How to build firewalls and IP masquerading with ipchains on Redhat 6.1


Release Date: 1999-10-15


Source: China Linux Forum

Author: Wu Ah Ting

Introduction:

The Linux 2.2 kernel replaces the ipfwadm of the 2.0 kernel with ipchains; on Redhat 6.0/6.1, ipfwadm can no longer be used. This article shows how to set up a basic firewall and IP masquerading system so that internal users can reach the Internet through IP masquerading. The ipchains syntax differs greatly from that of ipfwadm; if you want to learn more commands and syntax, you can refer to the Chinese translation of the ipchains HOWTO made by a fellow netizen (http://www.hncd.gov.cn/linux), or run ipchains --help for help. The settings in this article are mainly aimed at leased-line users, but the firewall and IP masquerading settings apply to dial-up users as well.

Idea:

In general, there are two strategies for implementing firewall functions on Linux.

The first is to prohibit all input/output/forward packets by default and then gradually open the required services according to need. This way is the safest, but you must fully consider every service function you need to use and leave nothing out; if you cannot say clearly which services and features you want to provide, and therefore which services and ports must be opened, it becomes rather troublesome.

The second way is to accept all input and output packets by default. Forwarded packets need not be opened: the internal network segment uses reserved (private) addresses, so it cannot exchange data with the Internet directly and instead exchanges data transparently through IP masquerading. Then some dangerous packets are denied, such as IP spoofing packets, broadcast packets and ICMP-type attacks. For application-layer services such as HTTP, sendmail, POP3, FTP and so on, if you do not plan to provide a service, do not start it, or better, do not install it at all. This way is not as secure as the first, but it is more convenient and easy to configure: a user who does not know very much about which ipchains commands are needed to open a service (such as FTP) can still configure a reasonably secure firewall system.

This article adopts the second way to configure a basic firewall system. My internal network segment uses 192.168.11.0, eth0 is the network card interface on the external network segment, and eth1 is the network card interface on the internal network segment.

Implementation:

1. After installing the system, create a script named ipchains.rules in the /etc/rc.d/ directory (run chmod u+x ipchains.rules to make sure it is executable), then add the line /etc/rc.d/ipchains.rules to /etc/rc.d/rc.local, so that the firewall rules set up below are run every time the machine is restarted.

The script content is as follows:

----------------------------

#!/bin/sh

echo "Starting ipchains firewall rules..."

# Flush all existing rules in the three built-in chains
/sbin/ipchains -F forward
/sbin/ipchains -F input
/sbin/ipchains -F output

# Set default policies: deny forwarding, accept input and output
/sbin/ipchains -P forward DENY
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT

# Address of the external interface (replace a.b.c.d with your own address)
EXTERNAL_INTERFACE=a.b.c.d

# Accept everything on the loopback interface
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i lo

# Disable IP spoofing: private 192.168.0.0/16 addresses must never appear on eth0,
# and nothing arriving on eth0 may claim to come from our own external address
/sbin/ipchains -A input -j DENY -i eth0 -s 192.168.0.0/16
/sbin/ipchains -A input -j DENY -i eth0 -d 192.168.0.0/16
/sbin/ipchains -A output -j DENY -i eth0 -s 192.168.0.0/16
/sbin/ipchains -A output -j DENY -i eth0 -d 192.168.0.0/16
/sbin/ipchains -A input -j DENY -i eth0 -s $EXTERNAL_INTERFACE/32
/sbin/ipchains -A output -j DENY -i eth0 -d $EXTERNAL_INTERFACE/32

# Refuse packets claiming to be to or from the loopback interface
/sbin/ipchains -A input -j DENY -i eth0 -s 127.0.0.0/8
/sbin/ipchains -A input -j DENY -i eth0 -d 127.0.0.0/8
/sbin/ipchains -A output -j DENY -i eth0 -s 127.0.0.0/8
/sbin/ipchains -A output -j DENY -i eth0 -d 127.0.0.0/8

# Refuse broadcast address source packets
/sbin/ipchains -A input -j DENY -i eth0 -s 255.255.255.255
/sbin/ipchains -A input -j DENY -i eth0 -d 0.0.0.0

# Refuse multicast / anycast / broadcast addresses
/sbin/ipchains -A input -j DENY -i eth0 -s 240.0.0.0/3

# Forward all internal traffic
/sbin/ipchains -A forward -j ACCEPT -i eth1 -s 192.168.11.0/24 -d 192.168.11.0/24

# Set up IP masquerading: first enable IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward

Note: You can also enable IP forwarding in the /etc/sysconfig/network file by changing that line to FORWARD_IPV4=true; then the echo line above is not necessary.

# Add masquerading modules for FTP, CU-SeeMe, IRC, RealAudio, etc.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_raudio

# Start IP masquerading for the whole internal segment
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.0/24

Note: If you only want certain users to use IP masquerading, you can also set them individually, for example:

/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.3/32
/sbin/ipchains -A forward -j MASQ -i eth0 -s 192.168.11.23/32

---------------------------------
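As an added example (not part of the original article), the following Python model applies the ipchains evaluation order (first matching rule decides, otherwise the chain policy) to the anti-spoofing and masquerading rules of the script above, so you can check what each rule blocks before loading it. The external address 203.0.113.10 is a constructed stand-in for the article's a.b.c.d, and the packets fed to it are constructed test inputs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    iface: str    # interface the rule is bound to (ipchains -i)
    src: str      # source address/mask (-s); a bare address means /32
    dst: str      # destination address/mask (-d); "0.0.0.0/0" means any
    target: str   # ACCEPT, DENY or MASQ (-j)

    def matches(self, iface, src, dst):
        # strict=False mirrors ipchains masking off host bits, so the
        # article's 240.0.0.0/3 covers 224.0.0.0 through 255.255.255.255
        return (self.iface == iface
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst, strict=False))


def evaluate(rules, policy, iface, src, dst):
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    for rule in rules:
        if rule.matches(iface, src, dst):
            return rule.target
    return policy


ANY = "0.0.0.0/0"
EXTERNAL_INTERFACE = "203.0.113.10"   # constructed stand-in for the article's a.b.c.d

# The article's anti-spoofing rules on the input chain (chain policy ACCEPT)
INPUT_RULES = [
    Rule("eth0", "192.168.0.0/16", ANY, "DENY"),
    Rule("eth0", ANY, "192.168.0.0/16", "DENY"),
    Rule("eth0", EXTERNAL_INTERFACE + "/32", ANY, "DENY"),
    Rule("eth0", "127.0.0.0/8", ANY, "DENY"),
    Rule("eth0", ANY, "127.0.0.0/8", "DENY"),
    Rule("eth0", "255.255.255.255", ANY, "DENY"),
    Rule("eth0", ANY, "0.0.0.0", "DENY"),
    Rule("eth0", "240.0.0.0/3", ANY, "DENY"),
]

# The article's forward chain (chain policy DENY); on the forward chain -i is
# the outgoing interface, so only internal hosts leaving via eth0 are masqueraded
FORWARD_RULES = [
    Rule("eth1", "192.168.11.0/24", "192.168.11.0/24", "ACCEPT"),
    Rule("eth0", "192.168.11.0/24", ANY, "MASQ"),
]


def input_verdict(iface, src, dst):
    return evaluate(INPUT_RULES, "ACCEPT", iface, src, dst)


def forward_verdict(out_iface, src, dst):
    return evaluate(FORWARD_RULES, "DENY", out_iface, src, dst)
```

Running it shows the limit of the article's rule set: a packet arriving on eth0 from 10.0.0.1 matches nothing and falls through to the ACCEPT policy, so the other private ranges (10.0.0.0/8, 172.16.0.0/12) would need deny rules of their own.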

Other firewall security matters:

The settings above start a basic firewall system that forbids IP spoofing and broadcast packets, but for a complete firewall system you still need to pay attention to the following:

1. Edit /etc/inetd.conf and disable all unneeded services, such as all the r commands, finger, talk and so on. Generally only the FTP and telnet services are kept for internal maintenance, and /etc/hosts.allow and /etc/hosts.deny are set so that only a few administrative users can telnet/FTP to the firewall. Of course, the safer way is to disable all inetd services (FTP and telnet included), install SSH, and use ssh/scp instead of telnet and FTP.

2. Enable shadow passwords. This takes two simple commands, pwconv (enable shadow passwords) and pwunconv (restore the original state); RedHat 6 already enables shadow passwords by default at installation. This makes it more difficult for a remote user to obtain the root password, because with shadow passwords the password hashes are stored in /etc/shadow, which is readable only by root.

3. Run ntsysv to check whether any unneeded daemons are started. Remember: start only the daemons whose services you want to provide; this gives the greatest assurance of security.

4. Create as few user accounts as possible, and keep upgrading packages that have security vulnerabilities.

Please credit the original address when reposting: https://www.9cbs.com/read-3517.html
