How to build a firewall and IP masquerading with ipchains on Red Hat 6.1
Release Date: 1999-10-15
Source: China Linux Forum
Author: Wu Ah Ting
Introduction:
The Linux 2.2 kernel uses ipchains in place of the ipfwadm used with the 2.0 kernel; on Red Hat 6.0/6.1, ipfwadm can no longer be used. This article shows how to set up a basic firewall and IP masquerading so that internal users can reach the Internet through the masquerading host. The ipchains syntax differs greatly from that of ipfwadm; to learn more commands and options, refer to the Chinese translation of the ipchains HOWTO made by a fellow netizen (http://www.hncd.gov.cn/linux), or run ipchains --help. The settings in this article are aimed mainly at leased-line users, but the firewall and IP masquerading settings also apply to dial-up users.
Idea:
In general there are two strategies for implementing a Linux firewall.
The first is to deny all input, output and forwarded packets, and then open only the services that are needed. This is the safest approach, but you must account for every service you intend to use and leave nothing out; if you do not know clearly which services and ports each feature requires, it becomes troublesome.
The second is to accept all input and output packets by default. Forwarding does not need to be opened, because the internal segment uses reserved (private) addresses and cannot exchange data with the Internet directly; it exchanges data transparently through IP masquerading. Dangerous packets are then denied: IP spoofing packets, broadcast packets, ICMP-based attacks and so on. For application-layer services such as HTTP, sendmail, POP3 and FTP, if you do not plan to provide a service, do not start it, or do not install it at all. This approach is less secure than the first, but it is more convenient and easier to configure: a user who does not know in detail which ipchains commands are needed to open a service (such as FTP) can still configure a reasonably secure firewall.
This article uses the second approach to configure a basic firewall. My internal segment is 192.168.11.0, eth0 is the network card facing the external segment, and eth1 is the network card facing the internal segment.
Implementation:
1. After installing the system, create a script named ipchains.rules in the /etc/rc.d/ directory (run chmod u+x ipchains.rules to make it executable), then add the line /etc/rc.d/ipchains.rules to /etc/rc.d/rc.local so that the firewall rules are applied each time the machine is rebooted.
The script content follows:
----------------------------
#!/bin/sh
echo "Starting ipchains firewall rules ..."

# Flush all existing firewall rules
/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output

# Set up default policies: deny forwarding, accept input and output
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT

# IP address of the external interface (eth0); replace a.b.c.d with your own
EXTERNAL_INTERFACE=a.b.c.d

# Set up loopback interface
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i lo

# Disable IP spoofing: private addresses and our own external address
# must never appear on the external interface
/sbin/ipchains -A input -j DENY -i eth0 -s 192.168.0.0/16
/sbin/ipchains -A input -j DENY -i eth0 -d 192.168.0.0/16
/sbin/ipchains -A output -j DENY -i eth0 -s 192.168.0.0/16
/sbin/ipchains -A output -j DENY -i eth0 -d 192.168.0.0/16
/sbin/ipchains -A input -j DENY -i eth0 -s $EXTERNAL_INTERFACE/32
/sbin/ipchains -A output -j DENY -i eth0 -d $EXTERNAL_INTERFACE/32

# Refuse packets claiming to be to or from the loopback interface
/sbin/ipchains -A input -j DENY -i eth0 -s 127.0.0.0/8
/sbin/ipchains -A input -j DENY -i eth0 -d 127.0.0.0/8
/sbin/ipchains -A output -j DENY -i eth0 -s 127.0.0.0/8
/sbin/ipchains -A output -j DENY -i eth0 -d 127.0.0.0/8

# Refuse broadcast address source packets
/sbin/ipchains -A input -j DENY -i eth0 -s 255.255.255.255
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0

# Refuse multicast / anycast / broadcast addresses
/sbin/ipchains -A input -j DENY -i eth0 -s 240.0.0.0/3

# Forward all internal traffic
/sbin/ipchains -A forward -j ACCEPT -i eth1 -s 192.168.11.0/24 -d 192.168.11.0/24

# Set up IP masquerading rules: enable IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
# Note: IP forwarding can also be enabled in /etc/sysconfig/network by
# changing the line to FORWARD_IPV4=true, in which case the echo line
# above is not needed.

# Add masquerading modules for FTP, CU-SeeMe, IRC, RealAudio, etc.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio

# Start IP masquerading for the whole internal segment
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.0/24
# Note: to masquerade only some hosts, set them up individually instead,
# for example:
# /sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.3/32
# /sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.23/32
---------------------------------
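To make the first-match semantics of the chains above concrete, here is an added Python model (not part of the original article, and not a real packet filter) that encodes the input and forward rules together with the -P policies and reports the target a packet would receive; the address 203.0.113.10 is a constructed stand-in for a.b.c.d.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the a.b.c.d external address in the script.
EXTERNAL_IP = "203.0.113.10"

def rule(chain, target, iface=None, src=None, dst=None):
    # strict=False accepts 240.0.0.0/3 exactly as the script writes it
    return {"chain": chain, "target": target, "iface": iface,
            "src": ip_network(src, strict=False) if src else None,
            "dst": ip_network(dst, strict=False) if dst else None}

# Rules in the order the script appends them (-A); -i is the receiving
# interface for the input chain and the outgoing interface for forward.
RULES = [
    rule("input", "ACCEPT", iface="lo"),
    rule("input", "DENY", iface="eth0", src="192.168.0.0/16"),
    rule("input", "DENY", iface="eth0", dst="192.168.0.0/16"),
    rule("input", "DENY", iface="eth0", src=EXTERNAL_IP + "/32"),
    rule("input", "DENY", iface="eth0", src="127.0.0.0/8"),
    rule("input", "DENY", iface="eth0", dst="127.0.0.0/8"),
    rule("input", "DENY", iface="eth0", src="255.255.255.255/32"),
    rule("input", "DENY", iface="eth0", dst="0.0.0.0/32"),
    rule("input", "DENY", iface="eth0", src="240.0.0.0/3"),
    rule("forward", "ACCEPT", iface="eth1",
         src="192.168.11.0/24", dst="192.168.11.0/24"),
    rule("forward", "MASQ", iface="eth0", src="192.168.11.0/24"),
]
# Default policies from the -P lines; the output chain (ACCEPT policy with
# mirror-image deny rules) is left out of this model.
POLICY = {"input": "ACCEPT", "forward": "DENY"}

def verdict(chain, iface, src, dst):
    """Target of the first matching rule, else the chain's default policy."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if r["chain"] != chain:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["src"] and s not in r["src"]:
            continue
        if r["dst"] and d not in r["dst"]:
            continue
        return r["target"]
    return POLICY[chain]

if __name__ == "__main__":
    # A private source address arriving on the external interface is spoofed.
    print(verdict("input", "eth0", "192.168.11.5", EXTERNAL_IP))       # DENY
    print(verdict("forward", "eth0", "192.168.11.5", "198.51.100.7"))  # MASQ
```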
Other firewall security matters:
The settings above start a basic firewall that blocks IP spoofing and broadcast packets, but for a complete firewall system you still need to pay attention to the following:
1. Edit /etc/inetd.conf and disable all unneeded services, such as all the r commands, finger, talk and so on. Generally only FTP and Telnet are kept for internal maintenance; use /etc/hosts.allow and /etc/hosts.deny so that only certain administrative users can telnet or FTP to the firewall. Of course, the safer way is to disable all inetd services, including FTP and Telnet, install SSH, and use ssh/scp in place of Telnet and FTP.
2. Enable shadow passwords. Two simple commands do this: pwconv (enable shadow passwords) and pwunconv (restore the original state). Red Hat 6 already enables shadow passwords by default at installation. This makes it harder for a remote user to obtain the root password, because shadow passwords store the password file in /etc/shadow, which is readable only by root.
3. Run ntsysv to check whether any unneeded background daemons are started. Remember: start only the background services you intend to provide; this goes a long way toward ensuring security.
4. Create as few user accounts as possible, and keep upgrading packages that have security vulnerabilities.