Simple firewall construction and traffic statistics

xiaoxiao2021-03-06 56

Prizted

The firewall is basically in order to prevent others to access your network, and control the import and export of information on the network. On one end of the firewall connect the external network (via real IP), the other end connects the internal network (virtual IP), will you The internal network is separated from the external network. The firewall has become the only channel to enter your internal network. Therefore, any imported information must pass the firewall, and then determine whether it can be passed by the firewall, so there is more addition to the security. Week guarantee.

In addition, two heavyweight software is also introduced, and it is convenient to monitor network traffic and past network packets, which should also be one of the functions in the firewall.

2. Types of firewall

2.1 Packet filter

The function of the packet filter is to obtain each packet, filter according to the set rules, see if the delivery of the packet is allowed to transmit or reject the package, the packet filter exists in the network layer, and does not affect the packet data of. There is an IPchains kit in Redhat Linux (over 6.0 or more), which can be done via it to do packet filters.

2.2 Proxy Server (Proxy FireWalls)

The proxy server is often referred to as an application gateway, allowing indirect access to the interconnection through the firewall.

3. Start the firewall

Network location conversion NAT (NetWord Address Translation)

Since the development of the interconnection network is increasing, the number of computers is also increasing, resulting in the current IP lack of IP, an IP is hard to find, so solving the use of virtual IP, I believe that virtual IP will become a future trend. The network retains a specific IP supply to private virtual network, which will not find these three groups in real networks, these virtual IP addresses are: Class A 10.0.0.0 ~ 10.255.255.255

Class B 172.16.0.0 ~ 172.31.255.255

Class C 192.168.0.0 ~ 192.168.255.255

3.1 View the network card status

First of all, there must be two network card interfaces, an external (use of real IP) Eth1, one-piece (using virtual IP) Eth0, execute ifconfig -a

There will be a set value of the network card, see if two network cards have caught.

It should be noted here that it may be that the set value of ETH0 and Eth1 is the opposite, that is, the Eth0 corresponds to the true IP. Eth1 corresponds to the virtual IP, and the author's work, If this is the case, you must make changes, no, the network will not connect, will mention it below.

It is possible that when the system is powered on, it may be card that is on the screen, it may be like this, it is recommended to take off a network card to turn on, and then insert it. IFConfig -a | More

See the network card interface currently started, currently set up a full state

3.2 Profile / etc / sysconfig / network

If there is only one network card, we will directly install another network card, first switch the directory to / etc / sysconfig, there is a file network, its content is:

The forward_ipv4 is set to YES to start the IP camouflage conversion

3.3 / etc / sysconfig / net-scripts / ifcfg-eth1

Then go to the / etc / sysconfig / network-scripts directory, there will be the following files

At present, we have to pay attention to the two files of ifcfg-eth0, ifcfg-eth1. After you installed, it only has IFCFG-ETH0 file, and there is no IFCFG-Eth1. First copy the IFCFG-ETH0 into IFCFG-Eth1, execute the CP ifcfg-eth0 IFCFG-ETH1 where IFCFG-ETH1 is the setting file of the external network card, according to their own equipment, its content is: the first line designated network card The interface is: Eth1

The third line designated broadcast address is: 192.192.73.255

The fourth line designated IP address is: 192.192.73.35

The fifth line designated network mask is: 255.255.255.0

The sixth line designated network number is: 192.192.73.0

The seventh line specifies whether it will start the network card interface after booting

3.4 Profile / etc / sysconfig / network-scripts / ifcfg-eth0

In this case, we directly modify the setup IFCFG-ETH0, as an internal virtual network card interface, its content is: The interface of the first line specifies the network card is: eth0

The third line designated broadcast address is: 192.168.1.255

The fourth line designated IP address is: 192.168.1.1

The fifth line designated network mask is: 255.255.255.0

The sixth line designated network number is: 192.168.1.0

The seventh line specifies whether it will start the network card interface after booting

In this internal network we specified, the network number is 192.168.1.0, and the broadcast number is 192.168.1.255, the truly available virtual IP address is 192.168.1.1 ~ 192.168.1.254.

