The implementation of Linux network firewall is not difficult! (1)

Source: Internet
Author: User

The following article describes how to implement a Linux network firewall correctly; if you are curious about the technology behind it, the sections below give a more detailed introduction. As is well known, a firewall, as a mechanism that enforces access control between networks or systems, is an important means of ensuring network security.

You can customize different firewall systems based on different requirements and application environments.

Implement Linux Network Firewall


A firewall can be as large as a system of several routers and bastion hosts, or as small as the packet filtering function provided by a firewall software package on a network operating system.

Among the many network firewall products, firewall software on the Linux operating system has notable features. First, Linux, as a Unix-like network operating system, has unique advantages in system stability, robustness, and low price. More importantly, Linux not only fully opens its source code but also includes all the service software packages needed to set up an Internet environment, such as the Apache web server, DNS server, mail server, and database server. Likewise, Linux-based firewall software is not only powerful, but most of it is open-source software.

With the rapid development of the Internet, security issues are becoming more and more important. Using Linux to build a corporate network is popular with small and medium-sized enterprises, and using Linux to build the corporate network's firewall system has become an ideal choice for many of them.

The Linux kernel has supported packet filtering since version 1.1. In kernel 2.0, ipfwadm was used to manage the kernel's packet filtering rules. By version 2.2, the Linux kernel used ipchains to control kernel packet filtering rules. In 2.4.x, ipchains was replaced by iptables, a brand-new packet filtering management tool. The new 2.6 kernel has been further improved in terms of security. Therefore, whichever kernel version you have and whichever Linux distribution you choose to build your enterprise network on, you can use the existing system to build an ideal and practical firewall.

Firewall systems can be divided into three basic types: packet filters, application gateways (also called proxy-server firewalls), and firewall gateways. The firewall software package provided by Linux is built into the Linux kernel and is a firewall implementation based on packet filtering. Its central idea is to control the flow of packets based on the source address, destination address, and packet type information in the network-layer IP header. More thorough filtering also checks the source port, destination port, connection state, and other information in the packet.

This article mainly introduces IPFW, ipchains, and iptables, which are very useful Linux firewalls, and their specific implementations.

IPFW Firewall

IPFW is a firewall software package provided by older Linux kernel versions; the full name of the package is ipfwadm. The ipfwadm package provides the ability to establish rules and, based on these rules, to determine which packets are allowed into the network. Put simply, a firewall is a pair of switches: one switch allows packets to pass, and the other prevents them from passing. Modern firewall systems generally include additional functions such as audit trails, encryption and authentication, address masquerading, and VPN. As a security switch, a firewall can implement either of two security policies:

(1) Everything not explicitly permitted is prohibited;

(2) Everything not explicitly prohibited is permitted.

Obviously, the security of policy (1) is significantly higher than that of policy (2), but it buys that security at the cost of flexibility and accessible resources. The ipfwadm system also provides IP masquerading, which allows users to reach the Internet through a public IP address space.

The following uses Red Hat as an example to describe how to implement the IPFW firewall on Linux.

Install the ipfwadm firewall on a Red Hat system (the procedure is the same on other systems). Log on as the root user and run the following command:

# rpm -ivh /mnt/cdrom/RedHat/RPMS/ipfwadm-2.3.0-5.i386.rpm

After ipfwadm is installed, you can specify ipfwadm packet filtering rules interactively. The filter rules check each IP packet entering the system to determine which packets are allowed through the firewall and which are not. The general format of the ipfwadm command is:

/sbin/ipfwadm category command parameters [options]

ipchains and IP Masquerading

In newer Linux kernels, ipchains replaced ipfwadm and provides a more rigorous packet filtering control mechanism. ipchains provides complete firewall functions, including packet filtering, address masquerading, and transparent proxying.

The ipchains provided in the Linux 2.2 kernel controls firewall rules through four types of rule lists, called firewall chains: the IP input chain, the IP output chain, the IP forward chain, and user-defined chains. A chain is actually a rule table. A rule means that when the header of the packet being checked matches the rule definition, the packet is processed according to the preset action. The input chain holds filtering rules for incoming connection requests, the output chain holds filtering rules for outgoing connection requests, the forward chain holds filtering rules for packets passing between the inside and the outside, and user-defined chains hold rules defined by the user.

When a packet enters the Linux firewall system, the kernel uses the input chain to decide what to do with it. If the packet is not discarded, the kernel uses the forward chain to decide whether to forward it to an exit. Before the packet reaches the exit, the kernel uses the output chain to decide whether to discard or forward it. In this process, once the input chain has decided to accept the packet, the kernel must decide where the packet goes next, that is, routing. If the packet is destined for another host, the kernel uses the forward chain. When a rule matches, the packet is sent to the target specified by that rule, which may be a user-defined chain or one of the following specific values:

ACCEPT: the packet is allowed through.

DENY: the packet is discarded silently.

REJECT: the packet is discarded and an ICMP reply is sent to notify the sender that it was discarded.

MASQ: tells the kernel to masquerade the packet. This value only applies to the forward chain and user-defined chains.

REDIRECT: tells the kernel to redirect the packet to a local port. This value only applies to the input chain and user-defined chains, and can only be used with the UDP and TCP protocols. RETURN tells the kernel to skip the remaining rules for the packet and go directly to the end of the chain.

IP masquerading is configured on the forward chain in Linux. In fact, IP masquerading is a safer solution than a plain packet filtering policy: it not only provides a security mechanism but also solves the problem of insufficient IP address resources on the Internet. IP masquerading allows a computer to disguise its real IP address as another address when accessing the Internet. If a host connected to the Internet has the IP masquerading function, the hosts behind it can reach the Internet either through a LAN or through PPP dial-up, even though such a host does not have a formal IP address of its own when using PPP.

This means that a host can be hidden behind a gateway to access the Internet: the host can reach the Internet while its access remains invisible (hidden) to the outside world. Obviously, this kind of concealment makes the system very secure, because the outside world cannot see that the host exists and so cannot access it, let alone intrude into or crack it. Generally, the private address ranges reserved by IANA are used for masquerading.

When a host on the internal network sends an IP packet to the Internet, the kernel replaces the source IP address with the gateway's IP address, records the masqueraded connection, and then forwards the packet. When the Internet's response to this packet enters the gateway, the kernel reverses the masquerading, replacing the destination address with the internal address.

With the proper settings, IP masquerading can be applied to a particular network segment, host, interface, or protocol, or even to certain ports of a specific protocol, which is very flexible. IP masquerading hides the details of the internal network from the external network, and therefore provides good security.

Generally, when you install a Linux system of the corresponding version, ipchains is installed automatically. If the ipchains package is not installed on your system, you can obtain it from the installation CD or download it from the Internet.

Run the following command to install the rpm package:

# rpm -ivh *.rpm

If it is a .tar.gz package, you must first decompress the package:

# tar xvfz *.tar.gz

Then run the following command in the decompressed directory to complete installation:

# ./configure

# make

# make install

ipchains is now installed as the Linux network firewall. After ipchains is successfully installed, start it and configure the packet filtering rules. To enable ipchains, you must complete the following steps:

Manually edit the /proc/sys/net/ipv4/ip_forward file and set its content to 1.

Run the touch command in the /etc/rc.d/ directory to create the rc.ipfwadm file.

Add the following line to the rc.local file in the /etc/rc.d directory:

if [ -f /etc/rc.d/rc.ipfwadm ]; then /etc/rc.d/rc.ipfwadm; fi

In this way, all ipchains configuration commands are kept in the rc.ipfwadm file, and you edit that file to change them.

Like IPFW, ipchains filters packets according to a configured policy. One of the following two approaches is used:

(1) Allow all packets through, and then prohibit dangerous packets;

(2) Deny all packets first, and then allow specific packets through according to the required services.
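As an added example (not from the original article), the following rc.ipfwadm-style script ties together the chain model and targets described above, IP masquerading of an IANA private range on the forward chain, the ip_forward setting, and approach (2): deny everything, then allow only the required services. The interface names, the public address 203.0.113.10 (a documentation range) and the chosen services are assumptions; adjust them to your own gateway.

```shell
#!/bin/sh
# Added example: default-deny ipchains gateway. Interfaces and addresses
# below are assumptions, not values from the article.
EXT_IF=eth0                 # interface facing the Internet
EXT_IP=203.0.113.10         # its public address (documentation range)
LAN_IF=eth1                 # interface facing the internal LAN
LAN_NET=192.168.1.0/24      # IANA private range used behind the gateway

# Emit the rule set as one ipchains command per line so it can be
# inspected (or diffed against the running set) before it is applied.
firewall_rules() {
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i $EXT_IF -s $LAN_NET -j DENY -l
ipchains -A input -i $LAN_IF -s $LAN_NET -j ACCEPT
ipchains -A output -i $LAN_IF -d $LAN_NET -j ACCEPT
ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
ipchains -A output -i $EXT_IF -s $EXT_IP -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -d $EXT_IP 61000:65095 -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0/0 53 -d $EXT_IP -j ACCEPT
ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 25 -j ACCEPT
ipchains -A input -i $EXT_IF -j DENY -l
EOF
}
# Rule notes: packets claiming a LAN source on the Internet side are
# spoofed and logged (-l); MASQ is only valid on the forward chain;
# "! -y" accepts non-SYN TCP (replies to connections we opened, since
# ipchains keeps no connection state); UDP replies to masqueraded
# sessions arrive on the kernel's masquerade port range 61000-65095;
# inbound SMTP (port 25) is the one service exposed; everything else
# hitting the external interface is logged and dropped.

# Apply only on a real ipchains gateway running as root; otherwise just
# print the rules so the policy can be reviewed.
apply_firewall() {
    if command -v ipchains >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        firewall_rules | sh -e
    else
        firewall_rules
    fi
}

apply_firewall
```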
