As Internet applications swept across the world, the issue of "network security" began to concern most people, and the "Firewall" was developed in response, to keep uninvited guests on the external network from intruding. This article combines "Firewall" and "Linux" to show you how to build a Linux firewall.
It has been a while since old Linux friends and new ones last met on these pages. I hope to use this rare opportunity to share my experience with you in a short article.
Since the National Information Infrastructure (NII) was promoted, TANET, SeedNet and HiNet have all been working hard, the Internet has become a hot topic in all kinds of magazines, and "joining the Internet and using the Internet" has become a way of building a corporate image. Amid this Internet fever, some people began to worry about the so-called "network security" problem. The openness of the Internet benefits all its members, but that same openness is exactly why this "network security" issue has to be considered. Our topic this time, the "Firewall", is a product born of precisely this security consideration.
We can set up a machine with the firewall function between the internal network and the external network to filter the data passed between the two, and then restrict, through software settings, which network functions different users may use. Data travelling from the external network to the internal network must pass through the firewall machine, and data from the internal network likewise reaches its destination on the external network through the firewall; the firewall machine thus becomes the relay station between the two networks. When an outside visitor arrives, his footsteps reach only as far as the firewall, so the worst case is "the firewall machine was destroyed!", while the internal network escapes and "survives". This price seems worth paying, on the principle of sacrificing the small self to preserve the greater self.
Although such a procedure seems cumbersome, it prevents intrusion by uninvited guests on the external network and keeps the internal network secure. In the other direction, the internal network's communication with the outside can also be restricted, giving another layer of control over network traffic. Of course, this security costs a good deal of "convenience" and "speed", but there are always ways to make up for that, and those are what we will cover.
There is no single way to set up a firewall; it depends on the operating system and on the functions of the firewall software. The figure above shows the simplest firewall architecture. Having covered some firewall terminology, we now combine it with our protagonist "Linux" and jump into the real focus: "How to build a firewall using Linux".
Add firewall support to the Linux kernel
Since the kernel configuration of Linux 1.2.x, the CONFIG_IP_FIREWALL option has been available; it compiles in the packet-filtering hooks and the related system calls (the filtering rules themselves are then loaded from user space with an administration tool: ipfw on the 1.2.x kernels, ipfwadm on the 1.3.x and 2.0 kernels). So if you want to set Linux up as a firewall machine, first confirm that the kernel you are running actually includes the firewall function!
The most reliable way is to recompile the kernel with CONFIG_IP_FIREWALL set to "Yes". Note that for the basic Linux firewall described here you must also remove the kernel's IP forwarding function: with forwarding disabled, the kernel never routes packets between the two interfaces, so every connection has to terminate on the firewall host and be relayed by a program running there, which is exactly the control point we want. So when running "make config" for the kernel re-compilation, consider the following options carefully.
1. Network support (CONFIG_NET) [y]
2. TCP/IP networking (CONFIG_INET) [y]
3. IP forwarding/gatewaying (CONFIG_IP_FORWARD) [n]
4. IP firewalling (CONFIG_IP_FIREWALL) [y]
5. IP accounting (CONFIG_IP_ACCT) [y]
6. The SLIP or PPP driver, if a dial-up or leased line is used for the external connection
   Ex: PPP (point-to-point) support (CONFIG_PPP) [y]
7. The driver for your network card, used to connect to the internal local network
   Ex: NE2000/NE1000 support (CONFIG_NE2000) [y]
Then run "make dep; make clean; make zImage" and so on. For the details of kernel re-compilation, please refer to the detailed descriptions in the previous issues of the monthly CD series.
Note: In the Linux 1.3.x development series another firewall function is being added, called ip_masquerade. It moves the relaying of data between the external and internal networks, which is currently done by software running on the firewall host, into the kernel. That sounds like good news, but it is still in development and testing; if you want to be safe, do not use it yet, and enjoy it once it has proven stable.
After the new kernel is generated, move the resulting zImage (or vmlinuz) to the root directory or to your usual boot directory. If you use LILO, run lilo again to update the boot information, and then restart Linux.
After booting into the new Linux system, check the content of /proc/net/snmp as follows:
Simon:/proc/net # cat snmp
1. → Ip: Forwarding DefaultTTL InReceives InHdrErrors ... (omitted)
2. → Ip: 0 64 12 0 0 0 ... (omitted)
Icmp: InMsgs InErrors InDestUnreachs InTimeExcds ... (omitted)
Icmp: 0 0 0 0 0 0 ... (omitted)
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens ... (omitted)
Tcp: 0 0 0 0 0 0 ... (omitted)
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 12 0 0 12
Compare the field names on line 1. with the values on line 2.: the first value on line 2. is the Forwarding flag. If it is 0, IP forwarding is not compiled into this kernel. Run this check to make sure the IP forwarding function really has been disabled! (Later kernels report this field with the RFC 1213 ipForwarding encoding, where 1 means forwarding and 2 means not forwarding, so on those kernels a 2 is what you want to see.)
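As an added example (not part of the original article), the following POSIX shell script performs the check above programmatically: it pulls the Forwarding flag off the "Ip:" value line of /proc/net/snmp text and interprets it, accepting both the 0/1 value printed by the 1.2.x-era kernel in the listing and the RFC 1213 1/2 encoding of later kernels. The sample /proc/net/snmp contents are constructed so the script runs offline; the function names ip_forwarding_state and live_forwarding_state are my own.

```shell
#!/bin/sh
# Added example: read the IP Forwarding flag out of /proc/net/snmp text.
#
# /proc/net/snmp comes as pairs of lines: a header line with field names
#   Ip: Forwarding DefaultTTL InReceives ...
# followed by a value line with the numbers in the same order
#   Ip: 2 64 12 ...
# The first number on the "Ip:" value line is the Forwarding flag.

# ip_forwarding_state TEXT
# Prints one of: forwarding, not-forwarding, unknown.
# Encodings accepted:
#   1   -> forwarding (old kernel flag and RFC 1213 ipForwarding alike)
#   0   -> not-forwarding (1.2.x-era kernel built without CONFIG_IP_FORWARD)
#   2   -> not-forwarding (RFC 1213 encoding used by later kernels)
ip_forwarding_state() {
    flag=$(printf '%s\n' "$1" \
        | sed -n 's/^Ip:[[:space:]]*\([0-9][0-9]*\)[[:space:]].*/\1/p' \
        | head -n 1)
    case "$flag" in
        1)   echo forwarding ;;
        0|2) echo not-forwarding ;;
        *)   echo unknown ;;
    esac
}

# live_forwarding_state
# Same classification for the running kernel. Prefers the sysctl file that
# modern kernels expose (0 = off, 1 = on) and falls back to /proc/net/snmp.
live_forwarding_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        case "$(cat /proc/sys/net/ipv4/ip_forward)" in
            1) echo forwarding ;;
            0) echo not-forwarding ;;
            *) echo unknown ;;
        esac
    elif [ -r /proc/net/snmp ]; then
        ip_forwarding_state "$(cat /proc/net/snmp)"
    else
        echo unknown
    fi
}

# Constructed sample laid out like the listing in the article (1.2.x kernel
# with forwarding compiled out): the first value on the Ip line is 0.
SAMPLE_SNMP_OLD='Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors
Ip: 0 64 12 0 0
Icmp: InMsgs InErrors
Icmp: 0 0
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 12 0 0 12'

# Constructed sample in the RFC 1213 style of later kernels: 2 = not forwarding.
SAMPLE_SNMP_NEW='Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors
Ip: 2 64 98765 0 0
Icmp: InMsgs InErrors
Icmp: 3 0'

# Constructed sample of a kernel that does route between its interfaces.
SAMPLE_SNMP_GATEWAY='Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors
Ip: 1 64 4242 0 0'

# Demonstration when run directly.
echo "old-style sample: $(ip_forwarding_state "$SAMPLE_SNMP_OLD")"
echo "new-style sample: $(ip_forwarding_state "$SAMPLE_SNMP_NEW")"
echo "gateway sample:   $(ip_forwarding_state "$SAMPLE_SNMP_GATEWAY")"
echo "this machine:     $(live_forwarding_state)"
```

On a firewall built the way this article describes, both the constructed "old-style" sample and the live check should report not-forwarding; a result of forwarding means packets can be routed straight between the two interfaces and the proxy-only design is defeated.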
Set the network addresses
Once Linux is confirmed to have the firewall function, the next thing to do is set the network addresses. First the external side: since this Linux machine connects to the outside, it must of course have an officially assigned address, which is unique. On the Internet an IP address is the only one of its kind in the whole world, there cannot be a second, otherwise there would be a fight, so you need not worry about that! But precisely because the external address must be unique, you have to think a little further about the IP addresses of the internal network: if an internal machine were given the same address as some machine on the external network, the firewall machine would not know where to deliver the data.
The following are the IP address ranges reserved for internal (private) networks, as defined in RFC 1918:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Choose the internal network addresses, which do not exist on the Internet, from within these ranges, so that the firewall machine does not misdirect data because of an address clash.
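As an added example (not part of the original article), here is a POSIX shell script that checks whether an IPv4 address lies inside one of the three RFC 1918 ranges and audits a list of planned internal addresses for ones that would clash with real Internet addresses. The host list is constructed; the function names is_rfc1918 and audit_internal_hosts are my own.

```shell
#!/bin/sh
# Added example: check whether IPv4 addresses fall inside the RFC 1918
# private ranges, so that no internal host gets an address that also
# exists on the Internet.

# is_rfc1918 ADDRESS
# Prints "private", "public" or "invalid" and returns 0, 1 or 2 respectively.
is_rfc1918() {
    addr=$1
    # Exactly three dots and no empty octet; everything else is malformed.
    case "$addr" in
        *.*.*.*.*|*..*|.*|*.) echo invalid; return 2 ;;
        *.*.*.*) ;;
        *) echo invalid; return 2 ;;
    esac
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*};  rest=${rest#*.}
    o3=${rest%%.*};  o4=${rest#*.}
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in
            *[!0-9]*) echo invalid; return 2 ;;
        esac
        if [ "$octet" -gt 255 ]; then
            echo invalid
            return 2
        fi
    done
    # 10.0.0.0/8, 172.16.0.0/12 (172.16 through 172.31), 192.168.0.0/16
    if [ "$o1" -eq 10 ]; then
        echo private; return 0
    elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then
        echo private; return 0
    elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then
        echo private; return 0
    fi
    echo public
    return 1
}

# audit_internal_hosts < address-list
# Reads one address per line and prints every address that is NOT private:
# each of these would collide with a real Internet address and confuse the
# firewall machine's delivery decisions.
audit_internal_hosts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if [ "$(is_rfc1918 "$line")" != private ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed list of planned internal addresses. 10.21.0.5 is fine (the
# whole 10/8 block is private); 203.0.113.9 and 172.32.1.1 are not private
# and must be renumbered before they go behind the firewall.
PLANNED_HOSTS='10.1.2.3
10.21.0.5
203.0.113.9
172.31.255.254
172.32.1.1
192.168.3.4'

echo "addresses that must be renumbered:"
printf '%s\n' "$PLANNED_HOSTS" | audit_internal_hosts
```

Note that 172.32.x.x is just outside the 172.16.0.0/12 block and 192.169.x.x just outside 192.168.0.0/16; both are routable Internet space, which is why the check looks at the second octet rather than only the first.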
Test the network connections
The next step is to test the network connections. Note that Linux is now a firewall machine: machines on the internal network cannot connect directly to external machines, and machines on the external network cannot connect directly to machines on the internal network, but both sides should be able to reach this firewall.
So we first test whether the connection between the Linux firewall machine and the external network is normal, and then whether the connections between the machines on the internal network and the Linux machine work normally.
Never try to connect a machine on the internal network directly to an external machine. This is impossible both in theory and in practice: first, because of the firewall (IP forwarding is disabled, so the kernel routes no packets between the two networks); second, no machine on the internal network other than this firewall is a member of the external network, that is, none of them has an officially assigned IP address.
Restrict the network functions
The purpose of building a firewall is security. Although the firewall blocks traffic to some degree, leaving every network service enabled on the firewall host itself would make it as exposed as any ordinary public host, which is clearly inappropriate. So, to achieve the goal of security control, the network programs offered on the firewall machine must be trimmed somewhat.
How do we limit the network functions offered on the firewall machine? As root, edit the file "/etc/inetd.conf" and comment out (with a leading "#") every service you do not actually use on the firewall, then send inetd a HUP signal so that it re-reads the file. Generally one keeps only file transfer and terminal emulation (ftp and telnet) and disables the programs that give away system information (bootp, fingerd and the like), so that nobody can use them to learn about the current state of the machine.
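As an added example (not part of the original article), the following POSIX shell script does that trimming in a repeatable way: it lists the services an inetd.conf currently offers, comments out the named ones, and shows how to apply the result and HUP inetd. The inetd.conf fragment is constructed for offline use, and the function names enabled_services, disable_services and apply_inetd_changes are my own.

```shell
#!/bin/sh
# Added example: trim the services inetd offers on the firewall host.
# The first two functions are filters on inetd.conf text so they can be run
# offline; apply_inetd_changes writes the result back and signals inetd.

# enabled_services < inetd.conf
# Prints the service name (first field) of every active, uncommented entry.
enabled_services() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-][A-Za-z0-9_-]*\)[[:space:]].*/\1/p'
}

# disable_services SERVICE... < inetd.conf > new-inetd.conf
# Comments out every active entry whose service name is one of the arguments.
# The name must be followed by whitespace, so "ftp" does not touch "ftpd",
# and lines that are already commented are left alone, which makes the
# function safe to run repeatedly.
disable_services() {
    text=$(cat)
    for svc in "$@"; do
        text=$(printf '%s\n' "$text" \
            | sed "s/^[[:space:]]*\\($svc[[:space:]]\\)/#\\1/")
    done
    printf '%s\n' "$text"
}

# apply_inetd_changes FILE SERVICE...
# Rewrites FILE in place (keeping FILE.bak) and tells the running inetd to
# re-read its configuration with SIGHUP. Not exercised by the demo below.
apply_inetd_changes() {
    file=$1
    shift
    disable_services "$@" < "$file" > "$file.new" || return 1
    cp "$file" "$file.bak" && mv "$file.new" "$file" || return 1
    # pidof is not universal, so find inetd through ps; with no inetd
    # running this is a no-op.
    pid=$(ps -eo pid,comm 2>/dev/null | awk '$2 == "inetd" { print $1; exit }')
    [ -n "$pid" ] && kill -HUP "$pid"
    return 0
}

# Constructed inetd.conf fragment in the classic format:
#   service socket proto wait/nowait user server-program args
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd   in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd   in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd   in.fingerd
systat  stream  tcp  nowait  nobody  /usr/sbin/tcpd   /bin/ps -auwwx
netstat stream  tcp  nowait  root    /usr/sbin/tcpd   /bin/netstat -a
bootps  dgram   udp  wait    root    /usr/sbin/bootpd bootpd
#tftp   dgram   udp  wait    root    /usr/sbin/tcpd   in.tftpd'

echo "services offered before:"
printf '%s\n' "$SAMPLE_INETD_CONF" | enabled_services
echo "services offered after disabling the information leaks:"
printf '%s\n' "$SAMPLE_INETD_CONF" \
    | disable_services finger systat netstat bootps \
    | enabled_services
```

Against the sample the "before" list is ftp, telnet, finger, systat, netstat and bootps, and the "after" list is only ftp and telnet, which matches the policy in the text: keep file transfer and terminal emulation, drop everything that reports on the machine.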
Set up a proxy server
In this firewall environment, all communication with the external network must go through the firewall. That means that to telnet to the outside you must first telnet to the firewall machine and telnet out from there; in other words, "everything has to be done by somebody else". Think about it: if someone inside wants to browse the WWW, how? A "proxy server" is the answer to that question. Next time we will continue with how to build the SOCKS 4.2 proxy server on the Linux firewall machine,
and how to run Linux, Trumpet and Netscape on machines on the internal network and connect to the external network through the Linux firewall! In this way several machines can share a single Internet IP address to get onto the international network!