3.5 launch network card

Start the shutdown to execute ifconfig eth0 Upifconfig Eth0 Down Execute ifconfig eth1 Upifconfig Eth1 Down

3.6 Setting the routing table

When the above configuration file is set, after startup, we must build Route for these two networks.

Route's command is: Route Add -Net Network Address Netmask Device

Network segment real network segment Virtual network segment network 192.192.73.0192.168.1.0 network number (Network 255.255.25.0255.255.255.0 Gateway 192.192.73.1192.168.1.1

Treatment of the real network segment: route add -net 192.192.73.0 Netmask 255.255.255.0 GW 192.192.73.1

Treatment of virtual network segment routing: route add -net 192.168.1.0 Netmask 255.255.255.0 GW 192.168.1.1

Its routing table is: ROUTE-N

In this way, two network cards are installed, and Eth1 is as an external network card (real IP), and Eth0 is the internal network card (virtual IP).

3.7 test

As an internal network interface with Eth1, its virtual IP address is 192.168.1.0 ~ 192.168.1.255 because its first is the network number, the last is a broadcast number, so the virtual IP available is 192.168.0.1 ~ 192.168. . 255.254, we set the gateway to 192.168.0.1, the subnet mask is set to 255.255.255.0, and the IP between 192.168.1.2.192.168.1.254 is allocated to the internal machine, and the internal machine is You can communicate with each other ('ping'), but for connecting, you still need a step, that is, using a program, ipchains reach this. For the above problems, if you want to connect the internal machine to the external network, you can perform: / sbin / ipchains -a forward -s 192.168.0.0/24 - d 0.0.0.0-0 -j Masq / sbin / ipchains -P forward deny

The first command will use the package of the source 192.168.0.0 ~ 192.168.255.255 to send the camouflage package to the preset route to the external network.

The second command will set the Forward's preset policy to Deny.

You can add these two lines to the /etc/rc.d/rc.local file, making it executing each time.

For IPchains, will be described in more detail below.

4. Packing filter firewall ipchains

If you are using the new version of Linux, there will be ipchains' suits, you can use it directly to build a package filter firewall.

4.1 ipchains syntax

Its option, source IP, destination IP, Port can not be added, expressed as all.

Ipchains syntax:

ipchains command input / forward / output option source IP port destination IP port -j target

example:

Ipchains -a INPUT -P all -s 192.168.1.2 -d eef.Oit.edu.tw 23 -j deny

4.2 ipchains command

There are two forms to specify, full name or abbreviation.

--Add -a Add a new IPChains rule - Delete -d deletes the first IPChains rule, or an IPChains rule - ISERT -I inserts a new IPChains rule, and inserts the number in the specified rule, if the number is 1 is expressed as the first one. --Replace -R replaces the selected rule that replaces the numbers in the specified rules. --List -l lists the selected IPChains rules, if there is no rule being specified, all rules are listed. - Flush -f Clear an IPChains rule (for example, Input, Output, Forward) This is equivalent to deleting the efficacy of the rule. --Zero -z zero the packet and bit component counter in all rules can also be used to specify the -l, -list (list) option, will list the previous information, then listen to the zeroing information. - CHECK-C checks whether the package violates the rules set, this is a quite useful test, which is -S (source), -d (destination), -P (protocol), -i (interface) is even more necessary. --New -n produces a new user-defined. -Delete-chain -x deletes the rule defined by the user, and if no parameters specify, it will all definition rules. --Policy -P sets the target's policy, only Input, Forward, Output can be set. --Masquerade -m This option can be viewed to see the current camouflage connection (with -l option), or set the kernel camouflage parameters (-S option). --Set -s sets the camouflage stop time variable --Help -h lists descriptions describing the command syntax. 4.3 ipchains parameter options

There are two forms to specify, full name or abbreviation.

