Build DMZ with Linux firewall

xiaoxiao2021-03-06  65


Summary

To give different resources different security levels, consider building an area called a "demilitarized zone" (DMZ). A DMZ is a special network segment that is neither the external network nor the intranet. It usually holds public servers that contain no confidential information, such as web, mail and FTP servers. Visitors from the external network can reach the services in the DMZ but cannot touch the confidential or private data stored on the intranet; even if a server in the DMZ is compromised, the confidential information on the intranet is unaffected. (2004-11-14 14:46:52)

By lanf, source: http://tech.ccidnet.com/pub/Article/c302_a176695_p1.html

Author: Yu Haifa. Source: Open Systems World

The importance of defence in network security needs no further explanation, and the most common form of protection is a firewall. The firewall serves as the network's first line of defence and is usually placed between the external network and the network that must be protected. The simplest arrangement is to put the firewall directly between the external network and the enterprise network: all traffic entering the enterprise network passes through the firewall, so every client and server in the company is behind it. This is simple and cheap, and for some small and medium enterprises it works well. Its weakness is that it is too coarse. An enterprise has many servers and clients, and different resources have different security requirements. Servers cannot be treated at the security level of clients without putting them in serious danger, and clients cannot be treated at the security level of servers without making work very inconvenient for users.

To give different resources different security levels, consider building an area called a "demilitarized zone" (DMZ). A DMZ is a special network segment that is neither the external network nor the intranet. It usually holds public servers that contain no confidential information, such as web, mail and FTP servers. Visitors from the external network can reach the services in the DMZ but cannot touch the confidential or private data stored on the intranet; even if a server in the DMZ is compromised, the confidential information on the intranet is unaffected.

Many firewall products offer a DMZ interface. Hardware firewalls, built on dedicated chips, have a clear advantage in performance and throughput, but software firewalls are very cost-effective and serve ordinary enterprises well, and a Linux firewall is cheaper still. This article therefore describes a way of dividing off a DMZ on a Linux firewall.

Building the DMZ policy

Starting with the 2.4 kernel, Linux formally replaced ipfwadm and ipchains with iptables for managing packet filtering. Packet filtering itself is implemented by a kernel component called Netfilter. In the 2.4 kernel Netfilter has three tables (filter, nat and mangle); the default table, filter, contains three built-in chains: INPUT filters packets addressed to the firewall host itself, OUTPUT filters packets the firewall host generates, and FORWARD filters packets that the host routes from one network interface to another. Building a firewall with a DMZ means configuring these chains. Traffic from the external network arrives on the network card connected to it (eth0). A packet that is not addressed to the firewall itself is handed to the routing table, which decides where it goes next: if the destination address belongs to the DMZ segment the packet is sent out through the card connected to the DMZ (eth1); if it is an intranet address it goes out through the card connected to the intranet (eth2). In both cases the packet passes through the FORWARD chain on the way, and that is where it is accepted or dropped. Table 1 shows the permitted access relationships between the three networks.

Table 1 Inter-network access relationships (row = source, column = destination)

From \ To     Intranet   External   DMZ
Intranet      -          Y          Y
External      N          -          Y
DMZ           N          N          -

From Table 1, six access-control policies follow.

1. The intranet can access the external network. Users inside obviously need to reach the outside freely. For this policy the firewall must perform source address translation (SNAT), since the intranet uses private addresses.

2. The intranet can access the DMZ. This lets intranet users use and administer the servers in the DMZ.

3. The external network cannot access the intranet. The intranet holds internal data, and outside users are never allowed to reach it.

4. The external network can access the servers in the DMZ. The DMZ exists to serve the outside world, so the external network must be able to reach it. The firewall must also translate the published external address into the server's real address (DNAT).

5. The DMZ cannot access the intranet. If this policy is violated, an intruder who has taken over a DMZ host can go on to attack important data on the intranet.

6. The DMZ cannot access the external network. This policy has exceptions: a mail server placed in the DMZ, for example, must be able to reach the external network or it cannot deliver mail.

DMZ implementation

Following the access-control policies above, the filter rules of the Linux firewall can now be set. Below, a fictional network environment is used to show how to build the firewall rules corresponding to each of the six policies. Real deployments will differ in detail, but the discussion carries over, and the rules can be adapted to the specific situation. The network topology of the fictional environment is shown in Figure 1.

Figure 1 DMZ network topology map

As shown in Figure 1, the router is connected to the Internet and to the firewall. The Linux server acting as the firewall has three network cards: eth0 is connected to the router, eth1 to the hub of the DMZ, and eth2 to the intranet hub. To keep the example abstract, "[intranet address]" stands for a concrete value such as "192.168.1.0/24"; "[external network address]" and "[DMZ address]" are used the same way. A basic principle of firewall configuration is to forbid all traffic first and then open only what is necessary. So the script begins by clearing the system's existing rules and setting the default policy of INPUT, OUTPUT and FORWARD to drop every packet. The corresponding firewall script is as follows:

# Flush out the tables and delete all user-defined chains
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
# Drop every packet by default
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

Note that a DROP policy on INPUT and OUTPUT also cuts off the firewall host itself, remote administration included; explicit INPUT and OUTPUT rules are needed for any service the firewall host must provide or use.

Next, the six policies are implemented one by one.

1. The intranet can access the external network. The corresponding firewall script fragment is:

/sbin/iptables -t nat -A POSTROUTING -s [intranet address] -d [external network address] -o eth0 -j SNAT --to [NAT real IP]

When a packet leaves through eth0, the card connected to the external network, its intranet source address is replaced by the real Internet IP, so the intranet host can communicate with hosts on the external network. "[NAT real IP]" is the real IP assigned to NAT users; --to (--to-source) accepts a single address or a range of addresses, but at least one must be given. Because the FORWARD policy is DROP, this NAT rule alone passes no traffic: a FORWARD rule accepting packets from [intranet address] that leave through eth0, and one accepting the replies, is also required.

2. The intranet can access the DMZ. The corresponding firewall script is:

/sbin/iptables -A FORWARD -s [intranet address] -d [DMZ address] -i eth2 -j ACCEPT

This command lets every packet that comes from the intranet and is destined for the DMZ pass through.

3. The external network cannot access the intranet. The corresponding firewall script fragment is:

/sbin/iptables -t nat -A PREROUTING -s [external network address] -d [intranet address] -i eth0 -j DROP

The command drops all packets that come from the external network and are destined for the intranet. Dropping in the nat table is a poor choice, however: the nat table is consulted only for the first packet of a connection, and DROP there is deprecated. Filtering belongs in the filter table's FORWARD chain (the same rule with -A FORWARD and without -t nat), whose DROP policy already discards such packets unless a later rule explicitly accepts them.

4. The external network can access the DMZ. To protect the servers in the DMZ, access from the external network is restricted: the usual approach is to allow the external network to reach only the specific services the DMZ servers provide, such as HTTP. The corresponding firewall script is:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -d [Internet IP assigned to the HTTP server] -s [external network address] -i eth0 -j DNAT --to [HTTP server actual IP]
/sbin/iptables -A FORWARD -p tcp -s [external network address] -d [HTTP server actual IP] -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d [external network address] -s [HTTP server actual IP] -i eth1 --sport 80 ! --syn -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s [external network address] -d [DMZ address] -i eth0 -j DROP

The first rule rewrites the destination of HTTP requests from the published Internet address to the server's real address before routing; the second accepts those requests in FORWARD; the third accepts the server's replies, that is, packets with source port 80 that are not connection openers (hence "! --syn"); the final rule drops anything else from the external network aimed at DMZ addresses. Together they open only the HTTP service, so only HTTP packets for the DMZ pass the firewall. The third rule is stateless, and "! --syn" also admits any non-SYN packet that merely claims source port 80; on a kernel with connection tracking, a single rule "-m state --state ESTABLISHED,RELATED -j ACCEPT" at the top of FORWARD covers the replies of every accepted service and is harder to abuse.

5. The DMZ cannot access the intranet. The corresponding firewall script is:

/sbin/iptables -A FORWARD -s [DMZ address] -d [intranet address] -i eth1 -j DROP

This command drops all packets from the DMZ to the intranet. Note that the replies DMZ servers send to intranet clients (policy 2) also match this rule, so the rules that accept replies (the "! --syn" style of policy 4, or a stateful ESTABLISHED rule) must appear before it in the FORWARD chain.
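As an added worked example, not code from the original article, the following script puts the initial flush and default-drop setup together with all six policies in one runnable file, using stateful connection tracking in place of the article's stateless "! --syn" reply rules. The interface names, the 192.168.x.0/24 and 203.0.113.x addresses, and the mail-server exception used for policy 6 are assumptions chosen for illustration. By default it only prints the iptables commands (IPT defaults to "echo /sbin/iptables"); run it as root with IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original article): a complete three-interface
# DMZ firewall implementing the six policies of Table 1 with stateful
# (conntrack) matching. Addresses, interface names and the mail-server
# exception are assumptions for illustration.

# Dry run by default: commands are printed, not executed.
# Run as root with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo /sbin/iptables}"

EXT_IF=eth0            # to the router / Internet
DMZ_IF=eth1            # to the DMZ hub
INT_IF=eth2            # to the intranet hub
INT_NET=192.168.1.0/24 # [intranet address]
DMZ_NET=192.168.2.0/24 # [DMZ address]
NAT_IP=203.0.113.1     # [NAT real IP]: public address used for SNAT
WEB_PUB=203.0.113.2    # public address published for the HTTP server
WEB_REAL=192.168.2.10  # [HTTP server actual IP] inside the DMZ
MAIL_REAL=192.168.2.20 # DMZ mail server allowed out (policy 6 exception)

flush_all() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

# INPUT/OUTPUT DROP also isolates the firewall host itself; add explicit
# INPUT/OUTPUT rules for any management access the host must provide.
default_drop() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# Replies to any connection accepted below are allowed back through FORWARD.
# This one rule replaces per-service "! --syn" rules and is why the later
# DMZ->intranet DROP does not break intranet->DMZ sessions.
allow_established() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
}

# Policy 1: intranet -> external network with source NAT. The SNAT rule alone
# passes nothing while FORWARD's policy is DROP, so the ACCEPT is required too.
policy_int_to_ext() {
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $NAT_IP
}

# Policy 2: intranet -> DMZ (users and administrators reaching the servers).
policy_int_to_dmz() {
    $IPT -A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
}

# Policy 3: external -> intranet is never accepted. The FORWARD policy already
# drops it; the explicit rule makes the intent visible and countable.
policy_ext_to_int() {
    $IPT -A FORWARD -i $EXT_IF -d $INT_NET -j DROP
}

# Policy 4: external -> DMZ, only to the published service (HTTP here).
# DNAT rewrites the public address to the real one before routing,
# so FORWARD matches on the rewritten destination.
policy_ext_to_dmz() {
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $WEB_PUB --dport 80 -j DNAT --to-destination $WEB_REAL
    $IPT -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $WEB_REAL --dport 80 -m state --state NEW -j ACCEPT
}

# Policy 5: DMZ -> intranet is dropped, so a compromised DMZ host cannot reach
# internal data. Placed after allow_established, so replies still flow.
policy_dmz_to_int() {
    $IPT -A FORWARD -i $DMZ_IF -s $DMZ_NET -d $INT_NET -j DROP
}

# Policy 6: DMZ -> external is dropped, except that the mail server must
# deliver mail (SMTP) and resolve names (DNS).
policy_dmz_to_ext() {
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $MAIL_REAL -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $MAIL_REAL -p udp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $MAIL_REAL -o $EXT_IF -j SNAT --to-source $NAT_IP
    $IPT -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -j DROP
}

# Emits (or applies) the whole rule set in the order the chains need.
dmz_rules() {
    flush_all
    default_drop
    allow_established
    policy_int_to_ext
    policy_int_to_dmz
    policy_ext_to_int
    policy_ext_to_dmz
    policy_dmz_to_int
    policy_dmz_to_ext
}

dmz_rules
```

Rule order matters: the ESTABLISHED,RELATED rule is appended before the two DROP rules for the DMZ, so intranet-to-DMZ and external-to-HTTP sessions get their replies back while new connections out of the DMZ are still refused. Run the script once with the default dry-run setting and read the printed commands before applying them with IPT=/sbin/iptables.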

Please credit the original source when reposting: https://www.9cbs.com/read-89399.html
