Firewall configuration requirements are as follows:

1. Deny all incoming, outgoing and forwarded packets by default.
2. Allow all outgoing TCP connections, so that Web, telnet, SSH and FTP sessions can be opened from the inside.
3. Allow the return packets of those outgoing TCP connections back through the firewall; this requires checking connection state.
4. Allow outgoing UDP to port 53 on the designated DNS server, but only allow incoming DNS packets that are addressed to your internal name server.
5. Create rules that forward packets from one network interface to the other: packets from the internal network to the Internet are forwarded from the internal interface eth0 to the external interface eth1, and their return packets travel in the opposite direction.
6. Enable IP forwarding in the kernel.

Build a basic firewall

All commands are run as root. First enable IP forwarding and confirm that the kernel accepted it:

    sysctl -p                               # reloads /etc/sysctl.conf, which must contain net.ipv4.ip_forward = 1
    cat /proc/sys/net/ipv4/ip_forward       # confirm IP forwarding: the result must be 1

Clear every existing rule in the filter, mangle and nat tables:

    iptables -F                 # flush the rules of all chains in the filter table
    iptables -X                 # delete the custom chains in the filter table
    iptables -t mangle -F       # flush the rules of all chains in the mangle table
    iptables -t mangle -X       # delete the custom chains in the mangle table
    iptables -t nat -F          # flush the rules of all chains in the nat table
    iptables -t nat -X          # delete the custom chains in the nat table

Allow SSH to the firewall before changing the default policies to DROP, so that a remote session used to configure the firewall is not cut off:

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

These two rules allow all traffic on the loopback interface, i.e. traffic local to the firewall host:

    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT

New and established outgoing TCP connections leave through eth1. Because no source or destination address is given, the rule matches any address:

    iptables -A OUTPUT -o eth1 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

Accept all traffic arriving on the private network interface; on the external interface, accept only packets that belong to an existing connection:

    iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
    iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Forwarding from one interface to the other: the first rule forwards everything arriving from the internal network out through the external card eth1; the second forwards packets arriving on eth1 back to the intranet only if they belong to an existing connection:

    iptables -A FORWARD -i eth0 -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Finally the NAT rule. Packets leaving through eth1 are translated in the POSTROUTING chain of the nat table so that their source address becomes the address of eth1:

    modprobe iptable_nat        # load the NAT module
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.32.254

Backup and recovery

1. Back up the firewall settings (the file is also referred to as iptablesdefault.txt):

    iptables-save > iptablesrules.txt

2. Remove the firewall settings:

    iptables -F                 # flush all chains

3. Restore the firewall settings:

    iptables-restore < iptablesrules.txt

Enable firewall automation

    iptables-save > /etc/sysconfig/iptables     # saves the rules to /etc/sysconfig/iptables, from where they are loaded at boot
    /etc/init.d/iptables start|stop|restart     # controls the saved rule set

Consolidating the firewall with custom chains

Apart from checking TCP connection state, the basic rule set inspects very little. Custom chains extend the basic firewall and help manage the added complexity: a more detailed rule set can specify which TCP ports may be used and from which source addresses. Writing a specific rule for each kind of connection also narrows the set of ports an attacker can abuse.

The firewall configuration is as follows:

1. First enable forwarding, clear all rules, set the default policy of every chain to DROP and allow all traffic on the loopback interface, exactly as above. Then create two custom chains to handle packets arriving on the internal and external interfaces. SSH access to the firewall is kept open.

2. Create a PRIV chain to handle traffic from the private network. It accepts the return packets of existing connections, SSH packets entering the firewall, and DNS, FTP and HTTP packets destined for the Internet (telnet is added in step 7); the INPUT and OUTPUT chains then hand eth0 traffic to it:

    iptables -N PRIV
    iptables -A PRIV -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A PRIV -p tcp -s 192.168.1.0/24 -d 192.168.1.254 --dport 22 -j ACCEPT
    iptables -A PRIV -p udp -d 0/0 --dport 53 -j ACCEPT
    iptables -A PRIV -p tcp -d 0/0 --dport 21 -j ACCEPT
    iptables -A PRIV -p tcp -d 0/0 --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -j PRIV
    iptables -A OUTPUT -o eth0 -j PRIV

Note that forwarded packets traverse only the FORWARD chain, never INPUT or OUTPUT, so the port rules in PRIV (and in EXT below) constrain only traffic addressed to or sent by the firewall host itself; what the LAN may reach through the gateway is decided by the FORWARD rules in step 4.

3. Create an EXT chain to handle traffic from the DMZ (if one is used) and from the external network. It drops every packet whose source address belongs to the private network or to the DMZ: the former can only be a spoofed address, and policy does not allow traffic from the DMZ to enter the internal network. It accepts packets belonging to existing connections and packets addressed to the firewall's Internet-facing address. The INPUT and OUTPUT chains hand eth1 traffic to it:

    iptables -N EXT
    iptables -A EXT -s 192.168.32.0/24 -j DROP
    iptables -A EXT -s 192.168.1.0/24 -j DROP
    iptables -A EXT -s 0/0 -p tcp --dport 1024:65535 -j ACCEPT
    iptables -A EXT -s 0/0 -d 192.168.32.254 -j ACCEPT
    iptables -A INPUT -i eth1 -j EXT              # send traffic arriving on eth1 through EXT
    iptables -A OUTPUT -o eth1 -j EXT

Two caveats on this chain. Because EXT is also reached from OUTPUT -o eth1, the first DROP rule also matches the firewall's own packets leaving eth1 with source address 192.168.32.254; qualify the two DROP rules with -i eth1, or attach EXT to INPUT only. And the last two ACCEPT rules admit unsolicited TCP to every port above 1023 and, in fact, any packet at all addressed to 192.168.32.254, which leaves the external INPUT filter almost open; since the state module is already in use, the ESTABLISHED,RELATED rule alone admits the replies, and both ACCEPT rules can be removed.

4. Modify the FORWARD chain to create the gateway function: new and existing connections from the intranet interface are forwarded to the external interface, and only packets belonging to existing connections are forwarded back:

    iptables -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

5. Build the SNAT rule, which rewrites the source address of outgoing packets to 192.168.32.254. This step completes the gateway function of the firewall:

    modprobe iptable_nat
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.32.254

6. Configure the OUTPUT chain so that packets originating from services on the firewall itself can reach the private network and the Internet:

    iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -j ACCEPT
    iptables -A OUTPUT -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

7. Check the firewall rules, add any further rule (here outgoing telnet is added to the PRIV chain), then save the rule set:

    iptables -L -v                                  # -v also shows the network interfaces
    iptables -A PRIV -p tcp -d 0/0 --dport 23 -j ACCEPT
    iptables-save > custom.txt
    iptables-save > /etc/sysconfig/iptables         # or save to /etc/sysconfig/iptables directly so the rules load at boot
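Putting the custom-chain design together, here is a complete script written for this edit (it is not code from the original post) that installs the whole configuration in one go and can be dry-run. It keeps the PRIV and EXT chains for traffic to and from the firewall host, but puts the per-service rules for LAN-to-Internet traffic in a third chain hung off FORWARD, since forwarded packets never pass INPUT or OUTPUT; EXT is attached to INPUT only, so its anti-spoofing DROPs cannot discard the firewall's own outbound packets; the two open-ended EXT ACCEPT rules are replaced by connection tracking; and requirement 4 is implemented by limiting UDP/53 to a single resolver. The interface names, the firewall addresses 192.168.1.254 and 192.168.32.254, the chain name LAN2WAN, and the resolver address 198.51.100.53 (a documentation-range placeholder) are assumptions, as is the /etc/sysconfig/iptables save location taken from the article.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): the custom-chain
# firewall as a re-runnable script. Run with no argument to print the iptables
# commands it would issue; run "apply" as root to install them.
# Assumed topology: eth0 = LAN (192.168.1.0/24, firewall 192.168.1.254),
# eth1 = outside (firewall 192.168.32.254, same subnet as the DMZ 192.168.32.0/24).
# DNS_SERVER is a placeholder from the documentation range, not a real resolver.
set -eu

IPT=${IPT:-iptables}                  # IPT="echo iptables" gives a dry run
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.32.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.1.254}
FW_WAN_IP=${FW_WAN_IP:-192.168.32.254}
DNS_SERVER=${DNS_SERVER:-198.51.100.53}

# Requirement 6: turn on forwarding and confirm the kernel took it (returns 1 otherwise).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# NAT plus the FTP connection-tracking helper (needed for active-mode data channels).
load_modules() {
    modprobe iptable_nat
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# Start from nothing in every table so the script can be re-run safely.
flush_all() {
    for t in filter nat mangle raw; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

build_rules() {
    flush_all

    # Requirement 1: default deny everywhere; only the loopback is exempt.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # PRIV: LAN hosts talking to the firewall host itself: replies, plus new SSH.
    $IPT -N PRIV
    $IPT -A PRIV -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A PRIV -p tcp -s "$LAN_NET" -d "$FW_LAN_IP" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -j PRIV
    $IPT -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # EXT: packets from outside addressed to the firewall host. Our own prefixes can
    # only be spoofed here and the DMZ may not initiate, so drop them first; after
    # that only replies to connections the firewall opened are accepted. Attached to
    # INPUT only, so the DROPs never see the firewall's own outbound packets.
    $IPT -N EXT
    $IPT -A EXT -s "$LAN_NET" -j DROP
    $IPT -A EXT -s "$DMZ_NET" -j DROP
    $IPT -A EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -j EXT
    $IPT -A OUTPUT -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # LAN2WAN (requirements 2 to 5): forwarded traffic. The LAN may open FTP, SSH,
    # telnet and HTTP anywhere, and DNS only to DNS_SERVER; the outside may only answer.
    $IPT -N LAN2WAN
    $IPT -A LAN2WAN -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A LAN2WAN -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j LAN2WAN
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Let conntrack classify active-mode FTP data connections as RELATED (newer
    # kernels no longer attach the helper automatically).
    $IPT -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp

    # SNAT: LAN sources leave eth1 as the firewall's outside address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$FW_WAN_IP"
}

apply_firewall() {
    enable_forwarding || { echo "ip_forward is still 0, not installing rules" >&2; return 1; }
    load_modules
    build_rules
    iptables-save > /etc/sysconfig/iptables      # location the article uses; loaded at boot
}

case "${1:-print}" in
    apply) apply_firewall ;;
    *)     ( IPT="echo iptables"; build_rules ) ;;   # dry run: show the commands
esac
```

Run it without arguments first and read the printed rule list; only then run `sh fw.sh apply` as root, from the console or from a LAN host, since the PRIV chain is what keeps an SSH session to the firewall alive once the default policy is DROP.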