Building a Linux firewall with ipchains



Although Linux has many advantages and its security is good, do not let that lull you into a false sense of security: a Linux system can still be damaged. This article shows how to use ipchains (IP chains) to build a Linux firewall that protects your system.

It assumes you already have some basic knowledge of the Internet; being familiar with terms such as IP address, TCP port and how data travels over the network will help. A general understanding of firewalls is also necessary.

■ Commands:

Because we need to build a series of rules, each rule is entered with the ipchains command and sits on the network path. Each rule is placed in one of three chains: the input chain, which holds the rules for incoming packets; the output chain, for outgoing packets; and the forward chain, for packets passed through the machine.

Every rule starts with ipchains, followed by some or all of the options below. Append, Delete, Insert and Replace come right after the ipchains command and tell the program which chain the rule goes into and how it is added. They are written -A, -D, -I or -R, followed by the name of the chain (input, output or forward).

With Insert you must also give, after the chain name, the line number of the position at which the rule is to be placed.

With Replace you give the line number of the rule to be replaced, and with Delete you must give the line number of the rule to be deleted.

With Delete you need not retype the rest of the rule after the line number. Typing ipchains -L lists the rules of each chain in order, so you can work out a rule's line number.

■ Protocol:

Each rule specifies the protocol it applies to. In most cases that is TCP/IP.

You may also not want your computer to answer pings sent by another computer. To do that you specify ICMP (Internet Control Message Protocol). The protocol is given with the -p option, for example: -p icmp.

■ Source:

The source is the IP address (and optionally the port) a packet comes from, given with the -s option. If you know the IP address you can use it directly, or you can simply give a host name (such as www.ccidnet.com). To match any address, use 0.0.0.0/0.

A port can be given after the IP address as a number (e.g. 110) or as a service name (pop3). Two port numbers separated by a colon specify a range of ports. For example:

-s mail.mailserver.com pop3

-s 127.0.0.1 139:164

■ Destination:

The destination works the same way as the source: the -d option takes a destination address and, optionally, a port.

■ Jump:

The last option to understand is -j. It tells the firewall what to do when a packet matches the rule; in most cases that is ACCEPT or DENY. For example, if you want to reject packets that match the rule, the firewall jumps to DENY. A packet that does not match a rule moves on to the next rule, and a packet that matches no rule at all is, by default, rejected.

There are other options and commands that work with ipchains. To learn more, type ipchains -h at the command line.

Building the firewall

The core of building a Linux firewall is to let the traffic you want reach your server while keeping other hosts away from your system. Here is some advice.

First, set up all the DENY rules of your firewall with the -l option. Then, whenever a rule blocks a packet, a line is written to the kernel log (under /var/log). You can read this file to understand why a packet was blocked: each entry records the action taken, the chain and rule that caused it, the source address and port and the destination address and port, so you can use this information to tune the firewall. Once the rules behave the way you want, the -l option is no longer needed.
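To show what the log entries written by -l look like and how to read them, here is an added example (not from the original article): a shell function that summarizes the denied packets in the kernel log by chain, rule number and destination service, and counts the distinct sources for each. The sample lines are constructed in the 2.2-series kernel's "Packet log:" format; the addresses, interface, ids and rule numbers are made up.

```shell
#!/bin/sh
# Added example, not from the original article: summarize the "Packet log:"
# lines that the -l flag makes the kernel write, grouped by chain, rule number
# and destination service, so you can see which rule blocked what and how often.
# Usage: summarize_denied < /var/log/messages   (path is an assumption; use the
# file your syslog writes kernel messages to)

# Constructed sample log lines (addresses, interface, ids, rule numbers made up).
# Format: chain target iface PROTO=n src:port dst:port L= S= I= F= T= [SYN] (#rule)
SAMPLE_LOG='Jan  1 00:00:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4021 192.0.2.10:23 L=60 S=0x00 I=40001 F=0x4000 T=64 SYN (#1)
Jan  1 00:00:02 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4022 192.0.2.10:23 L=60 S=0x00 I=40002 F=0x4000 T=64 SYN (#1)
Jan  1 00:00:03 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3344 192.0.2.10:23 L=60 S=0x00 I=40003 F=0x4000 T=64 SYN (#1)
Jan  1 00:00:04 host kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.7:8 192.0.2.10:0 L=84 S=0x00 I=40004 F=0x0000 T=64 (#2)
Jan  1 00:00:05 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.25:110 192.0.2.10:1030 L=52 S=0x00 I=40005 F=0x4000 T=64 (#3)
Jan  1 00:00:06 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.26:25 192.0.2.10:1031 L=52 S=0x00 I=40006 F=0x4000 T=64 (#7)'

# Prints one line per (chain, rule, service): "<count> <chain> #<rule> <service> <distinct sources>"
summarize_denied() {
  awk '
    BEGIN { pn["1"] = "icmp"; pn["6"] = "tcp"; pn["17"] = "udp" }
    /Packet log:/ {
      # locate the "log:" token so the length of the syslog prefix does not matter
      for (i = 1; i <= NF; i++) if ($i == "log:") break
      chain = $(i+1); target = $(i+2); proto = $(i+4); src = $(i+5); dst = $(i+6)
      if (target != "DENY" && target != "REJECT") next     # only blocked packets
      sub(/^PROTO=/, "", proto)
      split(src, s, ":"); split(dst, d, ":")
      rule = $NF; gsub(/[(#)]/, "", rule)                   # "(#7)" -> "7"
      name = (proto in pn) ? pn[proto] : proto
      # for ICMP the "port" fields carry type:code, so report the type instead
      svc = (proto == "1") ? "icmp-type-" s[2] : name "/" d[2]
      key = chain " #" rule " " svc
      count[key]++
      if (!((key, s[1]) in seen)) { seen[key, s[1]] = 1; nsrc[key]++ }
    }
    END { for (k in count) print count[k], k, nsrc[k] }
  ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

On the sample above the first line of output is "3 input #1 tcp/23 2": rule 1 (the SYN rule) dropped three telnet connection attempts from two different hosts. The "#7" entry shows a reply from a mail server's port 25 being dropped by the smtp DENY rule, which is exactly the case the ACCEPT exceptions later in the article exist for.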

Second, the firewall can block all incoming SYN packets. SYN packets are used to open a connection, and on most desktop systems none should arrive unsolicited. Use the -y option:

ipchains -I input 1 -p tcp -y -j DENY

You can also block ICMP packets with the following command:

ipchains -I input 2 -p icmp -j DENY

With these two rules in place, the system will not simply accept such packets. Next, block some commonly used server ports such as ftp, telnet, smtp, pop3 and nntp:

ipchains -A input -p tcp -s 0.0.0.0/0 ftp -j DENY

ipchains -A input -p tcp -s 0.0.0.0/0 telnet -j DENY

ipchains -A input -p tcp -s 0.0.0.0/0 smtp -j DENY

ipchains -A input -p tcp -s 0.0.0.0/0 pop3 -j DENY

ipchains -A input -p tcp -s 0.0.0.0/0 nntp -j DENY

If this gives you trouble connecting to your mail server, insert a rule before the smtp and pop3 DENY rules so that those connections are excepted from the DENY. Keep the exception as specific as possible, because it punches a hole in the DENY rules; in general, explicitly naming an IP address is good practice:

ipchains -I input 3 -l -p tcp -s mail.mailserver.com pop3 -j ACCEPT

ipchains -I input 4 -l -p tcp -s mail.mailserver.com smtp -j ACCEPT

Replace "mail.mailserver.com" with the address of your own mail server; you can do the same for a news server or for any FTP site you have difficulty connecting to.

Although these rules are basic, they go a long way towards a safe and effective firewall. You can check the safety and effectiveness of the firewall at sites such as Gibson Research Center (http://www.grc.com) and DSL Reports (http://www.secure-me.net/); both offer free port scans over the Internet. Once you have a set of rules you find useful, save them to a file with the ipchains-save command.

You can then use the saved rules file when the system restarts. Typing ipchains-save > /etc/ipchains.rules saves the firewall settings; to restore them after a reboot, type ipchains-restore < /etc/ipchains.rules. The Linux system does not save these settings automatically when it is powered down or restarted.
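The whole procedure above, from the SYN and ICMP rules through the port DENY rules, the inserted mail-server exceptions and the save with ipchains-save, as one script. This is an added example and not code from the original article. Its preview mode replays the -A, -I, -D and -R commands described in the Commands section against an in-memory copy of the input chain and prints the final numbered chain, so the rule order can be checked before anything is applied. The mail server name mail.mailserver.com (taken from the article) and the file /etc/ipchains.rules are assumed defaults to override in the environment; -l is left on every rule so that the kernel logs what it blocks, as recommended above.

```shell
#!/bin/sh
# Added example, not part of the original article: builds the article's
# ipchains ruleset in the prescribed order, previews the resulting input chain
# by replaying -A/-I/-D/-R against an in-memory list, and saves the applied
# rules with ipchains-save. MAIL_SERVER and RULES_FILE are assumed defaults;
# override them in the environment. Applying requires root and a 2.2-series
# kernel with ipchains support.
IPCHAINS=${IPCHAINS:-ipchains}
MAIL_SERVER=${MAIL_SERVER:-mail.mailserver.com}
RULES_FILE=${RULES_FILE:-/etc/ipchains.rules}

# One ipchains argument list per line, in the order the article applies them.
# -l is on every rule for now so the kernel logs what it blocks; drop it once
# the ruleset is tuned. The -s rules match the remote side's *source* port, so
# they also stop replies from any ftp/telnet/smtp/pop3/nntp server; the two -I
# ACCEPT rules at positions 3 and 4 punch a hole for one named mail server.
ruleset() {
  cat <<EOF
-I input 1 -l -p tcp -y -j DENY
-I input 2 -l -p icmp -j DENY
-A input -l -p tcp -s 0.0.0.0/0 ftp -j DENY
-A input -l -p tcp -s 0.0.0.0/0 telnet -j DENY
-A input -l -p tcp -s 0.0.0.0/0 smtp -j DENY
-A input -l -p tcp -s 0.0.0.0/0 pop3 -j DENY
-A input -l -p tcp -s 0.0.0.0/0 nntp -j DENY
-I input 3 -l -p tcp -s $MAIL_SERVER pop3 -j ACCEPT
-I input 4 -l -p tcp -s $MAIL_SERVER smtp -j ACCEPT
EOF
}

# Dry run: replay the commands against an in-memory copy of the input chain
# and print the final, numbered chain. First match wins, so the order shown
# here is the order the kernel will test packets in. Packets matching no rule
# get the chain policy (ACCEPT unless changed with "ipchains -P input DENY").
preview_chain() {
  awk '
    function body(line) { sub(/^-[AIR] input( [0-9]+)? /, "", line); return line }
    $1 == "-A" { rule[++n] = body($0); next }
    $1 == "-I" { p = $3 + 0; for (k = n; k >= p; k--) rule[k+1] = rule[k]; rule[p] = body($0); n++; next }
    $1 == "-R" { rule[$3 + 0] = body($0); next }
    $1 == "-D" { p = $3 + 0; for (k = p; k < n; k++) rule[k] = rule[k+1]; delete rule[n--]; next }
    END { for (k = 1; k <= n; k++) print k, rule[k] }
  '
}

# Apply for real: flush the input chain first so that re-running is idempotent.
apply_rules() {
  "$IPCHAINS" -F input || return 1
  ruleset | while read -r args; do
    # word splitting of $args is intended: it is a list of ipchains flags
    "$IPCHAINS" $args || exit 1   # leaves the pipeline subshell with status 1
  done
}

# ipchains-save writes the live rules to stdout; keep them for ipchains-restore
# at boot, since the kernel forgets them on reboot.
save_rules() {
  ipchains-save > "$RULES_FILE"
}

case "${1:-preview}" in
  preview) ruleset | preview_chain ;;
  apply)   apply_rules && save_rules ;;
  *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Run the script with no argument to see the resulting chain: the two ACCEPT rules land at positions 3 and 4, ahead of the five DENY rules they were inserted in front of, which is why the article inserts them rather than appending. With the argument apply the script flushes the input chain, applies the rules in that order and writes them to the rules file for ipchains-restore to load at boot.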