Linux Engineer Study Notes 14: Network Security

The role of the firewall: filtering the packets that pass between two networks.
[Diagram: Linux kernel Netfilter; an outbound DNS query to 102.168.0.22:53 is allowed]
But when the reply reaches the INPUT chain, no rule matches it, so it is refused. A host that is a DNS server and a DNS client at the same time therefore needs to add the following rules:
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
When a host is both server and client for one service, two pairs of rules are needed: one matching on the destination port and one matching on the source port.
The current rule set ignores the machine's own internal services: many local daemons listen on ports bound to 127.0.0.1, and clients reaching them over the loopback interface will be refused.
If 127.0.0.1 is not opened, the machine's internal services stop working normally; opening it on a server does no harm, so it is best to open it:
# iptables -A INPUT -s 127.0.0.1 -j ACCEPT
# iptables -A INPUT -d 127.0.0.1 -j ACCEPT
# service iptables save    (saves the rules so they survive a reboot)
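The rules above as one script, added here as an example and not part of the original notes. It emits the notes' port-based rule pairs for a host that is both DNS server and DNS client, a tighter variant that lets connection tracking admit only replies to queries this host actually sent (instead of trusting any packet whose source port happens to be 53), and the loopback rules. The address 192.168.0.22 for the upstream DNS server is a constructed sample value. By default the commands are only printed; set IPTABLES_CMD=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original notes: rule sets for a host that is
# both DNS server and DNS client, plus the loopback rules.
# Dry run by default: commands are printed. IPTABLES_CMD=iptables applies them.
IPTABLES_CMD=${IPTABLES_CMD:-"echo iptables"}
DNS_SERVER=${DNS_SERVER:-192.168.0.22}   # constructed sample upstream resolver

# Rules as the notes build them: one pair per role, matching on the
# destination port for the server role and the source port for the client role.
dns_rules_portbased() {
    # server role: queries arrive on udp/53, answers leave from udp/53
    $IPTABLES_CMD -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES_CMD -A OUTPUT -p udp --sport 53 -j ACCEPT
    # client role: queries leave for udp/53, answers come back from udp/53
    $IPTABLES_CMD -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPTABLES_CMD -A INPUT -p udp -s "$DNS_SERVER" --sport 53 -j ACCEPT
}

# Tighter variant: connection tracking admits only replies to traffic this
# host initiated, so no INPUT rule accepts packets merely for having sport 53.
dns_rules_stateful() {
    $IPTABLES_CMD -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES_CMD -A INPUT -p udp --dport 53 -j ACCEPT
    $IPTABLES_CMD -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES_CMD -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
}

# Loopback rules exactly as in the notes. Matching on the interface (-i lo)
# is the more usual form; the address match is kept to mirror the text.
loopback_rules() {
    $IPTABLES_CMD -A INPUT -s 127.0.0.1 -j ACCEPT
    $IPTABLES_CMD -A INPUT -d 127.0.0.1 -j ACCEPT
}

# Count the INPUT rules in a rule set that accept purely on source port,
# i.e. the weak match the stateful variant removes. Usage: count_sport_input_rules dns_rules_portbased
count_sport_input_rules() {
    "$@" | grep -c -- '-A INPUT .*--sport' || true
}

# Print (or apply) the stateful set together with the loopback rules.
dns_rules_stateful
loopback_rules
```

Run it once without IPTABLES_CMD set to review the rules, then compare the two variants with count_sport_input_rules before applying either.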

Packets passing through the FORWARD chain are not addressed to this machine but to other hosts, so when the machine acts as a router the FORWARD chain must be configured. Configuring it as a router, for example to allow LAN users to browse the Web, uses the same method as INPUT and OUTPUT.
# iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT    (allow the LAN to send packets)
# iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT    (allow the LAN to receive packets)
This is equivalent to opening the LAN and the Internet to each other so that any packet can pass; in practice it can be combined with port matches to restrict some packets, and the LOG target can be added to log the filtered packets. In fact, opening the FORWARD chain alone is not enough; forwarding must also be enabled in the kernel.
# echo 1 > /proc/sys/net/ipv4/ip_forward    (defaults to 0)
0 means forwarding is disabled, 1 means enabled. To enable it permanently, edit the configuration file /etc/sysctl.conf:
net.ipv4.ip_forward = 1
For Internet access this configuration is still not enough, because private addresses cannot reach the Internet directly. Here we do network address translation (NAT): with two networks, a LAN and the Internet, a packet from the LAN bound for the Internet has its source address replaced with the Internet address.
# iptables -t nat -L -n    (view the contents of the nat table)

Netfilter's NAT table:
Three chains are used for packet filtering.
Three chains are also used for address translation; of these, PREROUTING and POSTROUTING are the commonly used ones.

SNAT (source NAT)
Before a packet reaches the kernel's routing code it first passes through PREROUTING; then it is routed (ROUTING). If the packet is not addressed to this machine and kernel forwarding is enabled, it goes from routing through FORWARD and then POSTROUTING. If the packet is allowed through FORWARD, its source address can be replaced at POSTROUTING, and only at this point; this is a kernel mechanism, so the packet's source address changes only after POSTROUTING.

DNAT (destination address translation)
An incoming packet first enters PREROUTING. Then the kernel's routing decision, made according to the packet's destination address, determines whether it continues through the INPUT chain or the FORWARD chain. The packet's destination address is therefore very important, and it can be replaced in PREROUTING.

SNAT Application
The gateway has two network cards, connecting two hosts or two networks respectively.
# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 192.168.0.254
Packets with a source address in 10.0.0.0/24 have their source address replaced with 192.168.0.254. If this is an ADSL dial-up gateway, the whole LAN can be brought onto the Internet with:
# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
Some people will ask how the return packets find their way back. In fact, once the packet's source address has been translated to 192.168.0.254, the server 192.168.0.1 sends its reply to that address; the NAT machine recognizes the reply, automatically reverses the address translation, and returns the packet to 10.0.0.241. When the gateway is set up this way, adding SNAT on top of the filtering rules above gives a secure and powerful firewall and router at the same time.

DNAT Application
DNAT is generally used to build a DMZ, protecting the internal LAN.
For example, 192.168.0.1 is a Web server; host 10.0.0.241 accesses the gateway 10.0.0.254, and the gateway hands the request on to 192.168.0.1, thereby protecting the Web server.
# iptables -t nat -A PREROUTING -d 10.0.0.254 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1
Packets arriving at the gateway for port 80 have their destination address translated to 192.168.0.1, so packets originally addressed to the local machine are instead sent out through the FORWARD chain.
The internal Web server receives the request, replies to the gateway, and the gateway returns the reply to 10.0.0.241. This protects the internal hosts: the outside only ever sees that one gateway server. NAT therefore has very broad and powerful applications; more help and documentation can be found at www.netfilter.org
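The SNAT and DNAT sections above describe one gateway in pieces. The script below, added here as an example and not taken from the original notes, assembles it in the order the chains are traversed: forwarding check, SNAT in POSTROUTING, DNAT in PREROUTING, then a FORWARD chain that allows only the traffic meant to be forwarded and logs the rest before the DROP policy discards it. Addresses are the notes' own (LAN 10.0.0.0/24, gateway 10.0.0.254 inside and 192.168.0.254 outside, Web server 192.168.0.1); the interface names eth0 and eth1 are assumptions. The forwarding check takes file paths as parameters so it can be run against saved copies; the commands are printed unless IPTABLES_CMD=iptables is set and the script is run as root.

```shell
#!/bin/sh
# Added example, not from the original notes: the gateway of the SNAT and DNAT
# sections as one ordered script. Dry run by default (commands are printed);
# IPTABLES_CMD=iptables applies them. eth0/eth1 are assumed interface names.
IPTABLES_CMD=${IPTABLES_CMD:-"echo iptables"}
LAN=10.0.0.0/24
LAN_IF=eth1
WAN_IF=eth0
WAN_IP=192.168.0.254
GW_LAN_IP=10.0.0.254
WEB_SERVER=192.168.0.1

# Forwarding must be on in the kernel or the FORWARD chain never sees a packet.
# The proc file is a parameter so the check can be run against a saved copy.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Compare the running value with the persistent sysctl.conf setting:
# "echo 1 > /proc/sys/net/ipv4/ip_forward" alone does not survive a reboot.
forwarding_status() {
    proc=${1:-/proc/sys/net/ipv4/ip_forward}
    conf=${2:-/etc/sysctl.conf}
    if forwarding_enabled "$proc"; then run=on; else run=off; fi
    if grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf" 2>/dev/null; then
        persist=on
    else
        persist=off
    fi
    echo "runtime=$run persistent=$persist"
}

gateway_rules() {
    # nothing is forwarded unless a rule below allows it
    $IPTABLES_CMD -P FORWARD DROP
    # SNAT happens in POSTROUTING and nowhere else: LAN sources leaving on the
    # outside interface are rewritten to the gateway's outside address
    $IPTABLES_CMD -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j SNAT --to-source $WAN_IP
    # DNAT happens in PREROUTING, before the routing decision, so a request to
    # the gateway's own address on port 80 is routed (forwarded) to the Web server
    $IPTABLES_CMD -t nat -A PREROUTING -d $GW_LAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
    # FORWARD sees the packet after DNAT, so match on the translated destination;
    # replies in both directions come back through connection tracking
    $IPTABLES_CMD -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES_CMD -A FORWARD -i $LAN_IF -s $LAN -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
    # LAN clients may also resolve names and browse the Web directly
    $IPTABLES_CMD -A FORWARD -i $LAN_IF -s $LAN -p udp --dport 53 -j ACCEPT
    $IPTABLES_CMD -A FORWARD -i $LAN_IF -s $LAN -p tcp --dport 80 -j ACCEPT
    # anything reaching the end of the chain is logged before the policy drops it
    $IPTABLES_CMD -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# MASQUERADE variant for a gateway whose outside address changes (ADSL dial-up)
masquerade_rule() {
    $IPTABLES_CMD -t nat -A POSTROUTING -s $LAN -o $WAN_IF -j MASQUERADE
}

forwarding_status
gateway_rules
```

Note that the FORWARD rules match the destination 192.168.0.1, not the gateway's 10.0.0.254: by the time a DNATed packet reaches FORWARD its destination has already been rewritten, which is the ordering the DNAT section describes.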

To patch software, first import the GPG public key to be used, then verify the validity of the patch file.
# bzcat 9.3.0-patch | patch -p0
Generally you need to look inside the patch for the directory names it references and then rename the software's source directory to match.
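The directory check in the last sentence can be done mechanically. The script below is an added example, not from the original notes: it reads the `---`/`+++` headers of a unified diff, lists the top-level directories the patch expects, and reports whether the unpacked source directory needs renaming (or a different -p level); it also shows the verify-then-apply sequence with a dry run before any file is touched. SAMPLE_PATCH is a constructed diff and the key, patch and signature file names passed to apply_patch are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: inspect a patch before applying
# it. SAMPLE_PATCH is a constructed unified diff; file names in apply_patch
# are placeholders.
SAMPLE_PATCH='--- example-9.3.0/lib/resolver.c 2005-01-01 00:00:00
+++ example-9.3.0/lib/resolver.c 2005-02-01 00:00:00
@@ -1,2 +1,2 @@
-old line
+new line
 context
--- example-9.3.0/lib/message.c 2005-01-01 00:00:00
+++ example-9.3.0/lib/message.c 2005-02-01 00:00:00
@@ -1,1 +1,1 @@
-old
+new'

# List each distinct top-level directory named in the ---/+++ headers of the
# patch on stdin. The timestamp after the path is dropped; /dev/null (file
# creation or deletion) is skipped; a bare file name counts as ".".
# A removed content line that itself begins with "--- " would be a false
# match, which is rare in unified diffs.
patch_top_dirs() {
    grep -E '^(\+\+\+|---) ' \
      | awk '{ p = $2
               if (p == "/dev/null") next
               if (index(p, "/")) { split(p, a, "/"); print a[1] } else print "." }' \
      | sort -u
}

# $1 = name of the unpacked source directory; patch on stdin.
# Says whether the tree matches what the patch expects with patch -p0.
check_source_dir() {
    want=$(patch_top_dirs | head -n1)
    if [ "$want" = "$1" ]; then
        echo "ok: patch expects $want"
    else
        echo "rename $1 to $want (or run patch -p1 from inside $1)"
    fi
}

# $1 = signer's public key file, $2 = bzip2-compressed patch,
# $3 = detached signature (all placeholders). Import the key, refuse to go on
# unless the signature verifies, dry-run the patch, and only then modify files.
# Check the imported key's fingerprint against one obtained out of band before
# trusting what --verify reports.
apply_patch() {
    gpg --import "$1" || return 1
    gpg --verify "$3" "$2" || return 1
    bzcat "$2" | patch -p0 --dry-run || return 1
    bzcat "$2" | patch -p0
}

# Usage: pipe any patch in; here the constructed sample is checked against
# a source tree called "example".
printf '%s\n' "$SAMPLE_PATCH" | check_source_dir example
```

For a compressed patch, pipe `bzcat 9.3.0-patch | patch_top_dirs` instead of the sample.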
