How to set up a reliable firewall system to protect a company's internal network
Release Date: 1999-9-12
Source: China Linux Forum
Author: Wu Ah Ting
Background: The company is connected to its ISP over a DDN line. We want to use a Linux server as a firewall for the internal network 192.168.11.0. The firewall's external network card is connected to the router, which in turn connects to the ISP's router, and that external interface is assigned a permanent Internet IP address.
Functions: Because the company already has its own mail server system inside, users browse external HTTP/HTTPS/FTP sites over this line only through a Squid proxy, and some users are also allowed to send and receive external email and to use RealPlayer, ICQ and similar programs (through IP masquerading).
Goal: How to configure a strict firewall system that guards against the various attacks coming from the Internet.
Required hardware and software: Red Hat Linux 5.2 and two 3Com 3C509B ISA network cards.
Implementation process:
1. Under DOS, use the 3C5X9CFG.exe utility supplied with the 3Com 3C509B cards to configure both cards: disable their PnP function and manually assign each a different I/O address and interrupt number. My two cards use 0x320, IRQ 10 and 0x300, IRQ 5 respectively.
2. Configure /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1. In general eth0 is the firewall's external interface card and eth1 is the internal one. Set the default gateway to the Ethernet port of the router attached to the firewall. If a different default gateway has already been set, you can also change it manually in /etc/rc.d/rc.local so that the change is made automatically after every boot; for example, suppose your external interface's permanent IP address is a.b.c.d and the original default gateway is 192.168.11.1.
Here is my /etc/rc.d/rc.local file:
# enable IP forwarding between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# replace the original default gateway with the external address
/sbin/route del default gw 192.168.11.1
/sbin/route add default gw a.b.c.d
# masquerading helper modules for protocols that carry addresses in their payload
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_vdolive
# load the firewall rule set
/etc/rc.d/firewall.rules
3. When installing the system, choose as few packages as possible (the smaller the package set, the better). After installation, configure /etc/inetd.conf so that only the FTP and Telnet services are enabled, for ease of internal maintenance, but at the same time configure /etc/hosts.allow and /etc/hosts.deny so that only a few specified machines on the internal network card's segment may use the Telnet/FTP services; add ALL: ALL to /etc/hosts.deny so that every other service is refused.
4. Create as few accounts as necessary, enable shadow passwords and choose a hard-to-guess root password; upgrade the kernel from the updates.redhat.com site and fix all packages with known security vulnerabilities.
5. Here is my /etc/rc.d/firewall.rules (it needs execute permission):
[root@sh-proxy network-scripts]# more /etc/rc.d/firewall.rules
#!/bin/sh
echo "Starting FireWall Rules ..."
# Clear all previous firewall rules
# refresh all firewall rules
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
# Default policy: deny every input (I), output (O) and forward (F) packet
# setup default firewall rules
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -I -p deny
/sbin/ipfwadm -O -p deny
# Permanent IP address of the firewall's external network card
ISP_IP=a.b.c.d
# Accept all packets on the local loopback interface
# setup loopback interface
/sbin/ipfwadm -I -a accept -W lo
/sbin/ipfwadm -O -a accept -W lo
# Allow all hosts on the internal segment in and out of the firewall's internal interface
# allow all internal traffic
/sbin/ipfwadm -I -a accept -W eth1 -S 192.168.11.0/24
/sbin/ipfwadm -O -a accept -W eth1 -D 192.168.11.0/24
# Block IP spoofing with the following rules
# disabling ip spoof
# Block the reserved class C addresses on the firewall's external interface
/sbin/ipfwadm -I -a deny -W eth0 -S 192.168.0.0/16
/sbin/ipfwadm -O -a deny -W eth0 -D 192.168.0.0/16
# Block packets entering or leaving the external interface that claim to be from the firewall itself
/sbin/ipfwadm -I -a deny -W eth0 -S $ISP_IP/32
/sbin/ipfwadm -O -a deny -W eth0 -D $ISP_IP/32
# Block the outside world from talking directly to the internal segment behind the firewall
/sbin/ipfwadm -I -a deny -W eth0 -D 192.168.0.0/16
/sbin/ipfwadm -O -a deny -W eth0 -S 192.168.0.0/16
# Block packets claiming to be to or from the loopback interface
# refuse packets claiming to be to or from the loopback interface
/sbin/ipfwadm -I -a deny -W eth0 -S 127.0.0.0/8
/sbin/ipfwadm -I -a deny -W eth0 -D 127.0.0.0/8
/sbin/ipfwadm -O -a deny -W eth0 -S 127.0.0.0/8
/sbin/ipfwadm -O -a deny -W eth0 -D 127.0.0.0/8
# Block broadcast packets arriving from the outside world
# refuse broadcast address source packets
/sbin/ipfwadm -I -a deny -W eth0 -S 255.255.255.255
/sbin/ipfwadm -I -a deny -W eth0 -D 0.0.0.0
# refuse multicast/anycast/broadcast address
/sbin/ipfwadm -I -a deny -W eth0 -S 240.0.0.0/3
# Forward packets between internal-segment hosts on the firewall's internal interface
# forwarding all internal traffic
/sbin/ipfwadm -F -a accept -W eth1 -S 192.168.11.0/24 -D 192.168.11.0/24
# Set IP masquerading rules, allowing some machines to be masqueraded
# setup ip masquerading rules
/sbin/ipfwadm -F -a accept -m -W eth0 -S 192.168.11.11/32
/sbin/ipfwadm -F -a accept -m -W eth0 -S 192.168.11.12/32
/sbin/ipfwadm -F -a accept -m -W eth0 -S 192.168.11.13/32
# Block ICMP-based attacks from the outside world: only these ICMP types are accepted
# prevent denial of service attacks based on ICMP bombs
/sbin/ipfwadm -I -a accept -P icmp -W eth0 -S any/0 0 3 4 11 12 -D $ISP_IP/32
/sbin/ipfwadm -O -a accept -P icmp -W eth0 -S $ISP_IP/32 3 4 8 12 -D 0.0.0.0/0
# Allow internal users to access external HTTP servers through the firewall
# http client (80); -k accepts only replies (ACK set), never new connections
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 80 -D $ISP_IP/32 1024:65535
# Allow internal users to access external HTTPS servers through the firewall
# https client (443)
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 443 -D $ISP_IP/32 1024:65535
# Allow internal users to receive mail from outside POP3 servers through the firewall
# pop3 client (110)
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 110 -D $ISP_IP/32 1024:65535
# Allow internal users to access external FTP servers through the firewall
# ftp client (20, 21)
# response to outgoing request
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 21 -D $ISP_IP/32 1024:65535
# normal (active) mode data channel: the server opens the connection from port 20
/sbin/ipfwadm -I -a accept -P tcp -W eth0 -S any/0 20 -D $ISP_IP/32 1024:65535
# passive mode data channel responses
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 1024:65535 -D $ISP_IP/32 1024:65535
# Allow internal users to send mail to external SMTP servers through the firewall
# smtp client (25)
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 25 -D $ISP_IP/32 1024:65535
# Allow internal users to query the DNS server on the external Internet
# dns client (53)
/sbin/ipfwadm -I -a accept -P udp -W eth0 -S 202.96.199.133/32 53 -D $ISP_IP/32 1024:65535
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S 202.96.199.133/32 53 -D $ISP_IP/32 1024:65535
# Allow internal users to access chat rooms on the Internet
# irc client (6667)
/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 6667 -D $ISP_IP/32 1024:65535
# Allow internal users to use RealPlayer (rules currently commented out)
# realaudio client
#/sbin/ipfwadm -I -a accept -P tcp -k -W eth0 -S any/0 1024:65535 -D $ISP_IP/32 554 7070 7071
# udp is the preferred method
#/sbin/ipfwadm -I -a accept -P udp -W eth0 -S any/0 1024:65535 -D $ISP_IP/32 6970:7170
# Allow the firewall to run xntpd and synchronize its clock with a time server on the Internet
# ntp time clients (123)
/sbin/ipfwadm -I -a accept -P udp -W eth0 -S tock.usno.navy.mil 123 -D $ISP_IP/32 1024:65535
# Allow internal users to use ICQ
# icq client (4000)
/sbin/ipfwadm -I -a accept -P udp -b -W eth0 -S icq.mirabilis.com 4000 -D $ISP_IP/32 1024:65535
/sbin/ipfwadm -I -a accept -P tcp -W eth0 -S icq.mirabilis.com 4000 -D $ISP_IP/32 1024:65535
# Allow all packets to leave through the firewall's external interface
# allow all packets from external interface to output to outside world
/sbin/ipfwadm -O -a accept -W eth0 -S $ISP_IP/32
echo "DONE"
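To check what the input chain above actually lets through, here is a small Python model of its rule order, added here as an illustration; it is not part of the original article and not ipfwadm itself. It assumes the documentation address 203.0.113.5 in place of a.b.c.d and models only the loopback, internal, anti-spoofing, HTTP-reply and active-FTP-data rules.

```python
# Added model of the page's ipfwadm input (-I) chain: ordered rules, first match
# wins, default policy deny. An illustration for checking the policy, not ipfwadm.
import ipaddress
ISP_IP = "203.0.113.5"     # assumed stand-in for the page's a.b.c.d (documentation range)
HIGH = range(1024, 65536)  # the 1024:65535 client port range used by the rules

def rule(action, iface, src="0.0.0.0/0", dst="0.0.0.0/0",
         proto=None, sports=None, dports=None, k=False):
    """One ipfwadm rule; k=True mirrors -k (match only TCP packets with ACK set)."""
    return dict(action=action, iface=iface, src=ipaddress.ip_network(src),
                dst=ipaddress.ip_network(dst), proto=proto,
                sports=sports, dports=dports, k=k)

# Same order as in firewall.rules (ICMP, UDP and most service rules left out).
INPUT_RULES = [
    rule("accept", "lo"),
    rule("accept", "eth1", src="192.168.11.0/24"),
    rule("deny", "eth0", src="192.168.0.0/16"),          # anti-spoofing block
    rule("deny", "eth0", src=ISP_IP + "/32"),
    rule("deny", "eth0", dst="192.168.0.0/16"),
    rule("deny", "eth0", src="127.0.0.0/8"),
    rule("accept", "eth0", proto="tcp", sports=[80], dst=ISP_IP + "/32", dports=HIGH, k=True),
    rule("accept", "eth0", proto="tcp", sports=[20], dst=ISP_IP + "/32", dports=HIGH),
]

def matches(r, p):
    if r["iface"] != p["iface"] or (r["proto"] and r["proto"] != p["proto"]):
        return False
    if (ipaddress.ip_address(p["src"]) not in r["src"]
            or ipaddress.ip_address(p["dst"]) not in r["dst"]):
        return False
    if r["sports"] is not None and p["sport"] not in r["sports"]:
        return False
    if r["dports"] is not None and p["dport"] not in r["dports"]:
        return False
    return not r["k"] or p["ack"]   # -k: a SYN without ACK never matches

def verdict(p, rules=INPUT_RULES, policy="deny"):
    """Walk the chain as the kernel does: the first matching rule decides."""
    for r in rules:
        if matches(r, p):
            return r["action"]
    return policy

def pkt(iface, src, dst, proto="tcp", sport=0, dport=0, ack=False):
    return dict(iface=iface, src=src, dst=dst, proto=proto, sport=sport, dport=dport, ack=ack)
if __name__ == "__main__":   # constructed sample packets
    print(verdict(pkt("eth0", "198.51.100.7", ISP_IP, sport=80, dport=1025, ack=True)))  # accept
    print(verdict(pkt("eth0", "192.168.11.5", ISP_IP, sport=80, dport=1025, ack=True)))  # deny
    print(verdict(pkt("eth0", "198.51.100.7", ISP_IP, sport=80, dport=1025)))            # deny
    print(verdict(pkt("eth0", "198.51.100.7", ISP_IP, sport=20, dport=1030)))            # accept
```

The last sample shows the cost of the page's active-mode FTP rule: without -k it accepts a brand-new connection from any outside host using source port 20 to any high port on the firewall, which is a reason to prefer passive mode where clients support it.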
Notes:
1. While using ICQ I found that the ICQ rules had to be run several times a day to make sure that users on the internal network could connect to the ICQ server at all times, so I set up the crontab job below:
[root@sh-proxy rc.d]# crontab -e
15 7,8,15,16,20,22 * * * /usr/bin/icq
0 10 * * 1,2,3,4,5 /etc/rc.d/init.d/xntpd restart
0,20,40 * * * * /bin/sync
[root@sh-proxy rc.d]# more /usr/bin/icq
#!/bin/sh
# re-add the ICQ rules for the external interface
ISP_IP=a.b.c.d
/sbin/ipfwadm -I -a accept -P udp -b -W eth0 -S icq.mirabilis.com 4000 -D $ISP_IP/32 1024:65535
/sbin/ipfwadm -I -a accept -P tcp -b -W eth0 -S icq.mirabilis.com 4000 -D $ISP_IP/32 1024:65535
2. The focus of this article is preventing attacks on the firewall from the Internet; it does not effectively prevent attacks coming from users on the internal network. If you need that, set it up according to your company's environment.
3. The tool this article uses to set up the firewall is ipfwadm. Users of Red Hat 6.0 or any 2.2 kernel should use ipchains instead.
4. This article allows many services, such as RealPlayer, NTP, ICQ, SMTP and POP3. Of course, the more services you allow, the worse the security; cut them down as needed.