Setting up a firewall on a Linux proxy server


Broadly, there are two strategies for building a firewall on Linux. The first is default-deny: start by blocking all input, output and forwarding of packets, then open individual services one by one as users actually need them. This is the more secure approach, but it requires the administrator to account for every service the users need, with nothing left out, and to know exactly which ports and protocols each service uses. The second is default-allow: start by accepting all input and output, then explicitly block known-dangerous traffic such as IP-spoofed packets, broadcast packets and ICMP-based attacks; application-layer services such as HTTP, sendmail, POP3 and FTP can then be started or installed selectively. This is less secure, but far easier to configure: a basic firewall can be set up without much knowledge of the ipchains command.

The proxy server I manage is an IBM Netfinity 3000 running RedHat Linux 6.2 and Squid-2.3. It has two network cards: the external card is eth0 ( ) and the internal card is eth1 ( ); the clients' IP addresses are . I followed the second method, and the procedure is as follows:

After installing the system, log in as root and use vi to create a script named firewall.rules in the /etc/rc.d/ directory. Once it is written, run chmod 755 firewall.rules so that it is executable; then open /etc/rc.d/rc.local with vi and add the line /etc/rc.d/firewall.rules so that the rules are applied every time the machine boots.

The contents of the firewall.rules file are omitted here.

If your machine has only one network card and dials up over a modem, the card connected to the internal network is then eth0 (its IP address is ) and the external interface is ppp0. In that case change eth0 to ppp0 wherever it appears in firewall.rules; if the file also names the internal card as eth1, change those occurrences to eth0 afterwards (do the eth0-to-ppp0 substitution first, or the two will collide). Once the firewall rules are in place, disable all unnecessary services in /etc/inetd.conf, leaving only ftp and telnet, and set /etc/hosts.allow and /etc/hosts.deny so that only certain administrative hosts on the internal network can log in to the firewall. This setup runs successfully in my environment and also solved the problem of Outlook Express clients sending and receiving mail.
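As an added example, not the author's own firewall.rules (whose contents are not on the page), the following is what a default-allow ipchains script of the kind described above looks like. The interface names eth0/eth1 follow the text; the internal network 192.168.1.0/24, the protected ports 21, 23 and 3128, and the masquerading rule that lets the LAN's mail clients out (Squid only proxies HTTP and FTP) are assumptions. Setting DRY_RUN=1 prints the commands instead of applying them, and EXT_IF=ppp0 INT_IF=eth0 covers the single-card, dial-up case without editing the file.

```shell
#!/bin/sh
# /etc/rc.d/firewall.rules -- added example of the "default-allow, then deny the
# dangerous traffic" strategy with ipchains (Red Hat 6.2 / kernel 2.2).
# Not the author's script. Assumed values: internal LAN 192.168.1.0/24,
# admin/proxy ports 21, 23 and 3128. Override with environment variables,
# e.g. EXT_IF=ppp0 INT_IF=eth0 for a single NIC plus modem.
EXT_IF=${EXT_IF:-eth0}                  # card facing the Internet
INT_IF=${INT_IF:-eth1}                  # card facing the LAN
INT_NET=${INT_NET:-192.168.1.0/24}      # assumed LAN range
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Run a command, or just print it when DRY_RUN=1 (review the rules before boot).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Start from a clean slate: accept input/output by default (strategy two),
    # but do not forward anything except what is explicitly masqueraded below.
    run "$IPCHAINS" -F
    run "$IPCHAINS" -P input ACCEPT
    run "$IPCHAINS" -P output ACCEPT
    run "$IPCHAINS" -P forward DENY

    # Anti-spoofing: packets arriving from the Internet must not claim a LAN,
    # loopback, unspecified or RFC 1918 source address (-l logs the attempt).
    for net in "$INT_NET" 127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPCHAINS" -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done
    # ...and packets from the LAN side must carry a LAN source address.
    run "$IPCHAINS" -A input -i "$INT_IF" -s ! "$INT_NET" -j DENY -l

    # Broadcast packets from outside (smurf-style amplification) are dropped.
    run "$IPCHAINS" -A input -i "$EXT_IF" -d 255.255.255.255 -j DENY

    # ICMP from outside: no echo-request (type 8) or redirect (type 5).
    # ipchains takes the ICMP type in the "source port" position.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -s 0.0.0.0/0 8 -j DENY
    run "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -s 0.0.0.0/0 5 -j DENY -l

    # The services left enabled (ftp, telnet) and the Squid port must only be
    # reachable from the LAN: refuse new TCP connections (-y = SYN only) from outside.
    for port in 21 23 3128; do
        run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -y -d 0.0.0.0/0 "$port" -j DENY -l
    done

    # Squid proxies only HTTP/FTP; LAN mail clients (SMTP/POP3) reach the Internet
    # via masquerading, which needs forwarding turned on in the kernel.
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Apply only when run as /etc/rc.d/firewall.rules (e.g. from rc.local); when
# sourced or executed under another name nothing is touched.
case "${0##*/}" in
    firewall.rules) apply_rules ;;
esac
```

Keeping the forward policy at DENY and masquerading only the LAN range is a deliberate departure from a pure "accept everything" start: it stops the box from routing for any host that can send it packets, while still letting the internal mail clients out. Run `DRY_RUN=1 sh /etc/rc.d/firewall.rules` with the `case` line temporarily replaced by `apply_rules`, or source the file and call `DRY_RUN=1; apply_rules`, to inspect the exact ipchains commands before they are applied at boot.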
