compiled, you need to install the firewall as a system service so that the system starts it during initialization. System services are run by the init process during startup, and different services are assigned to different runlevels. Runlevel 0 means the system can be completely shut down and powered off. Runlevel 1 is single-user mode without networking. Runlevels 2 and 3 are generally used for multi-user mode with networking, the mode most machines run in. There are other runlevels, but they are rarely used.
  
To create the firewall service start script and install it under runlevels 2 and 3, you must first create the ipchains "start/stop" script shown below and save it in the /etc/rc.d/init.d or /etc/init.d directory (which one depends on the Linux distribution you use).
  
#!/bin/sh
# Firewalling with ipchains, startup/shutdown script

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Nothing to do if no rule set (in ipchains-save format) has been created
[ -f /etc/packetfilter.rules ] || exit 0

case "$1" in
  start)
    echo -n "Starting ipchains firewall: "
    /sbin/depmod -a
    # Comment the following line if you do not intend to support
    # using FTP through the firewall
    /sbin/modprobe ip_masq_ftp
    # Insert lines to support other application protocols here

    # Load the saved rule set; abort if it cannot be restored
    /sbin/ipchains-restore < /etc/packetfilter.rules || exit 1

    echo "1" > /proc/sys/net/ipv4/ip_forward

    # If you do NOT use PPP, SLIP or DHCP for any of your network
    # interfaces on this machine, comment the following line
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    echo "."
    ;;
  stop)
    echo -n "Shutting down ipchains firewall: "

    echo "0" > /proc/sys/net/ipv4/ip_forward

    # Comment the following line if you do NOT use PPP, SLIP or DHCP
    echo "0" > /proc/sys/net/ipv4/ip_dynaddr

    # Flush all rules first (user-defined chains must be empty before
    # they can be deleted), then reset the built-in chains to ACCEPT
    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains -P input ACCEPT
    /sbin/ipchains -P output ACCEPT
    /sbin/ipchains -P forward ACCEPT
    echo "."
    ;;
  *)
    echo "Usage: /etc/rc.d/init.d/packetfilter {start|stop}"
    exit 1
    ;;
esac

exit 0
