Sender: FUSE (fuse), board: Linux
Title: Linux FireWall Proxy Howto (Chinese) - by RGB
Station: BBS Shuimu Tsinghua Station (Wed Jul 8 13:22:16 1998)
Sender: RGB (online neighbour [still waiting]), board: UNIX_Palace
Title: Linux FireWall Proxy HOWTO (Chinese Version)
Posted by: Laughing Book (Sat Jun 13 14:44:03 1998), forwarded
Linux Firewall and Proxy Server HOWTO
1. Introduction
This document is based on David Rudder's Firewall-HOWTO (drig@execpc.com). With his
permission I have revised and extended it, and I am grateful to him.
In recent years firewalls have become very popular as an Internet security measure, and
like anything popular they are widely misunderstood. This HOWTO introduces the concepts
behind firewalls and proxy servers, how to install them, and applications of firewall
technology outside the security field.
1.1 Feedback
Feedback of every kind is welcome. Please point out anything you think is wrong; I do not
claim to be infallible, and I will gladly correct whatever you find. I try to answer every
e-mail, but replies may be slow when I am busy, so please be patient.
My e-mail address is:
markg@netplus.net
[Translator's note: there are certainly mistakes in the translation, and those are the
translator's fault. Please write to: netium@writeme.com]
1.2 Disclaimer
I take no responsibility for the consequences of anything done on the basis of this
document. Its purpose is to explain how firewalls and proxy servers work. I am not, and do
not pretend to be, a security expert; I am just one of the many people who like computers a
lot. I wrote this document to help people get familiar with the subject, but I am not
prepared to stake my life on it.
[Translator's disclaimer: I take no responsibility for the consequences of any action based
on this document. I am only a fourth-year undergraduate who picked up the basics of
firewalls while translating. This document exists so that more people can understand and use
Linux and firewalls; I accept no further responsibility.]
1.3 Copyright
Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors.
Linux HOWTO documents may be reproduced and distributed, in whole or in part, in any
medium, provided this copyright notice is retained on all copies. Commercial redistribution
is allowed and encouraged, but the author would like to be notified of it.
All translations, derivative works and aggregate works incorporating any Linux HOWTO must
be covered by this copyright notice; that is, you may not take a HOWTO, derive a work from
it and impose additional restrictions on its distribution. Exceptions may be granted under
certain conditions, but only with the agreement of the Linux HOWTO coordinator.
In short, we wish to promote dissemination of this information through as many channels as
possible while retaining copyright on the HOWTO documents, and we would like to hear of any
plans to redistribute the HOWTOs.
If you have any questions, please contact Mark Grennan <markg@netplus.net>.
[Translator's note: the translator is not a legal professional (even if he studies law :)
and does not want to get tangled up in wording, so the original text is included here; if
there is any discrepancy, the original governs:
Unless otherwise stated, Linux HOWTO documents are copyrighted by their
respective authors. Linux HOWTO documents may be reproduced and distributed
in whole or in part, in any medium physical or electronic, as long as this
copyright notice is retained on all copies. Commercial redistribution is
allowed and encouraged; however, the author would like to be notified of any
such distributions.
All translations, derivative works, or aggregate works incorporating any Linux
HOWTO documents must be covered under this copyright notice. That is, you may
not produce a derivative work from a HOWTO and impose additional restrictions
on its distribution. Exceptions to these rules may be granted under certain
conditions; please contact the Linux HOWTO coordinator.
In short, we wish to promote dissemination of this information through as many
channels as possible. However, we do wish to retain copyright on the HOWTO
documents, and would like to be notified of any plans to redistribute the
HOWTOs.
If you have any questions, please contact Mark Grennan at <markg@netplus.net>.
]
1.4 Why I wrote this
Although firewalls have been discussed at length in the newsgroups in recent years, I still
found it hard to find good information on actually building one. David Rudder's
Firewall-HOWTO was very helpful, but not sufficient, so this document revises it in order to
give people the information they need to build a firewall.
1.5 Still to do
* A description of how to set up the clients.
* Finding a proxy server for Linux that supports UDP (translator: now solved).
1.6 Further reading
The NET-2 HOWTO
The Ethernet HOWTO
The Multiple Ethernet mini-HOWTO
Networking with Linux
TCP/IP Network Administrator's Guide, O'Reilly and Associates
The documentation for the TIS Firewall Toolkit
The web site of Trusted Information Systems (TIS) collects a great deal of information
about firewalls:
http://www.tis.com/
I am working on a project called "Secure Linux", collecting on my site everything I can
find about building a secure Linux system. If you are interested, contact me by e-mail.
2. Firewall basics
The term firewall comes from the automotive industry: it originally meant the partition
between a car's engine and its passengers, which protects the passengers if the engine
catches fire without getting in the way of the driver's control.
In computing, a firewall is a device that protects an internal network from unauthorized
access from an external network (the whole Internet).
From here on, "firewall" means the firewall computer: a machine attached to both the
internal network and the Internet. The internal network cannot reach the Internet
directly, nor can the Internet reach the internal network. An internal user who wants to
reach the Internet must first log in to the firewall and go from there.
The simplest form of firewall is a system that joins two networks. If you can *completely
trust all your users*, simply install Linux with a kernel compiled with IP
forwarding/gatewaying turned *off*, and give each user an account; they can log in to the
firewall and do telnet, FTP, mail or whatever other Internet access you allow. With this
setup the firewall is the only machine on your network with a full Internet connection, and
the rest of the internal network does not even need a default route.
But it bears repeating: only if you can *completely trust all your users*. I do not
recommend this solution.
2.1 Drawbacks of firewalls
A "filtering" firewall severely restricts access from outside to the internal network,
because only traffic that has not been filtered out gets through. With a proxy firewall, an
outside user can log in to the proxy server and from there perform whatever network access
is permitted.
Also, as new kinds of network clients and servers keep appearing, you must work out how to
control access to each new one before it can be used.
2.2 Types of firewall
There are two types:
1. IP or filtering firewalls: only the specified network traffic is let through.
2. Proxy servers: they perform the network access on your behalf.
2.2.1 IP filtering firewalls
An IP filtering firewall works on individual packets. It controls traffic by the source
address, the destination address, the port numbers and the packet type.
This kind of firewall is quite secure, but it lacks logging. It blocks unauthorized access
from outside effectively, but it cannot tell you who is accessing your internal systems or
which internal users are reaching the Internet.
A filtering firewall is purely a filter. With it you cannot restrict access to your internal
servers to specific people, unless those people can be told apart by their source address
(translator: for example, all coming from the same IP).
Linux has supported packet filtering since the 1.3.x kernels.
2.2.2 Proxy servers (firewalls)
A proxy server lets you reach the Internet through the firewall. A good picture of it is
telnetting to one machine and then telnetting from there to another; the only difference is
that the proxy server does this automatically. When your client program connects to the
firewall, the proxy server starts its own client and transfers the data for you.
Because every byte passes through the proxy, it can log everything that is done.
The great thing about this kind of firewall is that, when configured correctly, it is
completely secure: nobody gets through, because there is no direct IP route across it.
3. Setting up the firewall
3.1 Hardware requirements
A 486-DX66 with 16 MB of memory and a 500 MB Linux partition, with two network cards: one
on our private LAN and one on a LAN we call the "demilitarized zone" (DMZ), which in turn
reaches the Internet through a router.
This is a typical firewall configuration. You can also use one network card plus a PPP
dial-up link to the Internet. The key point is that the firewall must have two IP
addresses.
Many home LANs these days have two or three machines. In that case consider putting all
the modems into the Linux box (an old 386 will do) and letting it make the Internet
connection; when you are the only one online and have two modems, you might even double
your connection speed! :-)
4. Firewall software
4.1 Available packages
If all you want is a filtering firewall, Linux plus the basic networking packages is
enough.
Your Linux distribution may not include the IP firewall administration package, ipfwadm;
it is available from:
http://www.xos.nl/linux/ipfwadm/
If you want a proxy firewall, you need one of the following:
1. SOCKS
2. TIS Firewall Toolkit (FWTK)
4.2 TIS Firewall Toolkit compared with SOCKS
Trusted Information Systems (http://www.tis.com) publish a set of programs that implement
a firewall. Its function is much like that of SOCKS, but the design is different: SOCKS is
one program that handles all Internet traffic, whereas TIS provides a separate program for
each function.
To make the difference concrete, take WWW and telnet. With SOCKS you set up one
configuration file and one daemon, and both WWW and telnet work through the firewall,
together with any other service you have not disabled. With TIS you set up a configuration
file and a daemon for WWW and another pair for telnet; everything else stays blocked until
you set it up too. If there is no daemon for a particular service (talk, say) you can use
the "plug-in" daemon, but it is less flexible and less simple to configure than the other
tools.
SOCKS is easy to build and configure and is very flexible; but if you want tight control
over your internal users, TIS offers better security. Either one can completely block
unauthorized access from outside.
5. Preparing Linux
5.1 Compiling the kernel
Start from a "clean" Linux installation (I used Red Hat 3.0.3, and all examples are based
on it). The fewer components you install, the fewer places there are for security holes,
so a minimal system is enough.
Choose a stable kernel. I used Linux 2.0.14, and this document is based on it.
Next, compile the kernel with the appropriate options. You may need to refer to the Kernel
HOWTO, the Ethernet HOWTO and the NET-2 HOWTO at this point.
These are the network-related options in 'make config':
1. Under 'General setup'
   1. Networking support -> ON
2. Under 'Networking options'
   1. Network firewalls -> ON
   2. TCP/IP networking -> ON
   3. IP: forwarding/gatewaying -> OFF (unless you are building an IP filtering firewall)
   4. IP: firewalling -> ON
   5. IP: firewall packet logging -> ON (not required, but a good idea)
   6. IP: masquerading -> OFF (not covered in this document)
   7. IP: accounting -> ON
   8. IP: tunneling -> OFF
   9. IP: aliasing -> OFF
   10. IP: PC/TCP compatibility mode -> OFF
   11. IP: Reverse ARP -> OFF
   12. IP: Drop source routed frames -> ON
3. Under 'Network device support'
   1. Network device support -> ON
   2. Dummy net driver support -> ON
   3. Ethernet (10 or 100Mbit) -> ON
   4. Select your network interface card.
Now rebuild the kernel, reinstall it with LILO and reboot; at boot Linux should report your
network cards. If it does not, go back to the other HOWTOs.
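As an added check that is not part of the original HOWTO, the following shell script compares a kernel .config against the option list above, once for a proxy firewall (forwarding off) and once for a filtering firewall (forwarding on). The CONFIG_* symbol names are assumed to be the 2.0.x names behind those menu entries, and the sample .config is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check a Linux 2.0-era .config against
# the firewall option list. The CONFIG_* names are assumed to be the 2.0.x
# symbols for the menu entries; adjust them if your kernel differs.

# Constructed sample .config for a proxy firewall build
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_FIREWALL=y
CONFIG_INET=y
# CONFIG_IP_FORWARD is not set
CONFIG_IP_FIREWALL=y
CONFIG_IP_FIREWALL_VERBOSE=y
# CONFIG_IP_MASQUERADE is not set
CONFIG_IP_ACCT=y
# CONFIG_NET_IPIP is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_INET_PCTCP is not set
# CONFIG_INET_RARP is not set
CONFIG_IP_NOSR=y
CONFIG_NETDEVICES=y
CONFIG_DUMMY=y
CONFIG_NET_ETHERNET=y'

# want_list TYPE: print "SYMBOL y|n" pairs; TYPE is "proxy" or "filter",
# the only difference being whether IP forwarding must be on
want_list() {
    fwd=n
    [ "$1" = "filter" ] && fwd=y
    printf '%s\n' \
        "CONFIG_NET y" "CONFIG_FIREWALL y" "CONFIG_INET y" \
        "CONFIG_IP_FORWARD $fwd" "CONFIG_IP_FIREWALL y" \
        "CONFIG_IP_FIREWALL_VERBOSE y" "CONFIG_IP_MASQUERADE n" \
        "CONFIG_IP_ACCT y" "CONFIG_NET_IPIP n" "CONFIG_IP_ALIAS n" \
        "CONFIG_INET_PCTCP n" "CONFIG_INET_RARP n" "CONFIG_IP_NOSR y" \
        "CONFIG_NETDEVICES y" "CONFIG_DUMMY y" "CONFIG_NET_ETHERNET y"
}

# config_value CONFIG_TEXT SYMBOL: print y if "SYMBOL=y" is present, else n
# (a "# SYMBOL is not set" line, or no line at all, both count as n)
config_value() {
    if printf '%s\n' "$1" | grep -q "^$2=y$"; then echo y; else echo n; fi
}

# check_config CONFIG_TEXT TYPE: print one line per option that differs from
# the recommendation; prints nothing when the config matches
check_config() {
    want_list "$2" | while read sym want; do
        have=$(config_value "$1" "$sym")
        [ "$have" = "$want" ] || printf '%s: want %s, have %s\n' "$sym" "$want" "$have"
    done
}

if [ -z "$(check_config "$SAMPLE_CONFIG" proxy)" ]; then
    echo "proxy firewall: kernel config matches the recommended options"
fi
# The same config checked as a filtering firewall reports the forwarding option:
check_config "$SAMPLE_CONFIG" filter   # prints: CONFIG_IP_FORWARD: want y, have n
```

Run it against the real file with `check_config "$(cat /usr/src/linux/.config)" proxy` after `make config`.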
5.2 Configuring two network cards
If you have two network cards, you will most likely have to add an append statement to
/etc/lilo.conf to tell the kernel their interrupts and I/O addresses.
This is my LILO append statement:
append="ether=12,0x300,eth0 ether=15,0x340,eth1"
5.3 Configuring the network addresses
This is where it gets interesting. You have several choices now. Obviously we do not plan
to let the Internet reach the internal network, so the internal network needs no real IP
addresses. Certain address ranges are reserved precisely for private use (RFC 1918): since
IP addresses are always in short supply and these reserved addresses are never routed on
the Internet, they are exactly what we need.
Here we use the reserved addresses 192.168.2.xxx as the example.
Your proxy firewall is a member of both the internal and the external network and can carry
traffic between the two:

           199.1.2.10  __________  192.168.2.1
     _________         |          |         _______________
    /         \        |          |        |               |
   ( Internet  )-------| Firewall |--------| Workstation/s |
    \_________/        |__________|        |_______________|

Even with a filtering firewall you can still use these addresses, as long as you use IP
masquerading: the firewall then rewrites the addresses to the "real" address that is routed
on the Internet.
The "real" address must be assigned to the network card that connects to the Internet, and
192.168.2.1 to the inside card; 192.168.2.1 is then the proxy/gateway address for the
internal network. Finally give the other internal machines addresses from the 192.168.2.xxx
range (192.168.2.2 to 192.168.2.254).
I use Red Hat Linux, so to have the network configured at boot I added an 'ifcfg-eth1' file
to the /etc/sysconfig/network-scripts directory. The system reads it at startup and sets up
the network and routing tables.
My ifcfg-eth1 file:
#!/bin/sh
#>>>Device type: ethernet
#>>>Variable declarations:
DEVICE=eth1
IPADDR=192.168.2.1
NETMASK=255.255.255.0
NETWORK=192.168.2.0
BROADCAST=192.168.2.255
GATEWAY=199.1.2.10
ONBOOT=yes
#>>>End variable declarations
The same scripting mechanism can also bring up a modem connection to your ISP
automatically; see the ifup-ppp script.
If you reach the outside network over a modem, the external IP address is assigned by your
ISP when the connection is made.
5.4 Testing
First check ifconfig and route. On a machine with two network cards, ifconfig should look
like this:
# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:1620 errors:0 dropped:0 overruns:0
          TX packets:1620 errors:0 dropped:0 overruns:0

eth0      Link encap:10Mbps Ethernet  HWaddr 00:00:09:85:AC:55
          inet addr:199.1.2.10  Bcast:199.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:0 errors:0 dropped:0 overruns:0
          Interrupt:12 Base address:0x310

eth1      Link encap:10Mbps Ethernet  HWaddr 00:00:09:80:1E:D7
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0
          TX packets:0 errors:0 dropped:0 overruns:0
          Interrupt:15 Base address:0x350
And your routing table should look like this:
# route -n
Kernel routing table
Destination     Gateway         Genmask         Flags MSS    Window Use Iface
199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
default         199.1.2.10      *               UG    1500   0       72 eth0
Note that 199.1.2.0 is the network on the outside of the firewall and 192.168.2.0 is the
internal network.
Now try to ping the Internet from the firewall. I use nic.ddn.mil; it ought to be a good
target, although in practice it is not as reliable as I imagined. If you get no response,
try again in case you simply were not connected. If it still fails, your PPP setup is
probably at fault, so back to the NET-2 HOWTO.
Next, from the internal network, ping the firewall's internal address; every internal
machine should be able to ping it. If not: NET-2 HOWTO :)
Next, from the internal network, ping the firewall's external address (the one that is not
192.168.2.xxx). If that answers, it shows you do not have IP forwarding yet; if forwarding
is what you want, see the IP filtering section of this document. Bear in mind that Linux
replies to packets addressed to any of its own addresses on whichever interface they
arrive, so this reply by itself says little about forwarding; the next test is the real one.
Now, from the internal network, try to ping the Internet through the firewall, again using
nic.ddn.mil [at Zhejiang University ping alpha.zju.edu.cn :) - translator]. With IP
forwarding off it should not work; with forwarding on it should.
If IP forwarding is on and your internal network uses "real" IP addresses, being unable to
ping the Internet while the firewall's external address is reachable means the upstream
router is not routing packets for your internal network (your service provider may have to
fix that).
If you chose reserved addresses, which are not routed, or IP masquerading, this test still
applies.
You have now completed the basic setup.
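An added example, not from the original HOWTO: a small shell check that reads route output and confirms the dual-homed layout (internal and external networks on different interfaces, default route out the external one) before you start the ping tests. The sample table is constructed from the HOWTO's own addresses, and the function names iface_for and check_topology are this example's own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): sanity-check the firewall's routing
# table before the ping tests. Feed it "route -n" style output.

# Constructed sample, using the addresses from the HOWTO's own route listing
SAMPLE_ROUTE='Kernel routing table
Destination     Gateway         Genmask         Flags MSS    Window Use Iface
199.1.2.0       *               255.255.255.0   U     1500   0       15 eth0
192.168.2.0     *               255.255.255.0   U     1500   0        0 eth1
127.0.0.0       *               255.0.0.0       U     3584   0        2 lo
default         199.1.2.10      *               UG    1500   0       72 eth0'

# iface_for ROUTE_TEXT DESTINATION: print the interface (last column) of the
# route whose destination is DESTINATION; "default" also matches 0.0.0.0,
# which is how "route -n" prints it. Prints nothing if there is no such route.
iface_for() {
    printf '%s\n' "$1" | awk -v dst="$2" \
        '$1 == dst || (dst == "default" && $1 == "0.0.0.0") { print $NF; exit }'
}

# check_topology ROUTE_TEXT EXT_NET INT_NET: print "ok" or a one-line diagnosis
check_topology() {
    ext=$(iface_for "$1" "$2")
    int=$(iface_for "$1" "$3")
    def=$(iface_for "$1" default)
    if [ -z "$ext" ] || [ -z "$int" ]; then
        echo "missing route: external=$ext internal=$int"
    elif [ "$ext" = "$int" ]; then
        echo "both networks on $ext: the firewall is not dual-homed"
    elif [ "$def" != "$ext" ]; then
        echo "default route leaves via ${def:-nothing}, not $ext"
    else
        echo ok
    fi
}

check_topology "$SAMPLE_ROUTE" 199.1.2.0 192.168.2.0
```

On the firewall itself run `check_topology "$(route -n)" 199.1.2.0 192.168.2.0` with your own network numbers; anything other than "ok" points at the ifcfg or lilo.conf settings from the previous sections.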
5.5 Securing the firewall
Unneeded services running on the firewall give intruders a convenient way in. "Bad guys"
may break in and change the firewall's configuration to suit themselves.
So first turn off every service you do not use.
The file /etc/inetd.conf controls the so-called "super server", which listens for incoming
requests and starts the corresponding service daemon when one arrives.
Be sure to turn off netstat, systat, tftp, bootp and finger. To turn a service off, comment
out its line with a #. Then send a SIGHUP to the inetd process ("kill -HUP <inetd pid>") so
it rereads the file. Finally, telnet to port 15 of the firewall (the netstat port); if you
still get netstat output, inetd did not pick up the change.
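The hardening step above, as an added shell example that is not part of the original HOWTO. The inetd.conf contents are constructed for the example in the usual layout of the time (service, socket type, protocol, wait flag, user, server, arguments); note that the bootp service appears in inetd.conf under the name bootps. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): comment out unwanted inetd services and
# verify that none of them is still enabled.

# Constructed sample inetd.conf
SAMPLE_INETD='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
netstat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
bootps  dgram   udp     wait    root    /usr/sbin/tcpd  bootpd'

# The services the HOWTO says to switch off (bootp is "bootps" in inetd.conf)
UNWANTED="netstat systat tftp bootps finger"

# disable_services INETD_TEXT NAME...: print INETD_TEXT with every line that
# starts with one of the NAMEs commented out; lines already commented are untouched
disable_services() {
    text=$1; shift
    for svc in "$@"; do
        text=$(printf '%s\n' "$text" | sed "s/^\($svc[[:space:]]\)/#\1/")
    done
    printf '%s\n' "$text"
}

# enabled_services INETD_TEXT: print the names of the services still active
enabled_services() {
    printf '%s\n' "$1" | awk '/^[^#[:space:]]/ { print $1 }'
}

# still_enabled INETD_TEXT NAME...: print each NAME that is still active;
# prints nothing when the file is clean
still_enabled() {
    text=$1; shift
    for svc in "$@"; do
        enabled_services "$text" | grep -qx "$svc" && echo "$svc"
    done
    return 0
}

HARDENED=$(disable_services "$SAMPLE_INETD" $UNWANTED)
printf '%s\n' "$HARDENED"
echo "still enabled: $(enabled_services "$HARDENED" | tr '\n' ' ')"
# On the real firewall: write HARDENED to /etc/inetd.conf, run
#   kill -HUP <inetd pid>
# and then "telnet firewall 15" must no longer return netstat output.
```

Running still_enabled against the file after the SIGHUP is the scripted equivalent of the telnet-to-port-15 check: it should print nothing.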
6. Setting up an IP filtering firewall (ipfwadm)
Before you begin, turn on IP forwarding in the kernel. Your system will then forward
everything it is sent and, given your routing table, traffic flows freely between the
internal and external networks. What we build here is a firewall that blocks all of that
except the access you explicitly allow.
On my system I put the firewall's forwarding and accounting policy in a script under
/etc/rc.d, which the system runs automatically at startup.
By default the Linux kernel's forwarding policy accepts everything (translator: it acts as
a gateway), so your firewall script must begin by denying all access:
#
# Set up IP packet accounting and forwarding
#
# Forwarding
#
# By default, deny all services
ipfwadm -F -p deny
# Flush all rules
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
Now we have the ultimate firewall: it refuses everything. Of course you still need some
services, and the following examples show how to allow them (-b makes each rule
bidirectional, so the replies are covered too):
# Forward email to your server (clients use ephemeral ports 1024:65535, the server port 25)
ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.10 25
# Forward email connections from your server to outside email servers
ipfwadm -F -a accept -b -P tcp -S 196.1.2.10 1024:65535 -D 0.0.0.0/0 25
# Forward Web connections to your Web server
/sbin/ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 196.1.2.11 80
# Forward Web connections from the inside to outside Web servers
/sbin/ipfwadm -F -a accept -b -P tcp -S 196.1.2.0/24 1024:65535 -D 0.0.0.0/0 80
# Forward DNS traffic
# Note: this admits any UDP packet whose source port is 53 to any internal port,
# a known weakness of stateless filters; narrow -S to your DNS servers where you can.
/sbin/ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 196.1.2.0/24
You will probably be interested in traffic statistics as well. The following script counts
packets; you can use it to bill per user.
# Flush the current accounting rules
ipfwadm -A -f
# Accounting: count traffic in both directions for the internal network
/sbin/ipfwadm -A out -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 196.1.2.0/24
/sbin/ipfwadm -A in -i -S 196.1.2.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 196.1.2.0/24
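An added example, not the HOWTO's own script: it generates the default-deny forwarding rule set from a short service list and lints the result before loading it, catching the two mistakes a filter script most often contains (an accept rule open on both ends, and a rule with no port on the destination side). The network 196.1.2.0/24 and the hosts are the HOWTO's example values; the service-list format and the names build_rules, rule, lint_rules and load_rules are this example's own. With IPFWADM unset the commands are printed rather than executed, so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the HOWTO): build and lint an ipfwadm forwarding
# rule set. Dry run by default; set IPFWADM=/sbin/ipfwadm to load for real.

IPFWADM=${IPFWADM:-"echo ipfwadm"}
ANY=0.0.0.0/0
EPHEMERAL=1024:65535

# Service list (this example's own format): "proto host port direction"
#   in  = outside clients may reach host:port
#   out = host (or the whole inside net) may reach port on outside servers
SERVICES='tcp 196.1.2.10 25 in
tcp 196.1.2.10 25 out
tcp 196.1.2.11 80 in
tcp 196.1.2.0/24 80 out'

# rule PROTO HOST PORT DIR: print one bidirectional ipfwadm forwarding rule;
# the client side always gets the ephemeral range, the server side the port
rule() {
    case $4 in
        in)  echo "ipfwadm -F -a accept -b -P $1 -S $ANY $EPHEMERAL -D $2 $3" ;;
        out) echo "ipfwadm -F -a accept -b -P $1 -S $2 $EPHEMERAL -D $ANY $3" ;;
        *)   echo "bad direction: $4" >&2; return 1 ;;
    esac
}

# build_rules: print the whole script: deny policy, flush, then the allows
build_rules() {
    echo "ipfwadm -F -p deny"
    echo "ipfwadm -F -f"
    echo "ipfwadm -I -f"
    echo "ipfwadm -O -f"
    printf '%s\n' "$SERVICES" | while read proto host port dir; do
        [ -n "$proto" ] && rule "$proto" "$host" "$port" "$dir"
    done
}

# lint_rules: read rules on stdin and report accept rules that are open on
# both ends, accept rules with no destination port, and a missing deny policy
lint_rules() {
    awk '
        /-p deny/ { policy = 1 }
        /-a accept/ {
            if ($0 ~ /-S 0\.0\.0\.0\/0 / && $0 ~ /-D 0\.0\.0\.0\/0/)
                print "any-to-any accept: " $0
            for (i = 1; i <= NF; i++)
                if ($i == "-D" && $(i+2) !~ /^[0-9]+(:[0-9]+)?$/)
                    print "no destination port: " $0
        }
        END { if (!policy) print "no default deny policy" }
    '
}

# load_rules: execute (or, in dry-run mode, print) the generated rules in order
load_rules() {
    build_rules | while read -r line; do
        $IPFWADM ${line#ipfwadm}
    done
}

build_rules
echo "lint: $(build_rules | lint_rules | wc -l | tr -d ' ') problem(s)"
```

Run `IPFWADM=/sbin/ipfwadm load_rules` on the firewall once `build_rules | lint_rules` prints nothing. Piping the DNS rule from the script above through lint_rules reports it, because with no port on the -D side any UDP packet from source port 53 is accepted.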
If you decide this is as far as you need to go, you can stop here. :-)