The importance of defense in network security goes without saying, and the firewall is the most common way to provide it. The firewall serves as the first line of defense and is normally placed between the external network and the network that needs protecting. The simplest arrangement puts the firewall directly between the external network and the enterprise network: all traffic entering the enterprise network passes through the firewall, so every client and server in the company sits behind it. This is simple and easy for some small and medium-sized enterprises, and in some cases it is a perfectly good solution. However, the structure is crude. An enterprise has many different resources, servers and clients among them, and their security requirements differ. Servers cannot be treated with the security level of clients, or they will be badly exposed; equally, clients cannot be treated with the security level of servers, or users will find the network very inconvenient to use.
To provide different security levels for different resources, consider building a region called the Demilitarized Zone (DMZ). A DMZ can be understood as a special network area, separate from both the external network and the intranet. The DMZ normally hosts the public servers that hold no confidential information, such as web, mail and FTP servers. Visitors from the external network can reach the services in the DMZ but cannot touch the confidential or private data stored on the intranet. Even if a server in the DMZ is compromised, the confidential information on the intranet stays out of the attacker's reach, provided the DMZ itself is not allowed to initiate connections into the intranet.
Many firewall products offer a DMZ interface. Hardware firewalls, built on dedicated chips, have a clear advantage in throughput and performance. Software firewalls are very cost-effective and work well for the average enterprise, and a Linux firewall is cheaper still. This article therefore describes a method of carving out a DMZ on a Linux firewall.
Constructing the DMZ policy
Starting with the 2.4 kernel, Linux officially replaced the earlier ipfwadm and ipchains with iptables as the tool for managing its packet filtering. The packet filter itself is implemented by a kernel component called Netfilter. Netfilter has three tables, filter, nat and mangle; the default table, filter, contains three chains: INPUT filters packets addressed to the firewall host itself, OUTPUT filters packets generated by the firewall host, and FORWARD filters packets routed between network interfaces. Building a firewall with a DMZ means setting rules on these chains. Traffic that arrives on the NIC connected to the external network (eth0) and is destined for another network is handled by the FORWARD chain, not INPUT, because the firewall is routing it rather than receiving it: if the destination address belongs to the DMZ segment, the packet is forwarded out of the NIC connected to the DMZ (eth1); if it is an intranet address, the packet is forwarded out of the NIC connected to the intranet (eth2). Table 1 shows the access relationships between the networks.
  From \ To     Intranet    DMZ    External
  Intranet         -         Y        Y
  DMZ              N         -        N
  External         N         Y        -
Table 1 Inter-network access relationship table (rows: source, columns: destination; Y = allowed, N = denied)
From Table 1, the following six access control policies can be derived.
1. The intranet can access the external network
Users on the intranet obviously need to reach the external network freely. Under this policy the firewall must perform source address translation, because intranet addresses are private and cannot be routed on the Internet.
2. The intranet can access the DMZ
This policy lets intranet users use and administer the servers in the DMZ.
3. The external network cannot access the intranet
Obviously, the internal data stored on the intranet must not be accessible to external users.
4. The external network can access the DMZ
The servers in the DMZ exist to provide services to the outside world, so the external network must be able to reach the DMZ. At the same time, the firewall must perform destination address translation on this traffic, from the public address to the server's actual address in the DMZ.
5. The DMZ cannot access the intranet
Obviously, if this policy is violated, an intruder who captures a DMZ server can go on to attack the important data on the intranet.
6. The DMZ cannot access the external network
This policy has exceptions: a mail server placed in the DMZ, for instance, has to reach the external network to deliver mail, or it will not work properly.
DMZ implementation
The filtering rules of the Linux firewall can now be set according to the access control policies above. Below, in a fictional network environment, we show how to build the corresponding firewall rules from the six policies. Specific deployments will differ from this discussion, but it should help in practice; users should adjust the settings to their own situation. The network topology of the fictional environment is shown in Figure 1.
Figure 1 DMZ network topology
As shown in Figure 1, the router connects the Internet to the firewall. The Linux server acting as the firewall has three NICs: eth0 connects to the router, eth1 connects to the hub of the DMZ, and eth2 connects to the intranet hub. To keep the example abstract, we write "[intranet address]" in place of a concrete value such as "192.168.1.0/24", and likewise "[external network address]" and "[DMZ address]".
One of the principles of firewall construction is to forbid all traffic first and then open only the communication that is necessary. Therefore, at the start, the system's existing rules are flushed, and the default policy of the INPUT, OUTPUT and FORWARD chains is set to DROP, so that any packet matched by no rule is discarded.
The corresponding firewall script is as follows:
Implementation of the six policies
1. The intranet can access the external network
The corresponding firewall script is as follows:
/sbin/iptables -t nat -A POSTROUTING -s [intranet address] -d [external network address] -o eth0 -j SNAT --to [NAT public IP]
When a packet from the intranet leaves through eth0, the NIC connected to the external network, its source address is rewritten to the firewall's public Internet IP, so that an intranet host can talk to hosts on the external network. "[NAT public IP]" is the public IP assigned to the NAT; a range of addresses may be given in the form a.b.c.d-a.b.c.e, but at least one address is required. Note that SNAT only rewrites addresses: because the FORWARD chain defaults to DROP, a matching FORWARD ACCEPT rule for traffic from eth2 to eth0 (and one for the replies, in the style of policy 4) is also needed before any intranet packet actually passes the firewall.
2. The intranet can access the DMZ
The corresponding firewall script is as follows:
/sbin/iptables -A FORWARD -s [intranet address] -d [DMZ address] -i eth2 -j ACCEPT
The command above accepts all packets from the intranet whose destination is the DMZ. The replies from the DMZ servers back to intranet clients are not covered by this rule and must be allowed separately, either with a non-SYN return rule of the kind used in policy 4 or with a connection-tracking rule; either way that rule has to come before the DMZ-to-intranet DROP of policy 5.
3. The external network cannot access the intranet
The corresponding firewall script is as follows:
/sbin/iptables -A FORWARD -s [external network address] -d [intranet address] -i eth0 -j DROP
The command above discards every packet arriving from the external network that is addressed to the intranet. It belongs in the FORWARD chain of the filter table rather than in the nat table: the nat table is consulted only for the first packet of a connection and is meant for address translation, not for filtering. With the FORWARD policy already set to DROP the rule is strictly redundant, but stating it explicitly documents the intent, and because rules are evaluated in order, no looser ACCEPT rule appended later can override it.
4. The external network can access the DMZ
To protect the servers in the DMZ, access from the external network to the DMZ is restricted as well. The usual approach is to allow the external network to reach only the specific services the DMZ servers provide, such as HTTP.
The corresponding firewall script is as follows:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -d [public IP assigned to the HTTP server] -s [external network address] -i eth0 -j DNAT --to [actual IP of HTTP server]
/sbin/iptables -A FORWARD -p tcp -s [external network address] -d [actual IP of HTTP server] -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d [external network address] -s [actual IP of HTTP server] -i eth1 --sport 80 ! --syn -j ACCEPT
/sbin/iptables -A FORWARD -s [external network address] -d [DMZ address] -i eth0 -j DROP
These rules open only the HTTP service: of all traffic from the external network to the DMZ, only packets of the HTTP service pass the firewall. Two details matter. First, the order: the two ACCEPT rules are appended before the final DROP, which catches everything else from eth0 into the DMZ. Second, DNAT happens in PREROUTING, so by the time a packet reaches FORWARD its destination is already the server's actual DMZ address, which is why the FORWARD rule matches on that address and not on the public one. The return rule relies on "! --syn", which lets any non-SYN packet from port 80 through; on kernels with connection tracking, a rule that matches only the ESTABLISHED state is tighter.
5. The DMZ cannot access the intranet
The corresponding firewall script is as follows:
/sbin/iptables -A FORWARD -s [DMZ address] -d [intranet address] -i eth1 -j DROP
The command above discards every packet from the DMZ to the intranet. It must be appended after whatever rule admits the replies of DMZ servers to intranet clients (see policy 2), otherwise those replies are discarded as well.
6. The DMZ cannot access the external network
The corresponding firewall script is as follows:
/sbin/iptables -t nat -A POSTROUTING -p tcp --dport 25 -s [mail server IP] -d [external network address] -o eth0 -j SNAT --to [public IP assigned to the mail server]
/sbin/iptables -A FORWARD -p tcp -s [mail server IP] -d [external network address] -i eth1 --dport 25 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d [mail server IP] -s [external network address] -i eth0 --sport 25 ! --syn -j ACCEPT
These commands allow only the mail server in the DMZ to open connections to the SMTP port (25) of hosts on the external network, and accept the replies; every other packet from the DMZ to the external network is discarded by the DROP policy of the FORWARD chain, so no explicit prohibition is needed. Inbound mail, delivered to port 25 of the mail server from the Internet, is a separate flow and would need DNAT and FORWARD rules in the style of policy 4.
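The initialisation step and the six policies above, assembled into one complete script. This is an added example, not the article's own script. It keeps the interface layout of Figure 1 (eth0 external, eth1 DMZ, eth2 intranet) but differs from the rules above in three deliberate ways: connection tracking (-m conntrack) admits the replies of every permitted flow instead of a "! --syn" rule per service, all filtering lives in the FORWARD chain of the filter table, and the FORWARD ACCEPT rules are present without which the SNAT rule of policy 1 would pass nothing. The addresses (192.168.1.0/24 intranet, 192.168.2.0/24 DMZ, 203.0.113.10 public IP, 192.168.2.10 web server, 192.168.2.20 mail server), the SSH-from-intranet rule for administering the firewall host and the anti-spoofing rules are assumptions made for the demo. By default the script only prints the commands; DRY_RUN=0 executes them and must be run as root.

```shell
#!/bin/sh
# Complete ruleset for the three-NIC DMZ firewall of Figure 1 (added example).
# Interfaces follow the article; every address below is an assumption for the
# demo (192.168.1.0/24 is the article's own sample intranet value).
EXT_IF=eth0                 # to the router / Internet
DMZ_IF=eth1                 # to the DMZ hub
INT_IF=eth2                 # to the intranet hub
INT_NET=192.168.1.0/24      # intranet
DMZ_NET=192.168.2.0/24      # DMZ
EXT_IP=203.0.113.10         # public IP of the firewall, used for SNAT and DNAT
WEB_DMZ=192.168.2.10        # HTTP server in the DMZ
MAIL_DMZ=192.168.2.20       # mail server in the DMZ
IPT=/sbin/iptables
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = execute them (as root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_rules() {
    # Initialisation: enable routing, flush everything, deny by default.
    run sysctl -w net.ipv4.ip_forward=1
    run $IPT -F; run $IPT -t nat -F; run $IPT -X; run $IPT -t nat -X
    run $IPT -P INPUT DROP; run $IPT -P OUTPUT DROP; run $IPT -P FORWARD DROP

    # Traffic to and from the firewall host itself: loopback, replies to its
    # own connections, and SSH administration from the intranet only (assumed).
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A OUTPUT -o lo -j ACCEPT
    run $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run $IPT -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Anti-spoofing: packets with internal source addresses never arrive on eth0.
    run $IPT -A FORWARD -i $EXT_IF -s $INT_NET -j DROP
    run $IPT -A FORWARD -i $EXT_IF -s $DMZ_NET -j DROP

    # One rule admits the replies of every flow permitted below; this replaces
    # the per-service "! --syn" return rules of the article.
    run $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Policy 5 (DMZ -> intranet: never) and policy 3 (external -> intranet:
    # never) come first, so no ACCEPT rule added later can widen them.
    run $IPT -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
    run $IPT -A FORWARD -i $EXT_IF -o $INT_IF -j DROP

    # Policy 1: intranet -> external, source-translated to the public IP.
    run $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET \
        -m conntrack --ctstate NEW -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP

    # Policy 2: intranet -> DMZ.
    run $IPT -A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET \
        -m conntrack --ctstate NEW -j ACCEPT

    # Policy 4: external -> DMZ, HTTP only. DNAT runs in PREROUTING, so the
    # FORWARD rule matches the server's real DMZ address, not the public one.
    run $IPT -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 80 \
        -j DNAT --to-destination $WEB_DMZ
    run $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -d $WEB_DMZ -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Policy 6: DMZ -> external only for the mail server, only SMTP, and
    # source-translated like the intranet. Everything else from the DMZ is
    # caught by the DROP policy of the FORWARD chain.
    run $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $MAIL_DMZ -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $EXT_IF -s $MAIL_DMZ -j SNAT --to-source $EXT_IP
}

# Usage:  sh dmz-fw.sh            prints the rules
#         DRY_RUN=0 sh dmz-fw.sh  installs them (run as root)
build_rules
```

Order matters: the DMZ-to-intranet DROP is placed before every ACCEPT so that no later rule can widen it, and the ESTABLISHED,RELATED rule sits at the top so that replies for every permitted flow are handled in one place. After installing, iptables -L FORWARD -v -n shows the chain with packet counters, which is the quickest way to see which of the six policies a test connection actually hit.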
The basic rules above implement the six policies. In practice they must be adapted to the specific environment, but set up properly, Linux makes a very good firewall. It should be added that a firewall of any kind provides only limited protection: configuring one does not by itself make the network secure; the key is to combine the full range of security measures.