Self-built Linux firewall for small and medium-sized enterprises

Source: Internet
Author: User
A firewall is a software or hardware product that establishes a security barrier between a trusted network and an untrusted network. The Linux kernel has packet-filtering ability: the system administrator uses a management tool to set up a set of rules and so builds a Linux-based firewall, and the kernel uses those rules to filter packets received by the host, sent by the host, or forwarded from one network card to another. No extra funds are needed to purchase a dedicated product, which makes this approach suitable for some small or medium-sized users.

Types of firewall and design strategy

Two approaches are commonly used in building firewalls: packet filtering and application proxy services. Packet filtering establishes a set of packet-filtering rules and, according to these rules and the information in the IP header, decides at the network layer whether to allow or reject each packet. It can allow or disallow FTP as a whole, but it cannot prohibit specific FTP features such as the use of get and put. The application proxy service is provided by a proxy server located between the intranet and the extranet; it works at the application layer and proxies the user's various service requests, such as FTP and Telnet.

At present, firewalls generally use the dual-homed host (dual-homed firewall), screened host (screened host firewall), screened subnet and similar structures. A dual-homed host is a computer with at least 2 network interfaces, placed between the internal and external networks, that takes on the proxy service task. In the screened host structure, the computer that takes on the proxy service task is connected only to the internal network host. The screened subnet structure adds an additional security layer to the screened host structure, that is, it adds a perimeter network, further separating the intranet from the external network.

Firewall rules define which packets or services are allowed or denied passage, and there are 2 main policies. One is to allow all access first and then list the items to reject; the other is to reject all access first and then list the items to allow. In general, we adopt the 2nd strategy. From a logical point of view, specifying the smaller list of what is allowed through the firewall is easier to implement correctly than specifying the larger list of what is not allowed. From the point of view of the Internet's development, new protocols and services continue to appear, and the second policy leaves time to review their security vulnerabilities before allowing them to pass through the firewall.

Implementation of firewall based on Linux operating system

The firewall based on the Linux operating system is a composite firewall combining packet filtering and proxy service, built on the packet-filtering ability of the kernel. Next, let's look at how to configure a dual-homed Linux-based firewall.

Because Linux kernels differ, the packet-filtering tool supplied with the installation is not the same. Ipfwadm is based on the IPFW of Unix and applies only to kernels up to Linux 2.0.36; for later versions such as Linux 2.2, ipchains is used. Ipfwadm and ipchains work in very similar ways. Of the 4 chains they configure, 3 are defined when the Linux kernel starts: the input chain, the output chain and the forward chain; the 4th is a user-defined chain. The input chain defines the filtering rules for incoming packets, the output chain the rules for outgoing packets, and the forward chain the rules for forwarded packets. These chains determine how incoming and outgoing IP packets are handled: when a packet arrives from the NIC, the kernel uses the rules of the input chain to decide what happens to it; if it is allowed, the kernel determines where the packet goes next, and if it is destined for another machine, the kernel uses the forward chain rules to decide; when a packet is sent out, the kernel uses the rules of the output chain. The rules in a chain are checked against the IP packet in order. If the packet does not match the first rule, the next rule is checked; when a matching rule is found, that rule specifies the target for the packet, which may be a user-defined chain or ACCEPT, DENY, REJECT, RETURN, MASQ, REDIRECT and so on.
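The chain traversal just described (first matching rule decides; a user-defined chain can RETURN to its caller or simply run out of rules; a built-in chain that reaches its end falls back to its policy) and the two policies from the previous section can be modelled in a few lines. The following is an added example, not code from the original page and not the ipchains tool itself: a small Python simulator of ipchains-style input-chain filtering, with the ipchains command each rule corresponds to noted in a comment. The rule set, the chain name "web", and the addresses (192.168.1.0/24 as the trusted LAN, 203.0.113.5 as a public client, 10.0.0.0/8 as a range the web chain hands back to its caller) are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TERMINAL = {"ACCEPT", "DENY", "REJECT"}      # targets that end the lookup
BUILTIN = ("input", "output", "forward")     # chains the kernel creates at start


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    syn: bool = False           # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DENY, REJECT, RETURN or a user-defined chain
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn_only: bool = False      # like ipchains -y: match only connection-opening packets

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn_only and not pkt.syn:
            return False
        return True


class PacketFilter:
    """Chains of rules with first-match semantics and a per-built-in-chain policy."""

    def __init__(self, policy: str = "DENY") -> None:
        if policy not in TERMINAL:
            raise ValueError("policy must be a terminal target")
        self.chains: Dict[str, List[Rule]] = {c: [] for c in BUILTIN}
        self.policy: Dict[str, str] = {c: policy for c in BUILTIN}  # ipchains -P <chain> <policy>

    def new_chain(self, name: str) -> None:                          # ipchains -N <name>
        if name in self.chains:
            raise ValueError("chain already exists: " + name)
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:                # ipchains -A <chain> ... -j <target>
        if rule.target not in TERMINAL | {"RETURN"} and rule.target not in self.chains:
            raise ValueError("unknown target: " + rule.target)
        self.chains[chain].append(rule)

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Walk a built-in chain; if no rule decides, the chain's policy does."""
        if chain not in BUILTIN:
            raise ValueError("verdict is only defined for built-in chains")
        result = self._walk(chain, pkt, depth=0)
        return result if result is not None else self.policy[chain]

    def _walk(self, chain: str, pkt: Packet, depth: int) -> Optional[str]:
        if depth > 8:
            raise RuntimeError("chain nesting too deep (loop?)")
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue                      # no match: try the next rule
            if rule.target in TERMINAL:
                return rule.target            # first match decides
            if rule.target == "RETURN":
                return None                   # hand the packet back to the caller
            result = self._walk(rule.target, pkt, depth + 1)
            if result is not None:
                return result                 # the user chain decided
        return None                           # fell off the end: caller continues / policy applies


def build_example_filter(policy: str = "DENY") -> PacketFilter:
    """Constructed rule set; the same rules under either of the two policies."""
    fw = PacketFilter(policy)
    fw.new_chain("web")                                                   # ipchains -N web
    fw.append("web", Rule(target="RETURN", src="10.0.0.0/8"))              # ipchains -A web -s 10.0.0.0/8 -j RETURN
    fw.append("web", Rule(target="ACCEPT"))                                # ipchains -A web -j ACCEPT
    fw.append("input", Rule(target="ACCEPT", src="192.168.1.0/24"))        # ipchains -A input -s 192.168.1.0/24 -j ACCEPT
    fw.append("input", Rule(target="web", proto="tcp", dport=80))          # ipchains -A input -p tcp -d 0/0 80 -j web
    fw.append("input", Rule(target="DENY", proto="tcp", syn_only=True))    # ipchains -A input -p tcp -y -j DENY
    return fw


# Constructed sample traffic arriving on the firewall's input chain.
SAMPLE_PACKETS = {
    "lan_ssh":      Packet("192.168.1.10", "192.168.1.1", "tcp", 22, syn=True),
    "public_http":  Packet("203.0.113.5", "192.168.1.1", "tcp", 80, syn=True),
    "blocked_http": Packet("10.1.2.3", "192.168.1.1", "tcp", 80, syn=True),
    "public_dns":   Packet("203.0.113.5", "192.168.1.1", "udp", 53),
    "public_ssh":   Packet("203.0.113.5", "192.168.1.1", "tcp", 22, syn=True),
}


def classify(fw: PacketFilter, packets: Dict[str, Packet]) -> Dict[str, str]:
    return {name: fw.verdict("input", pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for policy in ("DENY", "ACCEPT"):
        print(policy, classify(build_example_filter(policy), SAMPLE_PACKETS))
```

Running it shows the difference between the two strategies on one packet: "public_dns" matches no rule, so under the deny-by-default policy it is dropped, while under allow-by-default it passes; "blocked_http" shows a user chain returning to its caller, after which the next input rule (deny new TCP connections) decides.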
