
The Design And Implementation Of Firewall Based On Linux

Posted on: 2017-03-27
Degree: Master
Type: Thesis
Country: China
Candidate: L J Xia
Full Text: PDF
GTID: 2348330515464061
Subject: Information and Communication Engineering
Abstract/Summary:
The development of the Internet has brought us a convenient and efficient life, but it has also been accompanied by a variety of network security issues. In recent years, network security incidents have continued to erupt, such as the 12306 leaks and the Prism event. These security issues warn us that we should not ignore the importance of network security. The firewall, as a major way to prevent network attacks, is often used to prevent illegal connections and to segment the internal network from unsafe networks. The Linux packet filtering firewall filters packets based on iptables chain rules, and these rules embody the security policy of the server. The defense capability of a Linux firewall is directly affected by the quality of its filtering rules. Linux provides a firewall framework, Netfilter, and iptables can be used to realize the firewall function on top of the Netfilter framework. Iptables also provides powerful logging functions that record a variety of information, so that we can detect network attacks from the log information, improve our iptables rules according to the log, and configure a more secure Linux firewall. Based on the demand for a personal computer firewall, we design and implement a stateful inspection packet filtering firewall based on the Linux operating system using the Netfilter/iptables tool, and finally verify the safety and efficacy of the firewall using SSH Secure Shell and other testing tools and methods.

Specific research contents and results are as follows:

Based on the netfilter/iptables firewall system, we achieve the state detection function for packets of common protocols through the IP filtering system. Compared with a common packet filtering firewall, the state detection function reduces waste of resources and delay. Because a common packet filtering firewall needs to examine each packet header, state detection can greatly reduce the additional overhead of a firewall built into Linux.

In connection with the demands of Linux hosts, we analyze the principles and methods of DDoS attacks. By analyzing and adjusting each file of the /proc directory on the Linux host, and by using the netfilter/iptables IP packet filter system, we add appropriate rule chains for users, designing and implementing a DDoS module against SYN flood, ping flood and port scan attacks. Finally, testing shows that the firewall can resist most DDoS attacks and has little impact on the performance of Linux hosts.
Keywords/Search Tags:Firewall, State Inspection, DDoS, Filtering rules