Simple Firewall construction and traffic statistics


Author: Nealy

1. Preface

A firewall exists to keep outsiders out of your network and to control the information flowing in and out of it. One side of the firewall connects to the external network (using a real, publicly routable IP address), the other to the internal network (using private, or "virtual", IP addresses), so that the internal network is isolated from the outside. The firewall becomes the only path into the internal network: every packet entering or leaving must pass through it, and the firewall decides whether each one is allowed through. This is how it adds to your security.

This article also introduces two substantial tools for monitoring network traffic and recording the packets that have passed through, which is another job a firewall should do.

2. Types of firewalls

2.1 Packet Filter

A packet filter checks every packet against a set of rules and decides whether it may pass or must be rejected. It works at the network layer, looking at packet headers (addresses, protocol, ports) without touching the data carried inside the packet. Red Hat Linux ships the ipchains suite (from version 6.0 onward), which can be used as a packet filter.

2.2 Proxy firewall

A proxy server, also called an application gateway, lets internal hosts reach the Internet indirectly through the firewall: the client talks to the proxy, and the proxy makes the outside connection on its behalf.

3. Start building a firewall

Network Address Translation (NAT)

As Internet connectivity has boomed, the number of computers has grown so fast that IP addresses have become scarce. Private ("virtual") IP addresses are used to solve this problem, and we believe their use will only increase. Three address blocks are reserved (in RFC 1918) for private networks; they are never routed on the public Internet, so they cannot be found on the real network. The private address ranges are:

Class A 10.0.0.0 ~ 10.255.255.255 (10.0.0.0/8)

Class B 172.16.0.0 ~ 172.31.255.255 (172.16.0.0/12)

Class C 192.168.0.0 ~ 192.168.255.255 (192.168.0.0/16)

3.1 view the network card status

First, you must have two network interfaces: one external (using the real IP address), eth1, and one internal (using a virtual IP address), eth0. Run

ifconfig -a

The interface settings are printed; check that both network cards have been detected.

Note that the two cards may come up the other way round, that is, with eth0 on the real IP address and eth1 on the virtual one. If so, you must adjust the configuration accordingly (see below), or the network will not connect.

The system may also hang during boot after the second card is installed. If that happens, we recommend removing one card and rebooting.

ifconfig -a | more

lists every interface the kernel knows about, whether or not it has been brought up, one screen at a time.

3.2 Configuration file /etc/sysconfig/network

If only one network card is detected, the second one has to be configured by hand. First change to the /etc/sysconfig directory, which contains a file named network. The FORWARD_IPV4 parameter in that file must be set to yes:

FORWARD_IPV4=yes

This turns on IP forwarding, which IP masquerading needs in order to pass packets between the two interfaces.

3.3 /etc/sysconfig/network-scripts/ifcfg-eth1

The per-interface configuration files live in the /etc/sysconfig/network-scripts directory. The two we care about are ifcfg-eth0 and ifcfg-eth1. After installation only ifcfg-eth0 exists; there is no ifcfg-eth1. So first copy ifcfg-eth0 to ifcfg-eth1:

cp ifcfg-eth0 ifcfg-eth1

ifcfg-eth1 holds the settings of the external network card. Edit it to match your own equipment; its contents are as follows:

Line 1 specifies the interface: DEVICE=eth1

Line 3 specifies the broadcast address: BROADCAST=192.192.73.255

Line 4 specifies the IP address: IPADDR=192.192.73.35

Line 5 specifies the network mask: NETMASK=255.255.255.0

Line 6 specifies the network number: NETWORK=192.192.73.0

Line 7 specifies whether the interface is brought up at boot: ONBOOT (set it to yes)

3.4 Configuration file /etc/sysconfig/network-scripts/ifcfg-eth0

Here we edit ifcfg-eth0 directly to make eth0 the internal, virtual-IP interface. Its contents are:

Line 1 specifies the interface: DEVICE=eth0

Line 3 specifies the broadcast address: BROADCAST=192.168.1.255

Line 4 specifies the IP address: IPADDR=192.168.1.1

Line 5 specifies the network mask: NETMASK=255.255.255.0

Line 6 specifies the network number: NETWORK=192.168.1.0

Line 7 specifies whether the interface is brought up at boot: ONBOOT (set it to yes)

In the internal network we have defined here, the network number is 192.168.1.0 and the broadcast address is 192.168.1.255, so the virtual addresses actually available for hosts are 192.168.1.1 ~ 192.168.1.254 (254 addresses, of which 192.168.1.1 is taken by the firewall itself).
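As an added example (not part of the original article), the following Python script reads the two ifcfg files described in 3.3 and 3.4 and checks them the way you would before bringing the interfaces up: that NETWORK and BROADCAST agree with IPADDR and NETMASK, that the card meant to be internal carries a private (RFC 1918) address while the external one does not (this catches the swapped eth0/eth1 situation mentioned in 3.1), and that the two cards sit on different networks. It also computes the usable host range quoted above. The file contents are embedded as constructed samples; the field names DEVICE, BROADCAST, IPADDR, NETMASK, NETWORK and ONBOOT are Red Hat's, and the second line of each file, which the text does not describe, is left out.

```python
import ipaddress

# Constructed samples: the ifcfg-eth1 (external) and ifcfg-eth0 (internal)
# files as described in sections 3.3 and 3.4, in Red Hat KEY=VALUE form.
IFCFG_ETH1 = """\
DEVICE=eth1
BROADCAST=192.192.73.255
IPADDR=192.192.73.35
NETMASK=255.255.255.0
NETWORK=192.192.73.0
ONBOOT=yes
"""

IFCFG_ETH0 = """\
DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
"""


def parse_ifcfg(text):
    """Parse KEY=VALUE lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def interface(cfg):
    # ipaddress accepts the dotted netmask form directly.
    return ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")


def check_ifcfg(cfg):
    """Return the problems found in one file (an empty list means it is consistent)."""
    problems = []
    iface = interface(cfg)
    net = iface.network
    if cfg.get("NETWORK") != str(net.network_address):
        problems.append(f"{cfg['DEVICE']}: NETWORK should be {net.network_address}")
    if cfg.get("BROADCAST") != str(net.broadcast_address):
        problems.append(f"{cfg['DEVICE']}: BROADCAST should be {net.broadcast_address}")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{cfg['DEVICE']}: IPADDR is the network or broadcast address")
    if cfg.get("ONBOOT", "no").lower() != "yes":
        problems.append(f"{cfg['DEVICE']}: ONBOOT is not yes, interface will not come up at boot")
    return problems


def check_firewall_pair(internal, external):
    """Check the roles from section 3: the inside card must carry a private
    (RFC 1918) address, the outside card must not, and they must be on
    different networks. A swapped pair produces two complaints."""
    problems = check_ifcfg(internal) + check_ifcfg(external)
    in_if, ex_if = interface(internal), interface(external)
    if not in_if.ip.is_private:
        problems.append(f"{internal['DEVICE']}: internal address {in_if.ip} is not private")
    if ex_if.ip.is_private:
        problems.append(f"{external['DEVICE']}: external address {ex_if.ip} is private; are the cards swapped?")
    if in_if.network == ex_if.network:
        problems.append("both interfaces are on the same network")
    return problems


def usable_hosts(cfg):
    """First and last assignable address on the card's network, and how many there are."""
    hosts = list(interface(cfg).network.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    eth0 = parse_ifcfg(IFCFG_ETH0)
    eth1 = parse_ifcfg(IFCFG_ETH1)
    print("internal=eth0, external=eth1:", check_firewall_pair(eth0, eth1) or "OK")
    print("usable hosts on eth0:", usable_hosts(eth0))
    # The situation warned about in 3.1: the cards detected the other way round.
    print("internal=eth1, external=eth0:", check_firewall_pair(eth1, eth0))
```

Run it as is to see the article's configuration pass and the swapped configuration fail; point parse_ifcfg at the real files under /etc/sysconfig/network-scripts to check your own.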

3.5 Starting the interfaces

To bring an interface up or take it down by hand:

Start: ifconfig eth0 up    Stop: ifconfig eth0 down

Start: ifconfig eth1 up    Stop: ifconfig eth1 down

3.6 Setting the routing table

Once the configuration files are in place and the interfaces are up, we must make sure there is a route for each of the two networks, plus a default route to the outside world.

The route commands have the form:

route add -net <network address> netmask <netmask> dev <device>

route add default gw <gateway>

The two segments are:

Real segment: network 192.192.73.0, netmask 255.255.255.0, gateway (the upstream router) 192.192.73.1

Virtual segment: network 192.168.1.0, netmask 255.255.255.0, gateway (the firewall's own eth0 address, used by the internal machines) 192.168.1.1

Route for the real network segment, which is directly connected on eth1:

route add -net 192.192.73.0 netmask 255.255.255.0 dev eth1

Route for the virtual network segment, directly connected on eth0:

route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0

(2.2 kernels add these two connected-network routes by themselves when an interface is configured, in which case the commands report that the route already exists; that is harmless.) Everything else has to be sent to the upstream router, which needs a default route; without it neither the firewall nor the internal machines behind it can reach the Internet:

route add default gw 192.192.73.1

Check the resulting routing table with:

route -n

Now both cards are in place: eth1 is the external card (real IP address) and eth0 the internal card (virtual IP address).

3.7 Test

eth0 is the internal interface. Its network is 192.168.1.0 ~ 192.168.1.255; the first address is the network number and the last the broadcast address, so the usable virtual addresses are 192.168.1.1 ~ 192.168.1.254. We use 192.168.1.1 (the firewall's own eth0 address) as the gateway, the subnet mask is 255.255.255.0, and 192.168.1.2 ~ 192.168.1.254 are handed out to the internal machines. The internal machines can now talk to each other (try ping). To get them out to the Internet one more step is needed: IP masquerading, done with the ipchains program. To let the internal machines reach the external network, run:

/sbin/ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

/sbin/ipchains -P forward DENY

The first command masquerades every packet from 192.168.1.0 ~ 192.168.1.255 to any destination: as the packet is forwarded, its source address is rewritten to the firewall's real address, and the reply is translated back on the way in.

The second command sets the default policy of the forward chain to DENY, so any forwarded packet not matched by the masquerade rule is dropped.

Add these two lines to /etc/rc.d/rc.local so they run at every boot. The use of ipchains is described in more detail below.

4. Packet filtering firewall: ipchains

Recent versions of Linux include the ipchains suite, which can be used directly to build a packet filtering firewall.

4.1 ipchains syntax

ipchains <command> <chain> [options] [-s <source IP> [port]] [-d <destination IP> [port]] -j <target>

The chain is input, forward or output. The options, source address, destination address and ports may be left out, in which case they match everything.

Example:

ipchains -A input -p tcp -s 192.168.1.2 -d eef.oit.edu.tw 23 -j DENY

This denies TCP packets from 192.168.1.2 to port 23 (telnet) on eef.oit.edu.tw. A port can only be given together with -p tcp or -p udp, which is why the protocol here is tcp rather than all.

4.2 ipchains commands

Each command has a long and a short form.

--append, -A: append a new rule to the end of a chain.

--delete, -D: delete a rule, either by its number in the chain or by repeating the rule exactly.

--insert, -I: insert a new rule at a given position; the position is a rule number, and 1 means the first rule.

--replace, -R: replace the rule at the given position.

--list, -L: list the rules in the selected chain, or in all chains if none is given.

--flush, -F: remove every rule from a chain (input, output or forward); this is the same as deleting the rules one by one.

--zero, -Z: reset the packet and byte counters in all rules. Combined with -L (--list), the counters are listed first and then reset.

--check, -C: check how a packet described with -s (source), -d (destination), -p (protocol) and -i (interface) would be handled by the chain. This is a very useful test; all four options are required for it.

--new-chain, -N: create a new user-defined chain.

--delete-chain, -X: delete a user-defined chain; with no argument, every user-defined chain is deleted.

--policy, -P: set the default policy of a chain; only the built-in chains input, forward and output can have a policy.

--masquerade, -M: view the current masqueraded connections (with -L) or set the kernel's masquerading parameters (with -S).

--set, -S: set the masquerading timeout values (used with -M).

--help, -h: print the command syntax.

4.3 ipchains parameter options

Again, each option has a long and a short form.

An exclamation mark '!' inverts the sense of a match: it means 'not', and may be placed before the argument of many options.

Example: -s ! localhost

This matches every source address except localhost.

--proto, -p [!] protocol: protocol number or name, such as tcp, icmp, udp or all.

Example:

ipchains -A input -p tcp -s 192.168.1.3 -d eef.oit.edu.tw ftp -j DENY

The host with source address 192.168.1.3 may not make FTP requests to the host eef.oit.edu.tw.

--source, -s [!] address [port]: the source address, optionally followed by a source port.

--source-port [!] port: the source port (or port range) on its own.

--destination, -d [!] address [port]: the destination address, optionally followed by a destination port.

--destination-port [!] port: the destination port (or port range) on its own.

--icmp-type [!] type: the ICMP type, by name or number.

--interface, -i [!] name: the network interface, such as lo, eth0 or eth1.

--jump, -j target: the target of the rule, that is, what to do with a matching packet. A rule without a target only counts the packets that match it.

--numeric, -n: do not resolve addresses through DNS; print IP addresses directly.

--log, -l: log matching packets through the kernel to /var/log/messages.

--verbose, -v: verbose output: interface names, rule options and TOS masks, with packet and byte counters. Used together with -L.

[!] --syn, -y: match only TCP packets with the SYN flag set (connection requests).

--TOS, -t: set the type-of-service bits of matching packets.

--version, -V: print the ipchains version.

--bidirectional, -b: bidirectional mode: the rule is installed in both directions, with source and destination swapped for the second copy.

5. Packet filtering firewall: ipchains operating rules

5.1 ipchains rules

First list the current ipchains rules:

ipchains -L

There are three built-in chains:

Input chain: the filtering rules for packets coming in. For example:

ipchains -A input -p tcp -s 192.168.1.3 -d 192.192.69.36 www -j DENY

stops the source address 192.168.1.3 from reaching the web server (port www, 80) on 192.192.69.36.

Forward chain: the rules for packets passed from one interface to the other; this is where IP masquerading is done. For example:

ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ

masquerades 192.168.1.0 ~ 192.168.1.255 towards any destination.

Output chain: the filtering rules for packets going out (the mirror image of input). For example:

ipchains -A output -p tcp -s 192.192.69.36 www -d 192.168.1.3 -j DENY

does the same job as the input example, with source and destination swapped.

Each rule has two parts: the conditions a packet must meet, and what to do with it (the target).

For example, to reject ICMP packets from 192.168.1.3, the rule must specify the ICMP protocol, the source address 192.168.1.3, the destination 192.192.73.35 (the firewall itself; if no destination is given, any destination matches), and the target REJECT (which, unlike DENY, sends an ICMP error back to the sender instead of silently dropping the packet):

ipchains -A input -p icmp -s 192.168.1.3 -d 192.192.73.35 -j REJECT

5.2 Command usage

Adding a rule, -A:

We append (-A) a rule to the input chain that specifies the packet's source address (-s 192.168.1.3) and protocol (-p icmp), and what should happen to it: denied (-j DENY).

Example:

ipchains -A input -s 192.168.1.3 -p icmp -j DENY

Drop ICMP packets from 192.168.1.3.

Deleting a rule, -D:

There are two ways to delete a rule. The first: we know the input chain holds only one rule (the one added above) and that it is the first, so we can delete it by number.

Example:

ipchains -D input 1

Delete the first rule in the input chain.

The second way repeats the rule exactly as it was added, with the add (-A) replaced by delete (-D). This is handy when there are many rules, because you do not have to count them; the specification must match the rule exactly, however.

Example:

ipchains -D input -s 192.168.1.3 -p icmp -j DENY

5.3 Specifying the protocol

The protocol is given with -p. It is one of tcp (Transmission Control Protocol), udp (User Datagram Protocol), icmp (Internet Control Message Protocol) or all. Names are not case sensitive, and the protocol number may be used instead of the name.

The protocols are listed in /etc/protocols: TCP is 6, UDP is 17 and ICMP is 1.

TCP (Transmission Control Protocol):

TCP sits at the transport layer, between the applications (HTTP, FTP) and IP. Applications that need reliable delivery use TCP: it checks that data arrives intact and retransmits it when it does not. The data is cut into TCP segments, which are handed to IP at the network layer. Each segment carries a checksum; the receiver uses it to see whether the data was damaged, acknowledges segments that arrive intact and discards damaged ones, which the sender then resends. TCP is reliable and connection-oriented.

UDP (User Datagram Protocol):

UDP lets applications use the packet delivery service of IP almost directly. It does not check whether packets reach their destination, so it is fast, but it is an unreliable, connectionless datagram protocol.

ICMP (Internet Control Message Protocol):

ICMP is part of the Internet layer and sends its messages inside IP packets. ICMP messages are used to check whether a remote machine is up (ping) and for flow control: when packets arrive faster than a host can handle them, it sends an ICMP source quench message back to tell the sender to pause.

ICMP has no ports, but it does have a type, and the --icmp-type option selects it.

The ICMP type can be given by name or by number (ipchains -h icmp lists the names).

5.4 Specifying addresses

Specifying the source and destination address, -s and -d:

Both the source (-s) and the destination (-d) can be written in three ways:

As a full host name, for example 'mouse.oit.edu.tw' or 'localhost'.

As an IP address, for example '192.192.73.36'.

As a range of addresses, for example '192.192.73.0/24' or '192.192.73.0/255.255.255.0', both of which mean 192.192.73.0 ~ 192.192.73.255.

The number after the slash ('/') is the number of leading bits of the address that must match: '/24' is the same as the mask 255.255.255.0, and '/32' is the same as 255.255.255.255 (a single host). The most important special case is '/0', which matches every address.

Example:

ipchains -A input -s 0/0 -j DENY

'0/0' means every source address, so this denies everything. Leaving the -s option out altogether also matches every source address.

5.5 Specifying ports

Besides the protocol, you can also specify ports.

For example, port 80 of any source address (80 can also be written by its name, www):

-p tcp -s 0.0.0.0/0 80

TCP packets to any port of 192.168.0.1 except the www port:

-p tcp -d 192.168.0.1 ! www

The exclamation mark can also be placed in front of the address:

-p tcp -d ! 192.168.0.1 www

that is, port www on any host other than 192.168.0.1. Both can be inverted at once:

-p tcp -d ! 192.168.0.1 ! www

which matches any port other than www on any host other than 192.168.0.1.

5.6 Log records: /var/log/messages

With the -l option, matching packets are logged to /var/log/messages; on a standard Linux system the kernel's messages are collected there by klogd (the kernel logging daemon). A log entry looks like this:

Jul 18 11:38:28 www kernel: Packet log: input REJECT eth0 PROTO=1 192.168.1.3:8 192.168.1.1:0 L=60 S=0x00 I=7476 F=0x0000 T=32

Reading the fields in order:

(1) Date and time: Jul 18 11:38:28

(2) Host name: www

(3) kernel: the message was logged by the kernel

(4) Packet log: the message comes from ipchains

(5) Chain the rule was in: input

(6) Target of the rule: REJECT

(7) Interface the packet arrived on: eth0

(8) PROTO: protocol number, 1 (ICMP), 6 (TCP) or 17 (UDP)

(9) Source IP address and port: 192.168.1.3:8 (for ICMP the "port" field carries the ICMP type; 8 is echo request)

(10) Destination IP address and port: 192.168.1.1:0 (for ICMP, the ICMP code)

(11) L=60: total packet length in bytes

(12) S=0x00: TOS (type of service)

(13) I=7476: IP identification

(14) F=0x0000: fragment flags and offset

(15) T=32: TTL (time to live)
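As an added example that is not part of the original article, here is a small Python parser for the log line format described in 5.6, run over a few constructed log lines: the first copies the example above, the others are made up to cover a TCP connection request, a masqueraded UDP packet and an unrelated kernel message that must be skipped. For ICMP the two port fields are decoded as type and code. The trailing SYN flag and (#n) rule number that later ipchains versions append to the line are accepted as optional fields. From the parsed records it builds a summary of denied and rejected traffic by source and destination, which is the kind of check you would run over /var/log/messages after turning on -l.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages. Line 1 is the article's example;
# the rest are made up to exercise TCP, UDP and an unrelated kernel message.
SAMPLE_LOG = """\
Jul 18 11:38:28 www kernel: Packet log: input REJECT eth0 PROTO=1 192.168.1.3:8 192.168.1.1:0 L=60 S=0x00 I=7476 F=0x0000 T=32
Jul 18 11:40:02 www kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4321 192.192.73.35:23 L=60 S=0x00 I=1200 F=0x4000 T=55 SYN (#2)
Jul 18 11:40:05 www kernel: Packet log: forward MASQ eth0 PROTO=17 192.168.1.20:1034 198.51.100.9:53 L=68 S=0x00 I=9 F=0x0000 T=63
Jul 18 11:41:00 www kernel: eth0: link up
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Fields (1) to (15) from section 5.6, in order; SYN and (#rule) are optional extras.
LOG_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ip_id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?\s*$"
)


def parse_line(line):
    """Return a dict for an ipchains log line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    proto_num = int(m["proto"])
    entry = {
        "time": m["time"], "host": m["host"], "chain": m["chain"],
        "target": m["target"].upper(), "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
        "src": m["src"], "dst": m["dst"],
        "length": int(m["length"]), "tos": int(m["tos"], 16),
        "ip_id": int(m["ip_id"]), "frag": int(m["frag"], 16), "ttl": int(m["ttl"]),
        "syn": m["syn"] is not None,
        "rule": int(m["rule"]) if m["rule"] else None,
    }
    if proto_num == 1:
        # For ICMP the kernel logs type:code where TCP and UDP have ports.
        entry["icmp_type"], entry["icmp_code"] = int(m["sport"]), int(m["dport"])
        entry["sport"] = entry["dport"] = None
    else:
        entry["sport"], entry["dport"] = int(m["sport"]), int(m["dport"])
    return entry


def parse_log(text):
    """Parse a whole log file, silently skipping lines that are not from ipchains."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def blocked_summary(entries):
    """Count DENY/REJECT records by (target, protocol, source, destination)."""
    return Counter(
        (e["target"], e["proto"], e["src"], e["dst"])
        for e in entries if e["target"] in ("DENY", "REJECT")
    )


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        detail = "icmp type %s" % r["icmp_type"] if r["proto"] == "icmp" else "port %s" % r["dport"]
        print(r["time"], r["chain"], r["target"], r["proto"], r["src"], "->", r["dst"], detail)
    for key, n in blocked_summary(records).most_common():
        print(n, *key)
```

To use it on a real machine, replace SAMPLE_LOG with the contents of /var/log/messages (or feed the file to parse_log line by line); the summary quickly shows which hosts are hitting DENY and REJECT rules most often.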

6. ipchains example

A reminder: do not set up ipchains over a remote login, because it is easy to lock yourself out, like shutting the front door with the keys inside. I have disabled telnet while testing and found I could no longer telnet in myself, and of course had to walk over to the host to fix it.

Deny all services:

For safety we want to close every door, inside and out. The following commands set the default policy for incoming, outgoing and forwarded packets to DENY. Do this as the last step, not the first: ipchains tries the rules in the order they appear and the first match decides, so a blanket deny rule added before your accept rules will shadow them, and the default policy itself applies only when no rule matches, so with no ACCEPT rules in place yet everything is dropped, including the connection you are typing on.

ipchains -P input DENY

ipchains -P forward DENY

ipchains -P output DENY

Start masquerading for the virtual IP addresses:

Let the internal virtual addresses 192.168.1.0 ~ 192.168.1.255 be forwarded to the outside, so that they can reach any external network:

ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
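As an added example (not from the article), the following Python model of how ipchains walks a chain covers the subset of syntax used in sections 4.3, 5 and 6: -A, -I and -P, -p, -s and -d with an optional port and '!' negation, -y and -j. It makes two points of this section concrete: rules are tried in order and the first match decides, so an ACCEPT appended after a blanket DENY is never reached while the same rule inserted at position 1 wins; and the chain policy set with -P applies only when no rule matches. It does not talk to a kernel; the packets are plain dicts constructed in the script, and port names come from a small table embedded here where a real ipchains would consult /etc/services.

```python
import ipaddress
import shlex

# Port names a real ipchains would look up in /etc/services (small table here).
PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "ssh": 22, "smtp": 25, "domain": 53}
BUILTIN_CHAINS = ("input", "forward", "output")


def to_network(tok):
    """Address forms from section 5.4: host, a.b.c.d/bits, a.b.c.d/mask, and '0/0'."""
    addr, _, mask = tok.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # '0/0' -> '0.0.0.0/0'
    return ipaddress.ip_network(addr + ("/" + mask if mask else ""), strict=False)


def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def parse_address(argv, i):
    """Consume '[!] address [[!] port]' starting at argv[i] (section 5.5).
    Returns ((negate_addr, network, negate_port, port), next_index)."""
    neg_addr = argv[i] == "!"
    i += neg_addr
    net, i = to_network(argv[i]), i + 1
    neg_port, port = False, None
    if i + 1 < len(argv) and argv[i] == "!" and not argv[i + 1].startswith("-"):
        neg_port, i = True, i + 1
    if i < len(argv) and not argv[i].startswith("-") and argv[i] != "!":
        port, i = port_number(argv[i]), i + 1
    return (neg_addr, net, neg_port, port), i


def matches(rule, pkt):
    """Does a packet (dict with proto, src, dst, sport, dport, syn) meet the rule's conditions?"""
    if rule["proto"] not in (None, "all") and rule["proto"] != pkt["proto"]:
        return False
    if rule["syn"] and not (pkt["proto"] == "tcp" and pkt.get("syn")):
        return False
    for key, port_key in (("src", "sport"), ("dst", "dport")):
        if rule[key] is None:
            continue
        neg_addr, net, neg_port, port = rule[key]
        if (ipaddress.ip_address(pkt[key]) in net) == neg_addr:
            return False
        if port is not None and (pkt.get(port_key) == port) == neg_port:
            return False
    return True


class Ipchains:
    """Just enough of ipchains to show first-match evaluation and chain policies."""

    def __init__(self):
        self.chains = {c: {"rules": [], "policy": "ACCEPT"} for c in BUILTIN_CHAINS}

    def run(self, command):
        argv = shlex.split(command)
        if argv[0] != "ipchains":
            raise ValueError(command)
        cmd, chain, i = argv[1], argv[2], 3
        if cmd == "-P":                       # policy: consulted only when no rule matches
            self.chains[chain]["policy"] = argv[3].upper()
            return
        position = 0
        if cmd == "-I" and i < len(argv) and argv[i].isdigit():   # -I chain N
            position, i = int(argv[i]) - 1, i + 1
        rule = {"proto": None, "src": None, "dst": None, "syn": False, "target": None}
        while i < len(argv):
            opt = argv[i]
            if opt == "-p":
                rule["proto"], i = argv[i + 1].lower(), i + 2
            elif opt in ("-s", "-d"):
                rule["src" if opt == "-s" else "dst"], i = parse_address(argv, i + 1)
            elif opt == "-y":
                rule["syn"], i = True, i + 1
            elif opt == "-j":
                rule["target"], i = argv[i + 1].upper(), i + 2
            else:
                raise ValueError(f"unsupported option {opt!r} in: {command}")
        if cmd == "-A":
            self.chains[chain]["rules"].append(rule)
        elif cmd == "-I":
            self.chains[chain]["rules"].insert(position, rule)
        else:
            raise ValueError(f"unsupported command {cmd!r}")

    def decide(self, chain, pkt):
        """Walk the chain in order: the first matching rule with a target decides, and its
        1-based number is returned. The policy is reported as rule 0 when nothing matched."""
        for n, rule in enumerate(self.chains[chain]["rules"], 1):
            if rule["target"] and matches(rule, pkt):
                return rule["target"], n
        return self.chains[chain]["policy"], 0


if __name__ == "__main__":
    fw = Ipchains()
    fw.run("ipchains -A input -s 0/0 -j DENY")
    fw.run("ipchains -A input -s 192.168.1.2 -j ACCEPT")     # appended after a blanket DENY: never reached
    pkt = {"proto": "tcp", "src": "192.168.1.2", "sport": 1025, "dst": "192.192.73.35", "dport": 23, "syn": True}
    print("appended ACCEPT:", fw.decide("input", pkt))        # ('DENY', 1)
    fw.run("ipchains -I input 1 -s 192.168.1.2 -j ACCEPT")    # inserted at position 1: wins
    print("inserted ACCEPT:", fw.decide("input", pkt))        # ('ACCEPT', 1)
```

The returned rule number is the one ipchains -L --line-numbers style tooling would show, and 0 stands for the chain policy; feeding your own rc.local rules through run() before touching a live box is a cheap way to spot a shadowed ACCEPT.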

7. Saving and restoring the rules with ipchains-save and ipchains-restore

ipchains comes with two programs for saving and restoring the rules we have set. ipchains-save writes one chain, or all chains, to standard output as a list of rules that the system can read back in. Add -v to list what it is doing.

Example:

ipchains-save -v > filename

To restore the rules from that file:

ipchains-restore < filename

Managing ipchains with Webmin

After reading the above, readers may feel this is all rather hard. ipchains firewalling can also be managed through a third-party Webmin module.

It offers five security levels: disabled, low, medium, high and full, or custom rules.

8. Traffic statistics

ntop (http://www.ntop.org/) is a network usage monitor. In interactive mode it shows network usage on the user's terminal; in web mode it acts like a web server, generating pages with the usage figures and sending them to the user's browser. Red Hat 7.0 PowerTools includes ntop-1.3.1-2.i386.rpm, so on Red Hat 7.0 install it with

rpm -ivh ntop-1.3.1-2.i386.rpm

and start it in daemon mode with ntop -d. The web output is shown in the figure (the author uses version 1.1).

9. Traffic records

Snort (http://www.snort.org) is a sophisticated network intrusion detection system (IDS). It performs real-time traffic analysis and packet logging, with protocol analysis and content searching, and can detect a wide range of attacks and probes: buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and so on. Snort uses a flexible rule-based language to describe which traffic should be collected and which let through, and has a modular detection engine. It also alerts in real time; alerts can go to syslog, a user-specified file, a UNIX socket, or as WinPopup messages to Windows clients via smbclient. (From linuxfab.cx)

Get snort-1.6.3.tar.gz and install it with the following steps:

tar xvfz snort-1.6.3.tar.gz

cd snort-1.6.3

./configure

make install

Here I will only introduce the packet logging function; the other functions will be described later. Suppose we run snort with -d (dump the application-layer data) and -l (log directory) pointing at a directory under the web server's document root, so that the logs can be browsed from a web page; -c names the rules file:

snort -c <rules file> -d -l /home/httpd/html/snort

The result looks like this:

Of course I have applied some access control here, otherwise all the network's secrets would be exposed. And because everything is recorded, the log files grow very fast, so if you really want to log like this, keep an eye on the details. Look closely at the capture: you can see the user name, and what follows is the password ......
