Using Iptables to build Linux firewalls (1)

Source: Internet
Author: User

Firewalls have long been regarded on campus as an obscure and profound subject, and few have had the courage to carry out planned experiments with them. This handout can largely be read as a test report: it is the result of the author's reckless, risk-everything experimentation, undertaken in the spirit of "if I do not go into hell, who will?". The author hopes it will encourage the many experts in this country whose abilities far exceed the author's to join in research that benefits campus networks.

1. What is a firewall

A firewall is a set of hardware and software devices that separates two or more networks from each other, with their physical lines clearly divided. The separated networks can still communicate with each other through packet forwarding, and the firewall's security management mechanism decides which data may pass and which may not, thereby achieving network security.

Firewall products can be roughly divided into hardware firewalls and software firewalls. In practice, however, both kinds need hardware as the network interface and software to set the security policy, so strictly speaking the difference between the two is not large. They can only be distinguished by the hardware and operating system they use: a hardware firewall uses proprietary hardware and a proprietary operating system, while a software firewall uses general-purpose computer hardware and a general-purpose operating system.

Firewalls can be classified by how they operate into packet-filtering firewalls (packet filter), application-level gateway firewalls (application-level gateway, also known as proxy firewalls), and circuit-level gateway firewalls (circuit-level gateway). The most widely used is the packet-filtering firewall, and the iptables firewall introduced in this article belongs to this class.

Packet filtering is the earliest firewall technology to have been implemented; it operates at the IP layer of the four-layer TCP/IP architecture. The main function of a packet filter is to check whether the data in the header of every IP packet matches the configured filter conditions. The main ways of handling a packet are: accept (ACCEPT), discard (DROP), or reject (REJECT). To perform packet filtering, the firewall must be able to determine the source IP and destination IP from the packet, and must also be able to check the packet type, source port number and destination port number, packet direction, the network interface through which the packet enters the firewall, the TCP connection state, and other data.
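The header check described above, as an added example that is not part of the original handout and is not iptables code: it parses the IPv4 header and TCP/UDP ports from raw bytes, then applies an ordered rule list in which the first matching rule decides and a default policy covers everything else. The rule format, function names, interface names and addresses (RFC 5737 documentation ranges) are assumptions made for illustration, and the example is limited to stateless header matching (no TCP connection state).

```python
import ipaddress
import struct

def parse_headers(pkt: bytes) -> dict:
    """Extract the fields a packet filter inspects from a raw IPv4 packet."""
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; IP options move the ports
    fields = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
              "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
              "sport": None, "dport": None}
    if proto in (6, 17) and len(pkt) >= ihl + 4:  # TCP and UDP both begin with ports
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields

def matches(rule: dict, f: dict, iface: str) -> bool:
    """A rule matches only if every condition it sets is satisfied."""
    return (rule.get("in") in (None, iface)
            and rule.get("proto") in (None, f["proto"])
            and rule.get("dport") in (None, f["dport"])
            and ("src" not in rule or f["src"] in ipaddress.ip_network(rule["src"]))
            and ("dst" not in rule or f["dst"] in ipaddress.ip_network(rule["dst"])))

def filter_packet(rules, policy, pkt, iface):
    """First matching rule decides the verdict; otherwise the default policy applies."""
    f = parse_headers(pkt)
    for rule in rules:
        if matches(rule, f, iface):
            return rule["target"]
    return policy

def build_packet(src, dst, proto, sport=0, dport=0) -> bytes:
    """Constructed sample input: minimal IPv4 header (checksum left 0) plus ports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)

# Hypothetical campus ruleset (constructed); eth0 is assumed to face the Internet.
RULES = [
    {"in": "eth0", "src": "198.51.100.0/24", "target": "DROP"},
    {"in": "eth0", "proto": "tcp", "dst": "192.0.2.10/32", "dport": 80, "target": "ACCEPT"},
    {"in": "eth0", "proto": "tcp", "dport": 23, "target": "REJECT"},
]
POLICY = "DROP"
```

Rule order matters here: a packet from the blocked 198.51.100.0/24 range is dropped even when it targets the permitted web server, because the first rule matches before the second is consulted.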

For a variety of reasons, firewall prices have remained high, and for primary and secondary schools with little money, buying a firewall is simply an impossible task. Given the popularity of Linux, using Linux as a software firewall seems to be a good solution. This article introduces iptables, the newest and most powerful firewall software on Linux, and builds filtering rules suited to school use, so that schools short of funds can still have a good firewall guarding the door of the campus network.

A brief history of Linux firewall evolution

The first firewall software to appear on Linux was called IPFW. IPFW analyzes the IP packet header to identify the packet's source IP and destination IP, packet type, source port number and destination port number, packet direction, the network interface through which the packet enters the firewall, and so on, and compares the results of this analysis against the packet filtering rules. It also supports IP masquerading, which can be used to solve the problem of insufficient IP addresses. Unfortunately, the program lacked a flexible design: it could not create rule sets (ruleset) for more streamlined configuration, and it also lacked a network address translation function. Unable to cope with increasingly complex network environments, it was gradually phased out.


