Build Your Own Linux Firewall for Free


A firewall is a software or hardware product that establishes a security barrier between a trusted network and an untrusted network. The Linux kernel has packet-filtering capability: a system administrator can use a management tool to set up a set of rules and thereby build a Linux-based firewall. These rules filter the packets that the host receives, sends, or passes from one network card to another. This software, together with an idle PC, can replace expensive dedicated firewall hardware, which makes it worth considering for small and medium-sized enterprises or departmental users.

I. Firewall types and design strategies

Two methods are commonly used when building a firewall: packet filtering and application proxy services. Packet filtering means establishing packet-filtering rules; based on these rules and the information in the IP header, the network layer decides whether to accept or reject each packet. For example, it can allow or prohibit FTP as a whole, but it cannot disable individual FTP operations such as GET and PUT. An application proxy service is provided by a proxy server located between the intranet and the extranet. It works at the application layer and relays the various service requests, such as FTP and Telnet, that users make into and out of the network.

Firewalls today generally use one of three architectures: the dual-homed host, the screened host (Screened Host Firewall), and the screened subnet (Screened Subnet Firewall). In the dual-homed architecture, the computer performing the proxy service has at least two network interfaces and sits between the internal and external networks. In the screened host architecture, the computer performing the proxy service is connected only to hosts on the intranet. The screened subnet architecture adds a further layer of security to the screened host by inserting a perimeter network that separates the internal and external networks even more.

Firewall rules define which packets or services are allowed or rejected. There are two main strategies: allow everything first and then list what is rejected, or reject everything first and then list what is allowed. In general we adopt the second strategy. Logically, a short list of what is permitted through the firewall is easier to implement and check than a long list of what is rejected. And since new protocols and services keep appearing on the Internet, a default-deny policy leaves time to review their security vulnerabilities before they are allowed through the firewall.

II. Implementing a firewall on the Linux operating system

A Linux-based firewall is a composite firewall consisting of packet filtering, built on the packet-filtering capability of the kernel, combined with proxy services. Let's look at how to configure a dual-homed Linux firewall.

Because Linux kernels differ, the tools for setting up packet filtering differ too. IpFwadm is based on ipfw from Unix and only works with kernels before Linux 2.0.36; Linux 2.2 and later use Ipchains. IpFwadm and Ipchains work in a similar way. Of the four kinds of chains they configure, three are defined at kernel startup: the input chain, the output chain, and the forward chain; the fourth kind is the user-defined chain. The input chain defines the filtering rules for incoming packets, the output chain defines the rules for outgoing packets, and the forward chain defines the rules for forwarded packets. Together these chains determine how incoming and outgoing IP packets are handled. When a packet arrives on a network card, the kernel uses the rules of the input chain to decide what happens to it. If it is accepted, the kernel determines where the packet goes next. If it is destined for another machine, the kernel applies the rules of the forward chain; before any packet is sent out, the kernel applies the rules of the output chain.

Each rule in a chain is matched against the IP packet in turn. If the packet does not match the first rule, the next rule is checked. When a matching rule is found, that rule specifies the target of the packet. The target may be a user-defined chain or one of ACCEPT, DENY, REJECT, RETURN, MASQ, and REDIRECT. ACCEPT means the packet is permitted; DENY means it is dropped silently; REJECT means it is dropped but an ICMP reply is generated to the sender; RETURN means rule processing stops and jumps to the end of the chain; MASQ applies to the user-defined chains and the outgoing chain and makes the kernel masquerade the packet; REDIRECT works only in the input chain and user-defined chains and makes the kernel redirect the packet to a local port. For MASQ and REDIRECT to work, select CONFIG_IP_MASQUERADE and CONFIG_IP_TRANSPARENT_PROXY when compiling the kernel.

Suppose a LAN is to be connected to the Internet. The public network address is 202.101.2.25, and the intranet uses private Class C addresses from the range 192.168.0.0 to 192.168.255.0 specified in RFC 1597. For ease of explanation we take 3 computers as an example; in practice this can be expanded to a maximum of 254 computers. The steps are as follows:

1. Install two network cards, eth0 and eth1, in one Linux host. Assign the internal private network address 191.168.100.0 to eth0, which connects to the intranet, and assign the public address 202.101.2.25 to eth1, which connects to the Internet.

2. Set up the input, forward, output, and user-defined chains on the Linux host. This article first allows all traffic in and out and also allows forwarding, but prohibits certain dangerous packets, such as IP-spoofing packets, broadcast packets, and ICMP packets used in service-type attacks. The specific settings are:

(1) Flush all rules.
(2) Set the initial (default) rules.
(3) Set the local loopback rule: packets between local processes are allowed to pass.
(4) Prohibit IP spoofing.
(5) Prohibit broadcast packets.
(6) Set the eth0 forwarding rules.
(7) Set the eth1 forwarding rules.

Save the rules to the file /etc/rc.firewallrules, give the file execute permission with chmod, and add the line /etc/rc.firewallrules to /etc/rc.d/rc.local so that the rules take effect when the system boots.

With the configuration above, we can build a packet-filtering firewall based on the Linux operating system. It has the advantages of simple configuration, high security, and strong resilience, and in particular it uses an idle computer and the free Linux operating system to obtain the maximum firewall for the minimum investment. If you add a proxy server as well, such as the free TIS Firewall Toolkit package, you can build an even more secure composite firewall.
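The following script is an added example, not code from the original article. It turns steps (1) through (7) into a generated /etc/rc.firewallrules file for the dual-homed host described above. It assumes eth0 faces the intranet 192.168.100.0/24 (an assumed network inside the RFC 1597 range the article names) and eth1 faces the Internet with the article's public address 202.101.2.25. Beyond the article's "allow everything, then deny the dangerous packets" setup, it can also emit the default-deny variant that Section I recommends; the ICMP rule blocks Internet-side echo requests (ICMP type 8) as one concrete reading of "ICMP attack packets". The rule text is printed rather than executed directly so it can be reviewed before it is installed.

```shell
#!/bin/sh
# Added example: generate and install an ipchains rule set for a dual-homed
# Linux 2.2 firewall. Interface and address assignments below are assumptions
# (only 202.101.2.25 comes from the article).
INT_IF=eth0                     # intranet side (assumed)
INT_NET=192.168.100.0/24        # intranet network (assumed, RFC 1597 range)
EXT_IF=eth1                     # Internet side (assumed)
EXT_ADDR=202.101.2.25           # public address from the article
RULES_FILE=${RULES_FILE:-/etc/rc.firewallrules}

# Print the rule set, one ipchains command per line.
# $1 = permissive  : allow by default, deny dangerous packets (the article's setup)
#      restrictive : deny by default, allow only what the intranet needs
firewall_rules() {
    mode=${1:-permissive}
    case "$mode" in
    permissive|restrictive) ;;
    *) echo "firewall_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac

    echo 'ipchains -F'                                  # (1) flush all chains
    if [ "$mode" = permissive ]; then                    # (2) default policies
        echo 'ipchains -P input ACCEPT'
        echo 'ipchains -P output ACCEPT'
        echo 'ipchains -P forward ACCEPT'
    else
        echo 'ipchains -P input DENY'
        echo 'ipchains -P output ACCEPT'
        echo 'ipchains -P forward DENY'
    fi
    echo 'ipchains -A input -i lo -j ACCEPT'             # (3) local loopback

    # (4) anti-spoofing: private, loopback or our own public address must never
    #     arrive from the Internet side; -l logs each match for detection
    echo "ipchains -A input -i $EXT_IF -s $INT_NET -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s 10.0.0.0/8 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s 172.16.0.0/12 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l"
    echo "ipchains -A input -i $EXT_IF -s $EXT_ADDR -j DENY -l"

    # (5) broadcast packets, plus echo requests (ICMP type 8) from the Internet
    echo "ipchains -A input -i $EXT_IF -d 255.255.255.255 -j DENY"
    echo "ipchains -A input -i $EXT_IF -p icmp -s 0/0 8 -j DENY -l"

    if [ "$mode" = restrictive ]; then
        # intranet hosts may talk to the firewall; from the Internet accept only
        # TCP packets that are not connection openers (! -y: no SYN-only) and
        # DNS replies. ipchains is stateless, so this is the best approximation
        # of "replies to connections we started".
        echo "ipchains -A input -i $INT_IF -s $INT_NET -j ACCEPT"
        echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
        echo "ipchains -A input -i $EXT_IF -p udp --source-port 53 -j ACCEPT"
    fi

    # (6)/(7) forwarding: intranet traffic leaving through eth1 is masqueraded
    #         behind the public address; replies are de-masqueraded by the kernel
    echo "ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Write the rule set to RULES_FILE, make it executable, run it, and hook it into
# /etc/rc.d/rc.local once so it is applied at boot (as the article describes).
install_rules() {
    firewall_rules "${1:-permissive}" > "$RULES_FILE" || return 1
    chmod 755 "$RULES_FILE"
    sh "$RULES_FILE" || return 1
    if ! grep -q "$RULES_FILE" /etc/rc.d/rc.local 2>/dev/null; then
        echo "$RULES_FILE" >> /etc/rc.d/rc.local
    fi
}

# Usage: sh firewall.sh show [permissive|restrictive]   -> print the rules
#        sh firewall.sh install [permissive|restrictive] -> install as root
case "${1:-}" in
show)    firewall_rules "${2:-permissive}" ;;
install) install_rules "${2:-permissive}" ;;
esac
```

Review the output of `show` before running `install`: in restrictive mode every service the intranet relies on beyond TCP replies and DNS needs its own explicit ACCEPT rule, which is exactly the short allow-list the default-deny strategy calls for.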
