  Using the Linux built-in firewall to improve network access control
  Add Date : 2017-08-31      
  Linux is well known for its security, so many companies now run their servers, such as file servers and web servers, on Linux. In the author's company, the Oracle database server, the file backup server, the mail server and the web server all run Linux. This article looks at the technique Linux uses to protect a server by strengthening network access control.

The firewall built into Linux improves network management and control mainly by packet filtering, which strengthens the security of network servers.

1. How the Linux firewall works

Consider how a Linux host handles the packets it receives and sends. A Linux host can be compared to a subway station, which usually has three passages. The first is the entrance: a passenger who wants to ride the subway must pass through it, and must hold a valid ticket. The second is the exit: a passenger leaving the station must also pass through it with a ticket. The third is the transfer passage: at an interchange station, a passenger can walk directly through it to another line.

A Linux host likewise has three passages. The first is the input interface (INPUT): any packet that needs to reach an application on the host must pass through it from the kernel into application space. The second is the output interface (OUTPUT): any packet sent by an application must pass through it into the kernel before the system sends it out. The third is the forwarding interface (FORWARD), which handles packets that pass through the host rather than being addressed to it.

Packet filtering on a Linux host means adding a packet filter at each of these three passages, like posting a guard at each one. When the "ticket" the passenger holds is valid, the guard lets it pass; when it is not, the guard refuses to let it through. In this way the network administrator can manage the packets the host transfers and control access to particular servers reasonably and effectively.

For example, to help prevent DDoS attacks, we can configure all hosts to refuse the ICMP protocol. Then any host on the LAN that tries to ping a Linux computer gets no response. And if an attacker has taken over hosts on the LAN as "zombies" and tries to launch a DoS attack through them, the ping commands cannot reach the rest of the LAN because we filter ICMP on the outbound interface (OUTPUT). In this way we protect network security at the root.

2. Configuring the Linux firewall

The Linux firewall is configured with one specific command, iptables. Suppose we now want to prevent the machines on the LAN from using the ping command; this is a good way of preventing DDoS attacks. To carry out a DDoS attack, the attacker first needs to find zombie hosts on the LAN and have many of them ping the server at the same time until the server's resources are exhausted and it goes down. If the ping command is disabled on every Linux host, the harm a DDoS attack can do is prevented and controlled as far as possible.

iptables -A OUTPUT -p icmp -j DROP

This command disables the ping command on the machine.

The iptables command configures the packet-filtering policy of the firewall; the filtering rules are built from this one simple command. -A appends a filter rule to the end of a chain; -p specifies the protocol type; -j specifies the target, that is, what to do with a matching packet. The command above therefore adds a filter rule to the output interface of the Linux host: when a packet's protocol type is ICMP, it is dropped.

ICMP has a characteristic, however. When we ping a host, that host first has to accept the request at its input interface and pass it up to the upper layer, and then it has to use its output interface to send the reply. If either interface blocks the traffic, for example if the host receives the request but does not respond, then the host doing the pinging reports that the destination is unreachable.

A filter rule can be placed on any one or more of the three interfaces of a Linux host described above: the input interface, the output interface and the forwarding interface. By combining the interface with packet-filtering conditions we achieve the firewall's management and control. In the following example, I will take a web server as an example and show how to manage the Linux host with its built-in firewall to improve its security.

3. Linux firewall configuration example

How do we use the firewall built into the Linux operating system to improve network management and control? Specifically, we can divide the work into three steps. First, open a "back door" on the Linux server that is dedicated to our network administrators for managing the server. Second, close the input, output and forwarding interfaces; at this point only administrators can connect to the server remotely, through the back door we opened, and no other channel can reach this host. Third, according to the purpose of the server, open the interfaces its services need.

Here the author takes a web server as an example and explains how to set up the firewall so that it improves the security of this server while not interfering with our network administrators' access.

Step one: open the back door

Network administrators typically manage Linux systems through SSH. Therefore, we first need to open a back door that lets network administrators log on to the server remotely via SSH and perform the necessary maintenance and management.

We can achieve this with two statements. Assume the web server's IP address is <WEB_SERVER_IP> (substitute the server's actual address):

iptables -A INPUT -p tcp -d <WEB_SERVER_IP> --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp -s <WEB_SERVER_IP> --sport 22 -j ACCEPT

The first statement, on the input interface, allows a network administrator to reach the host on TCP port 22; SSH normally uses port 22 over TCP. Its effect is to let the network administrator's connection reach the web server. But this alone is not enough for remote management, because management needs two-way interaction: the web server must be able to send responses back to us. For that we also need the second statement.

The second statement allows the web server to send data out over TCP from port 22, which is the source port of the server's SSH reply packets. With both rules in place, network administrators receive the responses from the web server.

Step two: close all interfaces

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

These three commands close the three interfaces of the web server by setting the default policy of each chain to DROP. Because we opened the back door in step one, the network administrator can still log in to the server via SSH and access it remotely. After these commands close each interface, the server can no longer be reached by HTTP, FTP or any other means.

Step three: analyse the server's use and add permit rules

After all the interfaces are closed, we need to add rules that allow the necessary types of packets through. Otherwise nobody else can reach the web server over the network, and what use is it then?

So the next task is to analyse the type of server. What we are configuring is a web server, and a web server is generally accessed over HTTP on port 80; by default this uses the TCP protocol with port 80. Therefore we only need to allow packets whose protocol is TCP and whose port is 80 through the input and output interfaces to achieve our goal.

iptables -A INPUT -p tcp -d <WEB_SERVER_IP> --dport 80 -j ACCEPT

iptables -A OUTPUT -p tcp -s <WEB_SERVER_IP> --sport 80 -j ACCEPT

With the above configuration, we have met our requirements.
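The three steps above combined into one script, as an added example rather than the article's own commands: it emits the rule set in iptables-restore format so it can be reviewed in a dry run and then loaded atomically, matches return traffic by connection state instead of one OUTPUT rule per port, and keeps loopback open. The address 192.0.2.10 is a constructed placeholder and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the three-step rule set
# (admin back door, default DROP, service ports) as an iptables-restore file.
# SERVER_IP is a constructed placeholder from the TEST-NET-1 range.
SERVER_IP="${SERVER_IP:-192.0.2.10}"

# build_ruleset <server-ip> <tcp-port>...  -- prints the rule set to stdout
build_ruleset() {
  ip="$1"; shift
  printf '%s\n' '*filter'
  # Step two: default policy DROP on all three chains.
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # Loopback must stay open, otherwise local services break.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  # Return traffic of accepted connections is matched by connection state,
  # so there is no separate OUTPUT rule (and no --dport/--sport mix-up) per port.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Steps one and three: new connections to the admin port and the service ports.
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# iptables-restore loads the whole file atomically and rejects it entirely on
# any syntax error, so a typo cannot leave a half-applied rule set behind.
apply_ruleset() {
  build_ruleset "$@" | iptables-restore
}

# Dry run prints the rules for review; APPLY=1 loads them (needs root).
if [ "${APPLY:-0}" = 1 ]; then
  apply_ruleset "$SERVER_IP" 22 80
else
  build_ruleset "$SERVER_IP" 22 80
fi
```

Run the dry run from an existing SSH session first and check that port 22 appears in the output before applying, since a rule set without it locks the administrator out.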

4. Notes on configuring the local Linux firewall

Here is some advice from my experience of using the Linux firewall to manage an enterprise network.

First, following the security and control design principle of least privilege, when we design the firewall we should begin by disabling all the interfaces entirely. Then, depending on the type of server, add statements that allow particular packets through. The purpose is to let only specific protocols and packets reach the server, which protects the server and the enterprise network as far as possible. With the server configured as above, it cannot be accessed over FTP, which also stops unauthorized visitors from attempting to attack the web server through FTP vulnerabilities. It also blocks ICMP, which can effectively prevent DDoS attacks, and so on.

Second, the firewall sometimes fails to cooperate with an application. For example, when an ERP server is deployed on a Linux server and the firewall is enabled at the same time, clients may be unable to connect to the server. This is not a conflict between the firewall and the ERP server; it is that we have not configured the firewall for it. In such cases I suggest disabling the firewall first, configuring the ERP server until other users can connect to it, and only then enabling the firewall. Before enabling it, we need to know exactly which protocols and ports the ERP server uses to transfer packets, and configure the firewall accordingly. Most of the time, client connection errors are caused by our not knowing which protocols and ports a server actually uses.
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.