Chapter 2 Router-based packet filtering firewalls
1.1 General concept of packet filtering firewalls
1.1.1 What is a packet filtering firewall?
A packet filtering firewall uses software to inspect the header of each packet that flows through it, and that inspection decides the fate of the whole packet: the firewall may discard the packet (DROP), accept it (ACCEPT, which lets the packet pass), or perform other, more complex actions.
In Linux, packet filtering is built into the kernel (either as a loadable kernel module or compiled in directly). Several techniques can be applied to packets, but the most common practice is to inspect the packet header to decide the packet's fate.
1.1.2 Layer at which a packet filtering firewall works
Packet filtering is a type of firewall built on the routing function of the Linux kernel. This firewall works at the network layer.
1.1.3 How a packet filtering firewall works
1) Using a filter. Packet filtering is applied between an internal host and an external host. The filtering system is a router or a host, and it decides whether a packet may pass according to its filtering rules. A router used to filter packets is called a filtering router.
Packet filtering works by inspecting the IP header and the TCP or UDP header of each packet. The main information examined is:
* IP Source Address
* IP Destination Address
* Protocol (TCP, UDP, or ICMP)
* Source Port of a TCP or UDP Packet
* Destination port of the TCP or UDP Packet
* ICMP Message Type
* ACK bit in the TCP packet header
* Interface (port) on which the packet arrives
* Interface (port) from which the packet leaves
Some standard service port numbers exist in TCP/IP; for example, HTTP uses port 80. Specific services can be disabled by blocking their ports. A packet filtering system can block connections between internal hosts and external hosts or networks; for example, it can block hosts or networks considered hostile or untrusted from connecting to the internal network.
2) Implementing the filter. Packet filtering is generally implemented by a filtering router, which differs from an ordinary router.
An ordinary router checks only the destination address of a packet and selects the best path to that address. It processes packets purely by destination, with two possible outcomes: if the router finds a path to the destination, the packet is forwarded; if the router does not know how to deliver the packet, the sender is notified that the destination is unreachable.
A filtering router examines packets more carefully. Besides determining whether a path to the destination exists, it also decides whether the packet should be sent at all. That decision is made and enforced by the router's filtering policy.
Router filtering policies mainly include:
* Deny all connections from a host or network segment.
* Allow all connections from a host or network segment.
* Reject a connection from a host or a specified port of a network segment.
* Allow connections from a host or a specified port of a network segment.
* Deny all connections between the local host or local network and other hosts or networks.
* Allow all connections between the local host or local network and other hosts or networks.
* Deny the connection between the local host or local network and the specified port of other hosts or other networks.
* Allow connections between the local host or local network and the specified port of other hosts or networks.
1.1.4 Basic process of packet filter operation
In brief:
1) Packet filtering rules must be stored per port of the packet filtering device.
2) When a packet arrives at the port, its header is parsed. Most packet filtering devices check only fields in the IP, TCP, or UDP headers.
3) Packet filtering rules are stored in a specific order, and they must be applied to the packet in the same order in which they are stored.
4) If a rule prohibits the packet from being transmitted or received, the packet is not allowed through.
5) If a rule allows the packet to be transmitted or received, the packet is processed.
6) If the packet matches no rule, the packet is blocked.
1.1.5 Advantages and disadvantages of packet filtering technology
1) Advantages:
→ Packet filtering is easy to implement for a small, uncomplicated site.
→ Because the filtering router works at the IP and TCP layers, it processes packets faster than a proxy server.
→ A filtering router provides users with a transparent service: users need not change any client application or learn anything new. Because the filtering router works at the IP and TCP layers, which are independent of the application layer, a filtering router is also called a "packet filtering gateway" or a "transparent gateway". It is called a gateway because, unlike a traditional router, a packet filtering router also involves the transport layer.
→ Filtering routers are generally cheaper than proxy servers.
2) Disadvantages:
→ Some packet filtering gateways do not support effective user authentication.
→ The rule table soon becomes very large and complex, making the rules difficult to test. As the table grows and its complexity increases, the likelihood of a hole in the rule structure also increases.
→ The biggest drawback of this kind of firewall is that it relies on a single component to protect the system. If that component fails, the door to the network is open, and the user may not even know it.
→ In general, once an external user is allowed to access an internal host, it can access any host on the intranet.
→ A packet filtering firewall can prevent only one type of IP spoofing, namely an external host masquerading as an internal host; it cannot block an external host masquerading as another external host, nor can it prevent DNS spoofing.
Despite the disadvantages described above, a packet filtering firewall can do its job well in a well-managed small network. Generally, packet filtering is used together with other devices, such as bastion hosts, rather than relying on the packet filtering gateway alone.
1.2 Netfilter/iptables architecture
1.2.1 Packet filtering firewall management tools in Linux
Linux has had packet filtering since the 1.1 kernel. As kernel versions have advanced, the Linux packet filtering system has gone through three phases:
→ In the 2.0 kernel, ipfwadm was used to operate on kernel packet filtering rules.
→ In the 2.2 kernel, ipchains was used to control kernel packet filtering rules.
→ In the 2.4 kernel, a brand-new kernel packet filtering management tool appeared: iptables.
Linux has become very popular in the IT field for its robustness, reliability, flexibility, and almost unlimited customizability. Linux has many built-in capabilities that let developers customize its tools, behavior, and appearance to their own needs without expensive third-party tools. For a Linux system connected to the Internet or a LAN, or a server or proxy server connecting a LAN to the Internet, one such built-in capability is configuring a firewall on that system. This capability is provided by the Netfilter/iptables IP packet filtering system integrated in the latest Linux kernel, 2.4.x.
Compared with earlier Linux packet filtering solutions such as ipfwadm and ipchains, the Netfilter/iptables packet filtering system is the latest solution; it is easier for users to understand how it works, and it is also more powerful. For Linux system administrators, network administrators, and home users who want to configure a firewall for their specific needs, save on the cost of a firewall solution, and have full control over IP packet filtering, the Netfilter/iptables system is ideal and easy to use.
1.2.2 Netfilter, the next-generation underlying network architecture
Netfilter is a structured underlying framework used in the kernel to extend various network services. Netfilter is designed as a modular structure that can be extended easily: adding a new feature to the kernel does not require restarting the kernel, so a new network feature can be added simply by writing a kernel module. This greatly eases the extension of underlying network features and lets people working on low-level networking R&D concentrate on the new features themselves.
In fact, Netfilter can be regarded as a series of "hooks" in the network protocol stack that allow other modules to operate on network packets. At specific points in the protocol stack, the Netfilter framework allows a module to forward or discard a packet, modify it in some way, or queue it to user space (non-kernel mode). Of course, it may also leave the packet untouched.
1) Description of the Netfilter/iptables system. In the Linux 2.4 kernel, Netfilter is a new filtering framework used to implement firewalls, and iptables is the user-space tool used to specify Netfilter rules.
iptables is just a tool for managing kernel packet filtering; it gives users a convenient way to configure firewall rules.
iptables can add, insert, or delete rules in the chains of the kernel's packet filtering tables. It is actually Netfilter and its related modules (such as the iptables module and the nat module) that execute these rules.
Therefore, to use the Netfilter/iptables system, you must first have 2.4 kernel support and install the iptables package. In the Red Hat 9.0 release, this is the default configuration.
2) Improvements of Netfilter/iptables over ipchains:
→ Connection tracking
→ Automatic fragment reassembly
→ Improved matching rules
→ Enhanced logging
→ Arbitrary packet mangling (any information in the packet may be modified)
→ A user queue that lets user-space programs process packets
→ Built-in packet forwarding (masquerading) support without the ipmasqadm tool
3) Main functions of the Netfilter/iptables system
→ Stateful packet filtering (connection tracking)
→ Various kinds of network address translation
→ A flexible, extensible, and fast mechanism
→ A large number of enhancement patches
4) Uses of Netfilter/iptables
→ Build an Internet firewall with stateful packet filtering
→ Use NAT and masquerading to share an Internet connection
→ Implement a transparent proxy using NAT
→ Use the ToS field of the IP header to implement more complex functions
→ Combine with tc and iproute2 to implement QoS routing
5) Advantages of the Netfilter/iptables system. The biggest advantage of Netfilter/iptables is that it can be configured as a stateful firewall, an important feature that earlier tools such as ipfwadm and ipchains could not provide. A stateful firewall can specify and remember the state of the connection established for sending or receiving packets. The firewall obtains this information from the packet's connection tracking state, and using that state information when deciding how to filter a new packet increases efficiency and speed. There are four valid states: ESTABLISHED, INVALID, NEW, and RELATED, where:
→ State ESTABLISHED indicates that the packet belongs to an already established connection, one that is used to send and receive packets and is fully valid.
→ State INVALID indicates that the packet is not associated with any known stream or connection; it may contain incorrect data or headers.
→ State NEW indicates that the packet has started or will start a new connection, or that it is associated with a connection that has not yet been used to send and receive packets.
→ State RELATED indicates that the packet is starting a new connection that is associated with an existing established connection.
Another important advantage of Netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can write your own rules to meet your specific needs, so that only the network traffic you want can enter the system.
In addition, Netfilter/iptables is free, which is ideal for those who want to save money; it can replace expensive firewall solutions.
In short, the latest Linux kernel, 2.4.x, has a built-in IP packet filtering tool, Netfilter/iptables, which makes configuring a firewall and filtering packets cheap and convenient. The Netfilter/iptables system gives users full control over firewall configuration and packet filtering, lets them create custom rules that control which packets are filtered, and allows them to configure a stateful firewall.
1.2.3 Kernel space and user space in Netfilter/iptables
Although the Netfilter/iptables IP packet filtering system is referred to as a single entity, it actually consists of two components: Netfilter and iptables.
1) Kernel space. The Netfilter component, also called the kernel space, is part of the kernel and consists of several "tables". Each table consists of several "chains", and each chain can contain one or more rules.
2) User space. The iptables component, also called the user space, is a tool that makes it easy to insert, modify, and remove rules in the packet filtering tables.
1.2.4 How the Netfilter/iptables filtering system works
The Netfilter/iptables IP packet filtering system is a powerful tool that can be used to add, edit, and remove rules. These rules are the basis for deciding how packets are filtered. They are stored in a dedicated packet filtering table integrated into the Linux kernel, and within that table the rules are grouped into chains.
1) Filtering rules are set in user space with the iptables command. From user space you create custom filtering rules, which are stored in the packet filtering table in kernel space. Each rule has a target that tells the kernel what to do with packets from certain sources, to certain destinations, or of certain protocol types. If a packet matches a rule, the target ACCEPT lets the packet pass, while the targets DROP and REJECT block and discard it. There are many other targets for other operations that can be performed on a packet.
Rules are grouped into chains according to the type of packet they handle:
→ Rules that handle inbound packets are added to the INPUT chain.
→ Rules that handle outbound packets are added to the OUTPUT chain.
→ Rules that handle packets being forwarded are added to the FORWARD chain.
These three chains are the defaults of the system's filter table. Each chain has a policy that defines its default target, that is, the default action taken when a packet matches no rule in the chain.
2) Kernel space takes over the filtering. Once the rules are created and placed in the chains of the filter table, real packet filtering can begin. At this point the kernel space takes over the work from the user space.
Packet filtering proceeds in the following steps:
1) Routing. When a packet arrives at the firewall, the kernel first inspects the packet's header, especially its destination. This process is called routing.
2) Depending on the situation, the packet is sent to one of the chains of the filter table:
→ If the packet comes from the outside world, its destination address is the local machine, and the firewall is enabled, the kernel passes it to the INPUT chain of the kernel-space packet filtering table.
→ If the packet originates on the local machine and is going to another system, it is passed to the OUTPUT chain.
→ A packet traveling from the WAN to the LAN, or in the opposite direction, is passed to the FORWARD chain.
3) Rule checking. The packet header is compared with each rule in the chain the packet was passed to, to see whether it completely matches a rule.
→ If the packet matches a rule, the kernel performs on the packet the operation specified by the rule's target.
  → If the target is ACCEPT, the packet is allowed through and is sent to the appropriate local process for handling.
  → If the target is DROP or REJECT, the packet is not allowed through; it is blocked and discarded.
→ If the packet does not match the rule, it is compared with the next rule in the chain.
→ Finally, if the packet matches no rule in the chain, the kernel consults the chain policy to decide how to handle the packet. The ideal policy tells the kernel to DROP the packet.
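The rule walk of 1.1.4 and the chain dispatch of 1.2.4, written out as a small model (added example, not code from the page or from the iptables project): a routing decision picks INPUT, OUTPUT or FORWARD, the chain's rules are tried in stored order with the header fields of 1.1.3 plus the connection-tracking state of 1.2.2, the first full match decides, and the chain policy applies when nothing matches. The addresses, interfaces and rules are constructed for illustration; the default-DROP policies on INPUT and FORWARD are the "ideal policy" the text recommends.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
LOCAL_ADDRS = {"192.0.2.10"}   # constructed: the firewall's own address

@dataclass
class Packet:            # the header fields the filter inspects (1.1.3)
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    state: str = "NEW"   # connection-tracking state (1.2.2)

@dataclass
class Rule:              # every field that is set must match the packet
    target: str          # ACCEPT, DROP or REJECT
    proto: Optional[str] = None
    src: Optional[str] = None      # source network in CIDR form
    dport: Optional[int] = None
    state: Optional[set] = None
    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return not self.state or p.state in self.state

# Constructed filter table: an ordered rule list per chain plus a policy.
FILTER = {
    "INPUT": [
        Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
        Rule("DROP", src="198.51.100.0/24"),                # hostile network
        Rule("ACCEPT", proto="tcp", dport=22, src="192.0.2.0/24"),  # LAN admin
        Rule("ACCEPT", proto="tcp", dport=80),              # public web server
    ],
    "FORWARD": [
        Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", src="192.0.2.0/24", state={"NEW"}),  # LAN may open to WAN
    ],
    "OUTPUT": [],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def route(p: Packet) -> str:
    # Routing decision: which chain of the filter table sees this packet.
    if p.src in LOCAL_ADDRS:
        return "OUTPUT"
    return "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"

def filter_packet(p: Packet):
    # Walk the chain in stored order; first match decides, else the policy.
    chain = route(p)
    for i, rule in enumerate(FILTER[chain]):
        if rule.matches(p):
            return chain, rule.target, i
    return chain, POLICY[chain], None
```

Note that a packet from the hostile network hits the DROP rule before the web-server ACCEPT rule: rule order in the chain, not rule specificity, decides the outcome.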
1.2.5 Netfilter/iptables in Red Hat Linux 9
Red Hat Linux 9 uses the 2.4 kernel, and its kernel build options include Netfilter support. The iptables package is also installed by default, so it can be used directly.
In addition, to perform forwarding you must enable IP forwarding in the system kernel, which turns the Linux system into a router.
There are two ways to do this in Red Hat:
1) Modify the kernel variable ip_forward:
# echo "1" > /proc/sys/net/ipv4/ip_forward
2) Modify the script /etc/sysconfig/network:
change FORWARD_IPV4=false
to FORWARD_IPV4=true.