Use '!' To define the opposite meaning: exclamation mark '!' Has the meaning of 'not', there are many options to add '!' To use, said not to mean.

For example: -s! Localhost

Description: Indicates that the source address except for LocalHost can be.

--Proto -P [!] Protocol Agreement: You can use numbers or names, such as TCP, ICMP, UDP, and ALL.

example:

Ipchains -a INPUT -P TCP -S 192.168.1.3 -d EEF.Oit.edu.tw ftp -j deny

Note: The host of the source address 192.168.1.3 cannot do FTP's action request to EEF.OIT.EDU.TW.

--Source -s [!] Specifies the source address. - Source-port [!] Port specifies the source of the source. --Destination -d [!] Specifies the destination order --Destination-port [!] Specifies the port --ICMP-TYPE [!] type name of the destination, specify the ICMP type-Iterface -i [!] network interface name , LO, Eth0, Eth1. --Jump -j Specifies the target of the rule, if not specified, this rule is not useless. --Numeric -n cancels the DNS query, directly using IP --LOG -L, records information about IPChains, recorded in / var / log / messages. --Verbose -v complete mode, the interface name, rule, TOS camouflage, packet and bit yuan group count will also be listed, must be used with -l. [!] --Syn -y is only in accordance with the TCP package when SYN settings - TOS -T TYPE OF Service [!] --Version -v lists the version of Ipchains - bidirectional -b two-way mode 5. Package Filter firewall IPchains operating rules

5.1 ipchains rules

First list the rules of IPChains:

Ipchains -l

Divided into three parts:

Input Chains: Filter rules when entering, for example:

Ipchains -a INPUT -P TCP -S 192.168.1.3 -d 192.192.69.36 www -j deny

Prohibition of 192.168.1.3 Source address to access the destination 192.192.69.36

Forward Chain: Rules to perform IP camouflage, for example:

Ipchains -a forward -s 192.168.1.0/24 -d 0.0.0.0/24 -j Masq

Start IP camouflage from 192.168.1.0 ~ 255

Output Chain: Filter rules (opposite to INPUT), for example:

Ipchains -a output -p tcp -s 192.192.69.36 www -d 192.168.1.3 -j deny

The function is the same as INPUT, but the source address, the destination site is to be exchanged

Each set of rules must be in line with the situation and what to do (target).

For example, you may have to reject the package of ICMP from IP address 192.168.1.3, so our conditions must be an agreement ICMP and source address must be 192.168.1.3, the destination is 192.192.69.39, this host (If it is not set, it is all), the target is 'deny'.

The directive readings are:

Ipchains -a INPUT -P ICMP -S 192.168.1.3 -D 192.192.73.35 -J Reject

5.2 usage

Add new rules -A:

We increase the rules of (-a) 'input', to specify the source address of the package ('-S 192.168.1.3') and agreement ('-P ICMP'), and should be rejected ('-j deny') .

example:

Ipchains -a input -s 192.168.1.3 -p icmp -j deny

Note: Reject ICMP packet from 192.168.1.3.

Delete rule -D:

We have two ways to delete the IPChains rules. First we know that only one in 'Input' is (just above), the first, so we can use numbers to delete ..

example:

Ipchains -d INPUT 1 Description: Delete the first one in the Input rule.

The second method is similar to the increase in new rules, but it is increasing (-A) to replace it (-d), this method is very easy to use if you set a lot of rules, you don't have to Go to the number it is the first, as long as you do it, you must do it once.

example:

Ipchains -d input -s 192.168.1.3 -p icmp -j deny

5.3 Specification specification

Use '-P' to specify the specified species, where the agreement is divided into 'TCP' (user database protocol), 'ICNET Control Message Protocol or all (all), in this The agreement is not written without case, and can replace the agreement with a number.

