Linux 24 stateful firewall design.docx
- Document number: 7320979
- Upload date: 2023-05-11
- Format: DOCX
- Pages: 27
- Size: 28.92KB
Linux 2.4 stateful firewall design
Presented by developerWorks, your source for great tutorials

Table of Contents

If you're viewing this document online, you can click any of the topics below to link directly to that section.

1. About this tutorial ........ 2
2. First steps ................ 3
3. Defining rules ............. 6
4. Stateful firewalls ......... 8
5. Stateful improvements ...... 12
6. Stateful servers ........... 17
7. Building a better server firewall ... 21
8. Resources .................. 23

Linux 2.4 stateful firewall design - Page 1
Section 1. About this tutorial

Should I take this tutorial?

This tutorial shows you how to use netfilter to set up a powerful Linux stateful firewall. All you need is an existing Linux system that's currently using a Linux 2.4 kernel. A laptop, workstation, router or server with a Linux 2.4 kernel will do.

You should be reasonably familiar with standard networking terminology like IP addresses, source and destination port numbers, TCP, UDP and ICMP, etc. By the end of the tutorial, you'll understand how Linux stateful firewalls are put together and you'll have several example configurations to use in your own projects.

About the author

For technical questions about the content of this tutorial, contact the author, Daniel Robbins, at drobbins@gentoo.org.

Residing in Albuquerque, New Mexico, Daniel Robbins is the President/CEO of Gentoo Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for the PC, and the Portage system, a next-generation ports system for Linux. He has also served as a contributing author for the Macmillan books Caldera OpenLinux Unleashed, SuSE Linux Unleashed, and Samba Unleashed. Daniel has been involved with computers in some fashion since the second grade, when he was first exposed to the Logo programming language as well as a potentially dangerous dose of Pac-Man. This probably explains why he has since served as a Lead Graphic Artist at SONY Electronic Publishing/Psygnosis. Daniel enjoys spending time with his wife, Mary, and his new baby daughter, Hadassah.
Section 2. First steps

Defining our goal

In this tutorial, we're going to put together a Linux stateful firewall. Our firewall is going to run on a Linux laptop, workstation, server, or router; its primary goal is to allow only certain types of network traffic to pass through. To increase security, we're going to configure the firewall to drop or reject traffic that we're not interested in, as well as traffic that could pose a security threat.

Getting the tools

Before we start designing a firewall, we need to do two things. First, we need to make sure that the "iptables" command is available. As root, type "iptables" and see if it exists. If it doesn't, then we'll need to get it installed first. Here's how: head over to http://netfilter.samba.org and grab the most recent version of iptables.tar.gz (currently iptables-1.1.2.tar.gz) you can find. Then, install it by typing in the following commands (output omitted for brevity):

# tar xzvf iptables-1.1.2.tar.gz
# cd iptables-1.1.2
# make
# make install

Kernel configuration, Part 1

Once installed, you should have an "iptables" command available for use, as well as the handy iptables man page ("man iptables"). Great; now all we need is to make sure that we have the necessary functionality built into the kernel. This tutorial assumes that you compile your own kernels. Head over to /usr/src/linux, and type "make menuconfig" or "make xconfig"; we're going to enable some kernel network functionality.

Kernel configuration, Part 2

Under the "Networking options" section, make sure that you enable at least the following options:

<*> Packet socket
[*] Network packet filtering (replaces ipchains)
<*> Unix domain sockets
[*] TCP/IP networking
[*] IP: advanced router
[*] IP: policy routing
[*] IP: use netfilter MARK value as routing key
[*] IP: fast network address translation
[*] IP: use TOS value as routing key

Then, under the "IP: Netfilter Configuration --->" menu, enable every option so that we'll have full netfilter functionality. We won't use all the netfilter features, but it's good to enable them so that you can do some experimentation later on.

Kernel configuration, Part 3

There's one networking option under the "Networking options" category that you shouldn't enable: explicit congestion notification. Leave this option disabled:

[ ] IP: TCP Explicit Congestion Notification support

If this option is enabled, your Linux machine won't be able to carry on network communications with 8% of the Internet. When ECN is enabled, some packets that your Linux box sends out will have the ECN bit set; however, this bit freaks out a number of Internet routers, so it's very important that ECN is disabled.

OK, now that the kernel's configured correctly for our needs, compile a new one, install it, and reboot. Time to start playing with netfilter :)

Firewall design basics

In putting together our firewall, the "iptables" command is our friend. It's what we use to interact with the network packet filtering rules in the kernel. We'll use the "iptables" command to create new rules, list existing rules, flush rules, and set default packet handling policies. This means that to create our firewall, we're going to enter a series of iptables commands, and here's the first one we're going to take a look at (please don't type this in just yet!)...

Firewall design basics, continued

# iptables -P INPUT DROP

You're looking at an almost "perfect" firewall. If you type in this command, you'll be incredibly well protected against any form of incoming malicious attack. That's because this command tells the kernel to drop all incoming network packets. While this firewall is extremely secure, it's a bit silly. But before moving on, let's take a look at exactly how this command does what it does.
Setting chain policy

An "iptables -P" command is used to set the default policy for a chain of packet filtering rules. In this example, iptables -P is used to set the default policy for the INPUT chain, a built-in chain of rules that's applied to every incoming packet. By setting the default policy to DROP, we tell the kernel that any packets that reach the end of the INPUT rule chain should be dropped (that is, discarded). And, since we haven't added any rules to the INPUT chain, all packets reach the end of the chain, and all packets are dropped.

Setting chain policy, continued

Again, by itself this command is totally useless. However, it demonstrates a good strategy for firewall design. We'll start by dropping all packets by default, and then gradually start opening up our firewall so that it meets our needs. This will ensure that our firewall is as secure as possible.
Section 3. Defining rules

A (small) improvement

In this example, let's assume that we're designing a firewall for a machine with two network interfaces, eth0 and eth1. The eth0 network card is connected to our LAN, while the eth1 network card is attached to our DSL router, our connection to the Internet. For such a situation, we could improve our "ultimate firewall" by adding one more line:

iptables -P INPUT DROP
iptables -A INPUT -i ! eth1 -j ACCEPT

This additional "iptables -A" line adds a new packet filtering rule to the end of our INPUT chain. After this rule is added, our INPUT chain consists of a single rule and a drop-by-default policy. Now, let's take a look at what our semi-complete firewall does.

Following the INPUT chain

When a packet comes in on any interface (lo, eth0, or eth1), the netfilter code directs it to the INPUT chain and checks to see if the packet matches the first rule. If it does, the packet is accepted, and no further processing is performed. If not, the INPUT chain's default policy is enforced, and the packet is discarded (dropped).

That's the conceptual overview. Specifically, our first rule matches all packets coming in from eth0 and lo, immediately allowing them in. Any packets coming in from eth1 are dropped. So, if we enable this firewall on our machine, it'll be able to interact with our LAN but be effectively disconnected from the Internet. Let's look at a couple of ways to enable Internet traffic.

Traditional firewalls, Part 1

Obviously, for our firewall to be useful, we need to selectively allow some incoming packets to reach our machine via the Internet. There are two approaches to opening up our firewall to the point where it is useful: one uses static rules, and the other uses dynamic, stateful rules.

Traditional firewalls, Part 2

Let's take downloading Web pages as an example. If we want our machine to be able to download Web pages from the Internet, we can add a static rule that will always be true for every incoming http packet, regardless of origin:

iptables -A INPUT --sport 80 -j ACCEPT
Since all standard Web traffic originates from a source port of 80, this rule effectively allows our machine to download Web pages. However, this traditional approach, while marginally acceptable, suffers from a bunch of problems.
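As an added example that is not part of the original tutorial, the following Python model walks packets through the INPUT chain the way the text describes: the first matching rule decides, and a packet that reaches the end of the chain gets the chain's default policy. It parses the exact iptables lines used above (including the negated "-i ! eth1" match); Python is used so the kernel's verdict can be modelled offline without root or a 2.4 kernel, and the sample packets are constructed, not captured traffic.

```python
# Model of netfilter INPUT-chain traversal: first match decides, else the policy.
import shlex

def parse_rule(cmd):
    """Parse 'iptables -P CHAIN TARGET' or 'iptables -A CHAIN <matches> -j TARGET'."""
    argv = shlex.split(cmd)
    if argv[1] == "-P":
        return {"kind": "policy", "chain": argv[2], "target": argv[3]}
    rule = {"kind": "rule", "chain": argv[2], "target": None, "match": {}}
    i = 3
    while i < len(argv):
        opt = argv[i]
        if opt == "-j":
            rule["target"] = argv[i + 1]
            i += 2
        elif opt in ("-i", "--sport"):
            negate = argv[i + 1] == "!"     # iptables 1.1 syntax: "-i ! eth1"
            value = argv[i + 2] if negate else argv[i + 1]
            rule["match"]["iface" if opt == "-i" else "sport"] = (negate, value)
            i += 3 if negate else 2
        else:
            raise ValueError("unsupported option: " + opt)
    return rule

def matches(rule, packet):
    # Every match must hold; a "!" match holds only when the value differs.
    for key, (negate, value) in rule["match"].items():
        if (str(packet.get(key)) == value) == negate:
            return False
    return True

def input_verdict(cmds, packet):
    policy = "ACCEPT"                       # built-in chains accept by default
    for rule in (parse_rule(c) for c in cmds):
        if rule["chain"] != "INPUT":
            continue
        if rule["kind"] == "policy":
            policy = rule["target"]
        elif matches(rule, packet):
            return rule["target"]           # first match wins; no further processing
    return policy                           # fell off the end of the chain

# The tutorial's rules: drop by default, trust LAN/lo, then the static port-80 rule.
FIREWALL = ["iptables -P INPUT DROP",
            "iptables -A INPUT -i ! eth1 -j ACCEPT",
            "iptables -A INPUT --sport 80 -j ACCEPT"]

# Constructed sample packets (interface, source port), not captured traffic.
LAN_PACKET = {"iface": "eth0", "sport": 5000}
WEB_REPLY = {"iface": "eth1", "sport": 80}
ODD_PORT_WEB = {"iface": "eth1", "sport": 8080}   # Web server not on port 80
```

With only the first two rules (the "small improvement" above) the reply from port 80 is dropped; with the static rule it is accepted, but a Web server listening on another port is still dropped, which is the limitation the text raises next.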
Traditional firewall bummers, Part 1

Here's a problem: while most Web traffic originates from port 80, some doesn't. So, while this rule would work most of the time, there would be rare instances where this rule wouldn't