Teach you how to build a Linux system firewall for free

Article Title: Teach you how to build a Linux system firewall for free. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

Firewall is a software or hardware product that establishes a security barrier between a trusted network and an untrusted network. The Linux operating system kernel has the packet filtering capability. The system administrator can set a set of rules through a management tool to create a Linux-based firewall, use this set of rules to filter packets received and sent by the host, or packets forwarded by the host from one Nic to another. Use an idle PC to replace expensive specialized firewall hardware, for some small and medium-sized enterprises or department-level users, it is worth reference.

I. Firewall types and design strategies

When constructing a firewall, packet filtering and application proxy services are usually used. Packet filtering refers to the establishment of packet filtering rules. Based on these rules and IP packet header information, the network layer determines whether to allow or REJECT packets. If FTP is allowed or prohibited, but FTP-specific functions (such as Get and Put) cannot be prohibited ). The application proxy service is completed by a proxy server located between the Intranet and the external network. It works at the application layer and acts as a proxy for various service requests from users, such as FTP and Telenet.

Currently, firewalls generally use Dual-homedFirewall, ScreenedHostFirewall, and ScreenedSubnetFirewall. A dual-host structure refers to a computer that undertakes proxy service tasks with at least two network interfaces connecting to the Intranet and the external network. The shielded host structure means that the computer responsible for proxy service tasks is only connected to the host on the Intranet. The subnet shielding structure adds an additional security layer to the host shielding structure, that is, the surrounding network is added to further separate the Intranet from the external network.

Firewall Rules are mainly used to define which packets or services allow/reject the pass. One is to allow any access and then specify the denied items; the other is to deny any access and then specify the allowed items. Generally, we adopt 2nd policies. From the logic point of view, it is easier to specify a small rule list in the firewall to pass through the firewall. From the perspective of the development of the Internet, new protocols and services are constantly emerging. Before these protocols and services are allowed to pass through the firewall, there is time to review security vulnerabilities.

　　II. Implementation of Linux operating system firewall

A Linux-based firewall is a composite firewall that uses the packet filtering capability of its kernel to establish a packet filtering Firewall and a combination of packet filtering and proxy services. Next, let's take a look at how to configure a dual-host Linux-based firewall.

Because the Linux kernel varies, the packet filtering settings are different. IpFwadm is based on ipfw in Unix. It is only applicable to kernels earlier than Linux2.0.36. For Versions later than Linux2.2, Ipchains are used. IpFwadm and Ipchains work in similar ways. Three of the four chains configured with them are defined at startup of the Linux kernel, including InputChains, OutputChains, and ForwardChains ), there is also a user-defined chain (UserDefinedChains ). The entry chain defines the inbound packet filtering rules, the outbound chain defines the outbound packet filtering rules, and the forwarding chain defines the forwarding packet filtering rules.

These links determine how to handle incoming and outgoing IP packets. When a packet comes from the NIC, the kernel uses the inbound rules to determine the packet flow, the kernel determines the next packet to be sent. If the packet is sent to another machine, the kernel uses the forwarding chain rules to determine the packet flow. Before a packet is sent, the kernel uses outbound chain rules to determine the packet flow. Each rule in a specific chain is used to determine the IP package. If the package does not match the first rule, check the next rule. When a matching rule is found, the rule specifies the target of the package, which may be a user-defined chain or Accept, Deny, Reject, Return, Masq, and Redirect.

Here, Accept indicates allow; Deny indicates Deny; Reject indicates discarding the received packet, but generating an ICMP reply to the sender; Return indicates stopping the rule and jumping to the end of the chain; masq indicates that the package is disguised by the kernel for user-defined chains and outbound chains. Redirect only applies to the entry chain and user-defined chains so that the kernel can change the package to the local port. To enable Masq and Redirect to work, we can select Config_IP_Masquerading and Config_IP_Transparent_Proxy when compiling the kernel.

Assume that a LAN is connected to the Internet and the public network address is 202.101.2.25. According to RFC1597, the private address of the Intranet uses the class C address 192.168.0.0 ~ 192.168.255.0. For convenience, we use three computers as an example. In fact, it can be expanded to a maximum of 254 computers.

The procedure is as follows:

1. install two NICs ech0 and ech1 on a Linux host, and assign an Intranet private address 191.168.100.0 to the ech0 Nic to connect to the Intranet; assign a public network address 202.101.2.25 to the ech1 Nic to connect to the Internet.

2. configure access, forwarding, outbound, and user-defined links on a Linux host. This article uses the rules that allow inbound and outbound information and forward packets, but prohibit some dangerous packets, such as IP spoofing packets, broadcast packets, and ICMP attack packets.

The specific settings are as follows:

(1) Refresh all rules

(2) set initial Rules

(3) set local loop rules

Packets between local processes can pass.

(4) IP spoofing prohibited

(5) prohibit broadcast packets

(6) set ech0 forwarding rules

(7) set ech1 forwarding rules

Save the rule to/etc/rc. in the firewallrules file, use chmod to grant the File Execution permission. In the/etc/rc. d. rc. add/etc/rc to local. firewallrules, so that these rules will take effect when the system starts.

Through the configuration above, we can establish a packet filtering firewall based on the Linux operating system. It has the advantages of simple configuration, high security and strong resistance. In particular, it can use idle computers and free Linux operating systems to build a firewall that minimizes investment and maximizes output. In addition, if a proxy server, such as TIS Firewall Toolkit free software package, is added to the package filtering, a safer compound Firewall can also be built.