Linux Firewall

  

1. Introduction to Firewalls

Firewall concept

A firewall filters datagrams and restricts specific services according to a series of rules. A firewall cannot by itself make a host secure: it cannot effectively resist viruses or Trojans, and it cannot protect against attacks launched from inside the network.

Specific functions of a firewall (including but not limited to):
● Restrict the FTP service so that it is open only to the local subnet, not to the external network.
● Restrict the server to accept only WWW requests from clients and provide no other services.
● Restrict connections so that they can only be initiated by the host where the firewall is located.
● Restrict certain data packets from entering certain ports of the host.
● Restrict datagrams from hosts with specific IP addresses.
● Restrict datagrams in a specific state, such as SYN packets.
● Restrict packets from specific MAC addresses.

Things to consider before setting up the firewall:
● Which IP addresses or network segments are trusted, and which are untrusted.
● Which services the host provides, and which of them need to be protected.
● Which datagram states the host may receive and which it may not (for example SYN packets and FIN packets).

Firewall categories

Firewalls are divided into hardware firewalls and software firewalls. A hardware firewall writes the firewall program into hardware, and the hardware performs the filtering. A software firewall is implemented by software in the operating system; this includes Netfilter and TCP Wrappers (the rest of this article deals only with software firewalls). By management scope, a firewall is either a network-segment firewall or a single-host firewall. By function, Netfilter filters according to the datagram, while TCP Wrappers filter according to the program. Netfilter filters on data in the datagram, such as the MAC address, the IP address, and the type or state of the datagram (TCP, UDP, ICMP). TCP Wrappers filter according to the program name: for example, to restrict the FTP service, just restrict the vsftpd program.

Firewall network topology

A firewall protects not only the host it runs on but also the hosts behind it, for example when the firewall is set up on a router. The main topologies are:
● The firewall is installed on the router between the local network (LAN) and the external network to protect the hosts on the local network, or a proxy server is set up on the firewall between the local network and the external network so that clients can only connect to the open WWW server.
● A firewall is set up inside the local network to prevent internal staff from damaging important services through misuse.
● The firewall is deployed between the servers and the external network, for example several servers sharing one firewall and using the same IP address to provide services externally. Security is greatly improved, and because the servers sit between two firewalls, problems on the internal network do not affect the servers.

2. TCP Wrappers

TCP Wrappers first check whether the service the client wants to connect to supports TCP Wrappers. If it does, /etc/hosts.allow is checked for the client's IP address: if it is listed there, the data is allowed into the host. If not, /etc/hosts.deny is checked: if the client's IP address is listed there, the data is rejected; if it is listed in neither file, the data is allowed into the host.

Services managed by xinetd (configured in the /etc/xinetd.d directory) support TCP Wrappers, as do services that link the libwrap.so module. You can use the ldd and grep commands to check whether a service contains the libwrap.so module, for example:

ldd $(which sshd) | grep libwrap

Configuration of /etc/hosts.allow

[root@localhost ~]# vim /etc/hosts.allow
ALL: 127.0.0.1                      # allow all services of this machine
rsync: 192.168.1.0/255.255.255.0    # an IP network segment allowed by the rsync service
rsync: 10.0.0.100                   # a specific IP address allowed by the rsync service

You can also put multiple addresses on one line, but one address per line is clearer.

Configuration of /etc/hosts.deny

[root@localhost ~]# vim /etc/hosts.deny
rsync: 192.168.1.0/255.255.255.0    # an IP network segment rejected by the rsync service
rsync: 10.0.0.100                   # a specific IP address rejected by the rsync service

Note: specify an IP network segment only with a subnet mask; CIDR notation cannot be used.
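As an added example (not from the original article), the following Python code reproduces the hosts.allow / hosts.deny decision order described above over constructed file contents; the daemon names and addresses are assumptions, and a CIDR prefix is rejected on purpose to match the note above.

```python
# Added example, not from the original article: simulate the TCP Wrappers
# decision order (hosts.allow first, then hosts.deny, otherwise allow) over
# constructed file contents. Only "daemon: client" lines with ALL, a single
# address or a net/mask pair are handled; a CIDR prefix raises an error.
import ipaddress

HOSTS_ALLOW = """\
ALL: 127.0.0.1
rsync: 192.168.1.0/255.255.255.0
rsync: 10.0.0.100
"""

HOSTS_DENY = """\
rsync: ALL
sshd: 203.0.113.0/255.255.255.0
"""

def parse_access_file(text):
    """Return [(daemon, [client patterns])] from hosts.allow/hosts.deny text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemon, clients = line.split(":", 1)
        entries.append((daemon.strip(), [c.strip() for c in clients.split(",")]))
    return entries

def client_matches(pattern, ip):
    """ALL, a single address, or net/mask with a dotted mask (no CIDR)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        if "." not in mask:
            raise ValueError("CIDR prefix length is not accepted: " + pattern)
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network((net, mask), strict=False)
    return ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(pattern)

def file_matches(entries, daemon, ip):
    # True if an entry names this daemon (or ALL) and one of its clients matches.
    return any(d in ("ALL", daemon) and any(client_matches(p, ip) for p in pats)
               for d, pats in entries)

def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide like tcpd: allow file first, then deny file, otherwise allow."""
    if file_matches(parse_access_file(allow_text), daemon, ip):
        return "ALLOW"
    if file_matches(parse_access_file(deny_text), daemon, ip):
        return "DENY"
    return "ALLOW"                                  # listed in neither file
```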

3. Netfilter

Netfilter is the most commonly used firewall mechanism and is configured through iptables.

3.1 The flow of datagrams into the host

iptables first analyzes the data of the datagram and then checks it against the pre-set rules one by one. If the datagram matches the current rule, it is either accepted into the host (ACCEPT) or discarded (DROP); which of the two depends on that rule. If the datagram does not match the current rule, the next rule is tried. If no rule matches, the default policy (Policy) is applied: accept or discard. Note: the order of the rules is very important. The whole process is as follows.

3.2 iptables tables and chains

iptables contains multiple tables, each table contains multiple chains, and each chain contains multiple rules. iptables contains at least three tables: filter, nat and mangle.
filter: manages datagrams entering and leaving the machine; the most commonly used table. Its chains are:
● INPUT: controls datagrams entering the host.
● OUTPUT: controls datagrams sent out by the host.
● FORWARD: passes datagrams on to backend hosts.
nat: translates the source IP address and port and the destination IP address and port; related to backend hosts. Its chains are:
● PREROUTING: rules applied before the routing decision (DNAT/REDIRECT).
● POSTROUTING: rules applied after the routing decision (SNAT/MASQUERADE).
● OUTPUT: controls datagrams sent out by the host.
mangle: deals with datagrams in a specific state.

3.3 The relationship between the chains of the tables

The figure shows the three directions in which iptables controls datagram flow:
● The destination of the datagram is this host (path A): after the routing decision finds that the datagram is destined for this host, the INPUT chain of filter controls the flow of the datagram.
● The destination of the datagram is a host behind this host (path B): the routing decision finds that the datagram is destined for a host behind this one, so the FORWARD chain of filter and the PREROUTING and POSTROUTING chains of nat control the flow of the datagram.
● The datagram is sent out by this host (path C): after the routing decision the datagram is sent out, for example when the server answers a client request or actively sends a datagram; the OUTPUT chain of filter and the POSTROUTING chain of nat control the flow of the datagram.
Summary: if the firewall only protects the host itself, it is enough to set the INPUT and OUTPUT chains of filter; if the firewall also protects hosts in the LAN, the FORWARD chain of filter and the PREROUTING, POSTROUTING and OUTPUT chains of nat must be set as well.

3.4 iptables syntax

3.4.1 Viewing the firewall

iptables options:
-t : specify the table, such as nat or filter; the default is filter
-L : list the rules of the table
-n : show addresses and ports numerically (no name resolution), which speeds up the display
-v : display detailed information, including the total number of datagrams matched

Example:

[root@localhost /]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8000
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8002
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8003
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6666
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8888
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:9001
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
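As an added example (not part of the original article), this Python walk of the INPUT chain from the listing above shows the first-match behaviour and default policy described in 3.1 and why the order of the rules matters. It assumes that the listing's third ACCEPT rule carries a match that -L -n does not print (interface matches only appear with -v) and leaves that rule out.

```python
# Added example, not from the original article: a first-match walk of the
# filter/INPUT chain from the `iptables -L -n` listing above. Packets are
# constructed dicts; "state" stands in for the conntrack state match.
# Assumption: the listing's third rule (ACCEPT all with no visible match)
# carries a match that -L -n does not print, so it is omitted here;
# run `iptables -L -n -v` to see interface matches.
from collections import namedtuple

# None in a field means "match anything", like an absent iptables match.
Rule = namedtuple("Rule", "target proto states dport")

PORTS_OPEN = (22, 80, 3306, 8000, 8001, 8002, 8003, 6666, 8888, 9001)

def input_chain():
    """The INPUT chain from the listing, in listed order."""
    rules = [Rule("ACCEPT", None, {"RELATED", "ESTABLISHED"}, None),
             Rule("ACCEPT", "icmp", None, None)]
    rules += [Rule("ACCEPT", "tcp", {"NEW"}, p) for p in PORTS_OPEN]
    rules.append(Rule("REJECT", None, None, None))   # catch-all, listed last
    return rules

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt["proto"]) and
            (rule.states is None or pkt["state"] in rule.states) and
            (rule.dport is None or rule.dport == pkt.get("dport")))

def walk_chain(rules, pkt, policy="ACCEPT"):
    """Target of the first matching rule; the chain policy if none matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy

def verdict(pkt, reject_first=False):
    """Verdict in the listed order, or with the REJECT rule moved to the top."""
    rules = input_chain()
    if reject_first:
        rules = [rules[-1]] + rules[:-1]       # wrong order: REJECT shadows everything
    return walk_chain(rules, pkt)

if __name__ == "__main__":
    ssh = {"proto": "tcp", "state": "NEW", "dport": 22}
    telnet = {"proto": "tcp", "state": "NEW", "dport": 23}
    print(verdict(ssh), verdict(telnet), verdict(ssh, reject_first=True))
```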
Copyright © Windows knowledge All Rights Reserved