There is a variety of agreements in / etc / protocols, where TCP is 6, UDP is 17, ICMP is 1.

TCP (Transfer Control Agreement): Located in the application layer, if the application (HTTP, FTP) requires high data transfer mode, you can use TCP and TCP to check whether the information is safe to arrive, otherwise you will re-send the information. In the TCP format, the data is used in the TCP format, and the IP protocols of the network layer are handled. Each data contains a check value. The recipient uses it to verify whether the information is damaged. If the received information is not damaged, it will be transferred back Confirm back; if the information is damaged, it will be discarded. TCP has reliability and connection. UDP (User Data Agreement): Located in the application layer, let the application directly use the package delivery service, such as the transfer service provided by IP, the UDP protocol does not check if the package is safe to destination, so the transmission speed is fast, but it is An unreliable, non-linear packet agreement. ICMP (Network Control Message Agreement): Part of the Internet layer, using the transmission of IP packets, sending its message, the message sent by ICMP executes whether the remote machine is operating ('ping'), data stream control ( When the packet is too fast, the destination host is transmitted back to an ICMP source suppression message to the sender, telling the data source to temporarily stop the package). ICMP does not have port, but it still has its option parameters to use to select the type of ICMP. We can specify the name of the ICMP or a numeric representative (you can perform ipchains -h ICMP to list detailed names).

5.4 Specify the port of UDP and TCP

Specifies the source and destination IP address -s -d:

There are three representations of sources (-s) and destination (-d):

Use the complete primary name name, for example: 'mouse.Oit.edu.tw' or 'localhost' uses IP address, for example: '192.192.73.36' Allow a range of IP address, for example: '192.192.73.0/24 Both 'or' 192.192.73.0/255.255.255.0 'is the same, which contains the IP address of 192.192.73.0 ~ 192.192.73.255.

The number of slash ('/') represents the IP address, '/ 24' is 255.255.255.0, '/ 32' is 255.255.255.255, which is more important to '0/0', refers to all.

example:

Ipchains -a input -s 0/0 -j deny

Description:

'0/0' indicates that all IP addresses that specify all sources will be rejected, you can also do not add '-s' parameters, but also specify all source IP addresses. 5.5 Important Specified Goals

In addition to the specified agreement, you can also divide the port to specify its port.

E.g:

Refers to the port 80 of all sources, where 80 can also use the name to represent 'WWW'

-P TCP -S 0.0.0.0.0 80

If you want TCP packets to reach any port 192.168.0.1, but except for WWW this PORT:

-p TCP -D 192.168.0.1! WWW

Among them, the location of the exclamation number '!' Can also be specified:

-p tcp -d! 192.168.0.1 WWW

It can also be expressed as the port of 192.168.0.1 and www:

-p tcp -d! 192.168.0.1! www

5.6 log record / var / log / message

If you have a '-L' option, your message about IPChains is recorded in the / var / log / message file, on the standard Linux system, the Kernel's output message is recorded via Klogd (Kernel Logging Daemon). The records are:

JUL 18 11:38:28 WWW kernel: packet log: Input Reject Eth0 Proto = 1 (1) (2) (3) (4) (5) (6) (7) (8) 192.168.1.3: 8 192.168. 1.1: 0 l = 60 s = 0x00 i = 7476 f = 0x0000 t = 32 (9) (10) (11) (12) (13) (14) (15)

Ipchains record:

(1) Date, time (2) Host Name (3) Use kernel to record (4) Indicate the rules used from IPChains to generate information (5): INPUT (6) Rule Target: Reject (7) Sealing package Network Card Interface: ETH0 (8) Agreement Number: 1 (ICMP), 6 (TCP), 17 (UDP) (9) Source IP location and Port (10) Destination IP address and Port (11) Package (12) TOS (TYPE OF Service) (13) IP ID (14) Data Section Offset

5.6 log record / var / log / message

Ipchains record:

Here you have to remind the user, don't log in with the remote end to use ipchains, because you will not care about it, you can't get home, sometimes in order to test the function of Telnet, I don't go in myself, and of course, it is awkward thing to go to the host.

