  Teach you self-built Linux firewall free
     
  Add Date : 2017-08-31      
         
         
         
A firewall is a security barrier, implemented in software or hardware, placed between a trusted network and an untrusted one. The Linux kernel has packet-filtering capability: the system administrator uses a management tool to define a set of rules, and the host then filters the packets it receives, sends or forwards from one network adapter to another according to those rules. A spare PC running Linux can in this way replace an expensive dedicated hardware firewall, which is worth considering for small and medium enterprises or departmental users.

First, firewall types and design strategies

Two techniques are commonly used when building a firewall: packet filtering and application proxy services. Packet filtering sets up filtering rules and, at the network layer, decides from these rules and the IP header information whether a packet is allowed through or denied. It can, for example, allow or prohibit FTP, but it cannot prohibit specific FTP features (such as the use of Get and Put). An application proxy service is a proxy server that sits between the internal and external networks; it works at the application layer and makes the various network service requests, such as FTP and Telnet, on behalf of users.

Firewalls today generally use the dual-homed host (Dual-homed Firewall), screened host (Screened Host Firewall) or screened subnet (Screened Subnet Firewall) architectures. In the dual-homed host architecture, the computer that performs the proxy service has at least two network interfaces and sits between the internal and external networks. In the screened host architecture, the computer that performs the proxy service is connected only to the internal network. The screened subnet architecture adds a further layer of security to the screened host architecture: a perimeter network is inserted, separating the internal and external networks still further.

Firewall rules define which packets or services are allowed or denied to pass, and there are two strategies for writing them. One first allows all access and then specifies what is refused; the other first rejects all access and then specifies what is allowed. In general we use the second strategy: logically, specifying the smaller list of what the firewall allows through is easier to implement correctly than specifying the larger list of what it denies. And as the Internet develops, new protocols and services keep appearing; with a default-deny policy there is time to review them for security vulnerabilities before they are allowed through the firewall.

Second, implementing a firewall based on the Linux operating system

Because the Linux kernel itself provides packet filtering, a Linux-based firewall can be a pure packet-filtering firewall or a composite of packet filtering and a proxy service. Let us now look at how to configure a Linux firewall on a dual-homed host.

Because the packet-filtering tools differ between kernel versions, the way rules are set up differs too. IpFwadm, based on ipfw from Unix, applies only to kernels up to Linux 2.0.36; Linux 2.2 and later use Ipchains. IpFwadm and Ipchains work very similarly. Both are configured through four kinds of chains: three are defined when the Linux kernel starts, the input chain (InputChains), the output chain (OutputChains) and the forward chain (ForwardChains), and in addition there are user-defined chains (UserDefinedChains). The input chain holds the filtering rules for packets flowing in, the output chain those for packets flowing out, and the forward chain those for packets being forwarded.

These chains decide how incoming and outgoing IP packets are handled. When a packet arrives from a network card, the kernel uses the rules of the input chain to decide what happens to it; if it is allowed, the kernel decides where to send it next, and if that is another machine the kernel applies the rules of the forward chain; before a packet is sent out, the kernel applies the rules of the output chain. The rules of a chain are tried against the IP packet in order: if the packet does not match the first rule, the next rule is checked, and when a matching rule is found the target that rule specifies is applied to the packet. The target may be a user-defined chain or Accept, Deny, Reject, Return, Masq, Redirect and so on.

Accept allows the packet; Deny drops it silently; Reject drops it but sends an ICMP reply back to the sender; Return stops rule processing and jumps to the end of the chain; Masq makes the kernel masquerade the packet and is valid only in the forward chain and user-defined chains; Redirect makes the kernel redirect the packet to a local port and is valid only in the input chain and user-defined chains. For Masq and Redirect to work, the options Config_IP_Masquerading and Config_IP_Transparent_Proxy must be selected when compiling the kernel.

Suppose you have a LAN to connect to the Internet, with one public address, 202.101.2.25. The intranet uses private addresses as provided by RFC 1597, i.e. the class C range 192.168.0.0 ~ 192.168.255.0. For convenience of explanation we take three computers as an example; in fact this can be expanded to as many as 254 computers.

The specific steps are as follows.

1. Fit the Linux host with two network cards, eth0 and eth1. Assign the internal card eth0 the private address 191.168.100.0, to connect the intranet; assign the card eth1 the public address 202.101.2.25, to connect to the Internet.

2. On the Linux host, set up the input, forward, output and user-defined chains. In this article we first allow all traffic to flow in and out, and also allow forwarding of packets, but then deny certain dangerous packets, such as IP spoofing packets, broadcast packets and the ICMP packets used in denial-of-service attacks.

The specific settings are as follows.

(1) Flush all rules.
(2) Set the initial rules (the default policy of each chain).
(3) Set the rules for the local loopback: packets between local processes are allowed.
(4) Prohibit IP spoofing.
(5) Prohibit broadcast packets.
(6) Set the forwarding rules for eth0.
(7) Set the forwarding rules for eth1.

Save the rules in the file /etc/rc.firewallrules, give the file execute permission with chmod, and add the line /etc/rc.firewallrules to /etc/rc.d/rc.local, so that the rules take effect when the system starts.
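To make the seven steps concrete, here is an added example (not the article's own script, which is not reproduced on this page) that generates the ipchains rule set for the dual-homed host and writes it out as the rc.firewallrules boot script. It assumes the interfaces are eth0 (inside) and eth1 (outside, 202.101.2.25) and that the internal network is 192.168.100.0/24, which is how I read the article's 191.168.100.0 within the RFC 1597 range it cites. It defaults to printing the commands rather than applying them, so the rule set can be reviewed first. It also shows the default-deny strategy of the first section applied to the forward chain, and the ACCEPT, DENY and MASQ targets from the chain description.

```shell
#!/bin/sh
# Added example, not the article's own script: the seven-step ipchains rule set
# for the dual-homed host described above, generated so it can be reviewed
# before it is applied. Assumptions: interfaces eth0 (inside) and eth1 (outside,
# 202.101.2.25), internal network 192.168.100.0/24 inside the RFC 1597 block the
# article cites. DRY_RUN=1 (default) prints each command instead of running it;
# DRY_RUN=0 applies the rules as root on a 2.2-series kernel with ipchains.

DRY_RUN="${DRY_RUN:-1}"
INT_IF="eth0"               # private side (the article writes ech0)
EXT_IF="eth1"               # public side (the article writes ech1)
INT_NET="192.168.100.0/24"  # assumed internal network
EXT_ADDR="202.101.2.25"     # public address from the article

# Every rule passes through here; in dry-run mode it is printed, not executed.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

build_rules() {
    # (1) flush all rules from the input, output and forward chains
    rule -F
    # (2) initial policy: traffic in and out is accepted by default and the
    #     dangerous cases below are denied; forwarding is opened only by the
    #     explicit rules in (6) and (7), stricter than the article's default
    rule -P input ACCEPT
    rule -P output ACCEPT
    rule -P forward DENY
    # (3) local loopback: packets between local processes are always allowed
    rule -A input -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT
    # (4) IP spoofing: a packet on the public interface must not claim a private
    #     source or our own public address, and a packet on the internal
    #     interface must come from the internal network; -l logs each match
    rule -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    rule -A input -i "$EXT_IF" -s "$EXT_ADDR" -j DENY -l
    rule -A input -i "$INT_IF" -s ! "$INT_NET" -j DENY -l
    # (5) broadcast packets from outside, plus ICMP echo requests used to flood
    #     the host (the ICMP denial-of-service case the article names)
    rule -A input -i "$EXT_IF" -d 255.255.255.255 -j DENY -l
    rule -A input -i "$EXT_IF" -s 255.255.255.255 -j DENY -l
    rule -A input -i "$EXT_IF" -d 0.0.0.0 -j DENY -l
    rule -A input -i "$EXT_IF" -p icmp --icmp-type echo-request -j DENY -l
    # (6) forwarding towards the internal interface: replies to internal hosts
    #     (on the forward chain, -i names the outgoing interface in ipchains)
    rule -A forward -i "$INT_IF" -d "$INT_NET" -j ACCEPT
    # (7) forwarding out of the public interface: internal hosts leave
    #     masqueraded behind the public address (needs IP masquerading in the kernel)
    rule -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
}

# Forwarding between the two cards stays off until the kernel switch is set.
enable_forwarding() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Number of ipchains commands the rule set generates (sanity check for review).
rule_count() {
    ( DRY_RUN=1; build_rules ) | grep -c '^ipchains '
}

# Write the rule set as the stand-alone boot script the article describes,
# make it executable, and print the line to append to /etc/rc.d/rc.local.
install_rules() {
    target="$1"
    {
        echo '#!/bin/sh'
        echo '# packet-filter rules for the dual-homed host; run from /etc/rc.d/rc.local'
        ( DRY_RUN=1; build_rules; enable_forwarding )
    } > "$target"
    chmod 755 "$target"
    echo "$target   # append this line to /etc/rc.d/rc.local"
}

# Stand-alone use: print the rule set, or write it with --install [path].
case "${1:-}" in
    --install) install_rules "${2:-/etc/rc.firewallrules}" ;;
    *)         build_rules; enable_forwarding ;;
esac
```

Run it with no arguments to see the commands; `DRY_RUN=0` applies them as root on a 2.2-series kernel, and `--install /etc/rc.firewallrules` writes the boot script the article asks for. Order matters because chains are tried first-match: the anti-spoofing and broadcast denials sit ahead of anything permissive that a later administrator might append.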

With the configuration steps above we can build a packet-filtering firewall based on the Linux operating system. Its configuration is simple and its security and resilience are strong; in particular, idle computers and the free Linux operating system let us build a firewall with minimum investment and maximum output. If a proxy server such as the free TIS Firewall Toolkit package is added on top of the packet filtering, an even more secure composite firewall can be built.
     
         
         
         
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.