Linux 2.4 stateful firewall design
Presented by developerWorks, your source for great tutorials
ibm.com/developerWorks
Table of Contents
If you're viewing this document online, you can click any of the topics below to link directly to that section.
1. About this tutorial (page 2)
2. First steps (page 3)
3. Defining rules (page 6)
4. Stateful firewalls (page 8)
5. Stateful improvements (page 12)
6. Stateful servers (page 17)
7. Building a better server firewall (page 20)
8. Resources (page 22)
Section 1. About this tutorial
Should I take this tutorial?
This tutorial shows you how to use netfilter to set up a powerful Linux stateful firewall. All you
need is an existing Linux system that's currently using a Linux 2.4 kernel. A laptop,
workstation, router or server with a Linux 2.4 kernel will do.
You should be reasonably familiar with standard network terminology like IP addresses,
source and destination port numbers, TCP, UDP and ICMP, etc. By the end of the tutorial,
you'll understand how Linux stateful firewalls are put together and you'll have several
example configurations to use in your own projects.
About the author
For technical questions about the content of this tutorial, contact the author, Daniel Robbins,
at drobbins@gentoo.org.
Residing in Albuquerque, New Mexico, Daniel Robbins is the President/CEO of Gentoo
Technologies, Inc., the creator of Gentoo Linux, an advanced Linux for the PC, and the
Portage system, a next-generation ports system for Linux. He has also served as a
contributing author for the Macmillan books Caldera OpenLinux Unleashed, SuSE Linux
Unleashed, and Samba Unleashed. Daniel has been involved with computers in some
fashion since the second grade, when he was first exposed to the Logo programming
language as well as a potentially dangerous dose of Pac Man. This probably explains why he
has since served as a Lead Graphic Artist at SONY Electronic Publishing/Psygnosis.
Daniel enjoys spending time with his wife, Mary, and his new baby daughter, Hadassah.
Section 2. First steps
Defining our goal
In this tutorial, we're going to put together a Linux stateful firewall. Our firewall is going to run
on a Linux laptop, workstation, server, or router; its primary goal is to allow only certain types
of network traffic to pass through. To increase security, we're going to configure the firewall
to drop or reject traffic that we're not interested in, as well as traffic that could pose a security
threat.
Getting the tools
Before we start designing a firewall, we need to do two things. First, we need to make sure
that the "iptables" command is available. As root, type "iptables" and see if it exists. If it
doesn't, then we'll need to get it installed first. Here's how: head over to
http://netfilter.samba.org and grab the most recent version of iptables.tar.gz (currently
iptables-1.1.2.tar.gz) you can find. Then, install it by typing in the following commands
(output omitted for brevity):
# tar xzvf iptables-1.1.2.tar.gz
# cd iptables-1.1.2
# make
# make install
Kernel configuration, Part 1
Once installed, you should have an "iptables" command available for use, as well as the
handy iptables man page ("man iptables"). Great; now all we need is to make sure that we
have the necessary functionality built into the kernel. This tutorial assumes that you compile
your own kernels. Head over to /usr/src/linux, and type "make menuconfig" or "make
xconfig"; we're going to enable some kernel network functionality.
Kernel configuration, Part 2
Under the "Networking options" section, make sure that you enable at least the following
options:
<*> Packet socket
[*] Network packet filtering (replaces ipchains)
<*> Unix domain sockets
[*] TCP/IP networking
[*] IP: advanced router
[*] IP: policy routing
[*] IP: use netfilter MARK value as routing key
[*] IP: fast network address translation
[*] IP: use TOS value as routing key
Then, under the "IP: Netfilter Configuration --- >" menu, enable every option so that
we'll have full netfilter functionality. We won't use all the netfilter features, but it's good to
enable them so that you can do some experimentation later on.
Kernel configuration, Part 3
There's one networking option under the "Networking options" category that you shouldn't
enable: explicit congestion notification. Leave this option disabled:
[ ] IP: TCP Explicit Congestion Notification support
If this option is enabled, your Linux machine won't be able to carry on network
communications with 8% of the Internet. When ECN is enabled, some packets that your
Linux box sends out will have the ECN bit set; however, this bit freaks out a number of
Internet routers, so it's very important that ECN is disabled.
OK, now that the kernel's configured correctly for our needs, compile a new one, install it,
and reboot. Time to start playing with netfilter :)
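Before compiling, it's worth checking the saved .config against the list above rather than trusting your memory of the menus. The following script is an added example and is not part of the tutorial: it reads a 2.4-style .config and reports every required option that is not built in (=y or =m) and flags ECN if it is turned on. The CONFIG_ symbol names are my mapping of the menu labels (an assumption; confirm each one against the Help text in menuconfig for your kernel). The two config fragments embedded in the script are constructed samples, not real .config files.

```shell
#!/bin/sh
# Added example, not from the tutorial: check a Linux 2.4 .config for the
# options this section asks for. CONFIG_ names below are my mapping of the
# menuconfig labels (assumption: verify against your kernel's Help text).

# "Networking options" entries that must be enabled (=y or =m).
REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_UNIX CONFIG_INET \
CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_IP_ROUTE_FWMARK \
CONFIG_IP_ROUTE_NAT CONFIG_IP_ROUTE_TOS"

# "IP: TCP Explicit Congestion Notification support" must stay off.
FORBIDDEN_OPTIONS="CONFIG_INET_ECN"

# config_enabled OPTION CONFIG_TEXT: true if the option is set to y or m.
# A disabled option appears as "# CONFIG_FOO is not set" and will not match.
config_enabled() {
    printf '%s\n' "$2" | grep -q "^${1}=[ym]\$"
}

# check_kernel_config CONFIG_TEXT: prints one line per problem found and
# returns the number of problems, so 0 means the config is acceptable.
check_kernel_config() {
    kc_problems=0
    for kc_opt in $REQUIRED_OPTIONS; do
        if ! config_enabled "$kc_opt" "$1"; then
            echo "missing: $kc_opt"
            kc_problems=$((kc_problems + 1))
        fi
    done
    for kc_opt in $FORBIDDEN_OPTIONS; do
        if config_enabled "$kc_opt" "$1"; then
            echo "must be disabled: $kc_opt"
            kc_problems=$((kc_problems + 1))
        fi
    done
    return "$kc_problems"
}

# Constructed sample .config fragments (not taken from a real system).
# GOOD_CONFIG matches the tutorial's requirements; BAD_CONFIG leaves
# netfilter off and ECN on.
GOOD_CONFIG='CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_TOS=y
# CONFIG_INET_ECN is not set'

BAD_CONFIG='CONFIG_PACKET=y
# CONFIG_NETFILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_INET_ECN=y'

# Usage: sh check-config.sh /usr/src/linux/.config
# Exit status is the number of problems, so it can gate a build script.
if [ $# -eq 1 ]; then
    check_kernel_config "$(cat "$1")"
fi
```

Run it against /usr/src/linux/.config after saving your menuconfig choices; an empty report and a zero exit status mean you can go ahead with the compile.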
Firewall design basics
In putting together our firewall, the "iptables" command is our friend. It's what we use to
interact with the network packet filtering rules in the kernel. We'll use the "iptables" command
to create new rules, list existing rules, flush rules, and set default packet handling policies.
This means that to create our firewall, we're going to enter a series of iptables commands,
and here's the first one we're going to take a look at (please don't type this in just yet!)...
Firewall design basics, continued
# iptables -P INPUT DROP
You're looking at an almost "perfect" firewall. If you type in this command, you'll be incredibly
well protected against any form of incoming malicious attack. That's because this command
tells the kernel to drop all incoming network packets. While this firewall is extremely secure,
it's a bit silly. But before moving on, let's take a look at exactly how this command does what
it does.
Setting chain policy
An "iptables -P" command is used to set the default policy for a chain of packet filtering
rules. In this example, iptables -P is used to set the default policy for the INPUT chain, a
built-in chain of rules that's applied to every incoming packet. By setting the default policy to
DROP, we tell the kernel that any packets that reach the end of the INPUT rule chain should
be dropped (that is, discarded). And, since we haven't added any rules to the INPUT chain,
all packets reach the end of the chain, and all packets are dropped.
Setting chain policy, continued
Again, by itself this command is totally useless. However, it demonstrates a good strategy for
firewall design. We'll start by dropping all packets by default, and then gradually start opening
up our firewall so that it meets our needs. This will ensure that our firewall is as secure as
possible.