Close all services:

Based on security, we have to close all the inside, the external window, and perform the following instructions will enter, output, and transfer the preset policy of the package to refuse. This step is best to put it in your last time. Go again, because if there is a rule of all Deny, the subsequent Accept rules will be replaced by previous Deny.

Ipchains -p INPUT Denyipchains -p Forward DenyiPchains -p Output Deny

Start the camouflage service of the virtual IP:

The internal virtual IP192.168.0.0-55 starts the IP package to transfer to the outside world, so that it can be connected anywhere in the outside world.

Ipchains -a forward -s 192.168.0.0/24 -d 0.0.0.0 - -j Masq

7. Use ipchains-save, ipchains-restore stored settings

Ipchains has two programs to store, reverse the rules we set, IPChains-save can store one or all rules, it is the instruction file, first read the setting file of Ipchains and store it into files, use You can join the -V parameter to list detailed actions.

example:

ipchains-save -v> filename

result:

To restore the IPChains rules, do the following instructions

8. Manage Ipchains using Webmin

After reading the above instructions, the reader will be very difficult, in fact, we can also manage ipchains firewalling in Webmin's Third Party Modules, as shown below:

Among them, five security levels of Disable, Low, Medium, High, Full, or can be customized, as shown below:

9. Traffic statistics

Http://www.ntop.org/ is a network usage monitoring software, in interactive mode, NTOP displays the usage status of the user on the user's terminal screen. In Web mode, NTOP will generate a web page that contains network usage status as web Server to the user's browser. There is NTOP-1.3.1.-2.I386.0.0.0.0.0, so use it under RedHat 7.0.

RPM-IVH NTOP-1.3.1.-2.I386.rpm

Install, then execute with NTOP -D, the execution web output screen is as follows: (I use 1.1 version)

10. Traffic Record

Snort (http://www.snort.org) is a brilliant network intrusion detection software (IDS). With the characteristics of performing instant traffic analysis and packet recordings, it provides an analysis of the agreement, and the searches of the package content. Can be used to detect a variety of different attacks and surveys (such as Buffer Overflows, Stealth Ports, CGI Attacks, SMB Probes, OS Fingerprinting Attempts, etc.). Snort uses flexible rule based language to set those traffic should be collected, those should be released. He also has an modular detection engine. Snort has an instant warning feature that warns the user using Syslog, user custom files, UNIX Socket, or the user who uses SamClient to send WinPopup messages to the Windows Client end. (From Linuxfab.cx) get Snort-1.6.3.tar.gz, then perform the following steps:

TAR XVFZ Snort-1.6.3.tar.gzcd Snort-1.6.3./configuremakemake install

This author only introduces the sealing record function, and other functions will be described later. Assume that we have to perform Snort -C -D -D -L / Home / HTTPD / HTML / SNORT on the homepage, as follows:

Of course, the author has some security management, otherwise all network confidential exposure, and because the file will be very fast, if you really want to record, please pay attention to the details of the control. Let's go deep into the bottom.

Did you see User? Next, it is of course PASS ....

11. Conclusion:

I saw that everyone should have a further understanding of Ipchains, Ipchains is very powerful, can't say it very thoroughly, some small places must take over readers to understand. From NTOP, Snort can see how the network is unsafe, but also hope that all network managers should pay more attention. (Hey! Set of my daughter said: said that others say herself: ~~)

Shi sail, worked at the Motor Department of Yadong University, Wu Guohua, served as the Sail Network Research Office E-mail: shie@digital.Oit.edu.twurl: http://mouse.Oit.edu.tw

转载请注明原文地址:https://www.9cbs.com/read-115084.html

9cbs

New Post(0)