High-performance LINUX dual-effect firewall HOWTO

Source: Internet
Author: User

Packet filtering and web proxying are both covered: iptables implements the packet filtering, and on Linux the well-known squid together with NAT implements a transparent web proxy. Squid's own performance already leads among proxy servers; this setup pushes it further by placing the squid web page cache in memory on a ramdisk. After the first retrieval from the network, every later visit to a page is served from memory! The following describes how to do this on Red Hat 7.2.

(1) Select a relatively stable computer with two NICs, 256 MB or more of memory, and a 10 GB hard disk. (Note: the first NIC is connected to the intranet, the second NIC to the Internet.)
(2) Install Red Hat 7.2, selecting the server installation type and automatic partitioning.
(3) After about 10-15 minutes the system is installed. Restart, log in, and configure the system as follows.

1. Enable packet forwarding

Edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then save. This allows the Linux kernel to forward IP packets, that is, to pass packets arriving on one network interface out through another. Only then can the system act as a packet filtering firewall.

2. Activate RamDisk

Modify /etc/grub.conf:

#boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
        root (hd0,0)
        kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=268435
        initrd /initrd-2.4.7-10.img

Here, ramdisk=268435 is the entry we add. It tells the kernel that the default ramdisk size is 268435 K, that is, 256 M. Note that you cannot write 256M directly; the system will not understand it, so you must express it in K! (I spent several months finding this out!) After a restart the system automatically creates a 256 M virtual disk. Of course you need to set this value according to your memory size. If you do not run X Windows, setting it to half of your total memory is fine, because the Linux system itself does not need a lot of memory.

3. Set squid Parameters

Edit /etc/squid.conf and add the following entries at the end:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all
cache_dir ufs /squid 256 16 256

The first four parameters enable squid to act as a transparent proxy. "http_access allow all" allows all client machines to use the proxy. We particularly want to emphasize the last line, "cache_dir ufs /squid 256 16 256":

The default cache_dir of squid is /var/spool/squid. Because we want squid to cache content in memory, we first change it to /squid; next, the ramdisk must be mounted on the /squid directory.
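The entries above let every client use the proxy. As an added example, not taken from the original page, the following shell script renders the same squid.conf additions but with client access restricted to the intranet, and includes a small check that flags an unrestricted "allow all". It assumes the intranet range 10.27.0.0/16 used elsewhere on the page and the /squid ramdisk cache; both are variables you can override.

```shell
#!/bin/sh
# Added example (not the page's own configuration): squid.conf additions for the
# transparent proxy, with access limited to intranet clients.
# Assumed values: LAN_NET is the page's 10.27.0.0/16, CACHE_DIR the /squid ramdisk.

LAN_NET=${LAN_NET:-10.27.0.0/16}
CACHE_DIR=${CACHE_DIR:-/squid}

# Print the transparent-proxy settings from the page, but with an ACL so that
# only intranet clients may use the proxy. Squid evaluates http_access lines in
# order and the first match wins, so "deny all" must come last.
squid_conf_fragment() {
    cat <<EOF
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl localnet src $LAN_NET
http_access allow localnet
http_access deny all
cache_dir ufs $CACHE_DIR 256 16 256
EOF
}

# Read a squid.conf text on stdin: return 0 when no unrestricted
# "http_access allow all" line is present, 1 when one still is.
check_http_access() {
    if grep -q '^http_access[[:space:]][[:space:]]*allow[[:space:]][[:space:]]*all' ; then
        return 1
    fi
    return 0
}

# Usage on the firewall box (as root):
#   squid_conf_fragment >> /etc/squid.conf
#   check_http_access < /etc/squid.conf || echo "proxy is still open to everyone"
```

Squid reads the access rules top to bottom, so the order "allow localnet" then "deny all" is what limits the proxy to the internal network; reversing the two lines would block everyone.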

4. Create the ramdisk. Run the following commands:

1) Create the directory /squid: mkdir /squid
2) Create a file system on the ramdisk: mkfs /dev/ramdisk
3) Mount the ramdisk on the /squid directory: mount /dev/ramdisk /squid

Since ramdisk disappears after each restart, we can create a batch command to automatically load ramdisk during system startup:

mkfs /dev/ramdisk
mount /dev/ramdisk /squid

Write these two commands to a file; here we use myautoexec.bat as the file name. For convenience, create the /admin directory, save myautoexec.bat in /admin, and make it executable: chmod +x /admin/myautoexec.bat

However, the system will not call it at startup by itself, so one more thing is needed: edit /etc/rc.local and insert a line at the end of the file: /admin/myautoexec.bat. The system will then call myautoexec.bat automatically at boot.

5. Initialize squid.

Do you still remember the parameter "cache_dir ufs /squid 256 16 256"? Initialization means that squid creates the specified number of level-1 directories in the cache_dir (here 16), and then 256 level-2 directories inside each level-1 directory. The command is "squid -z". However, if you enter the command now, an error is reported: the owner of /squid is root, and squid has no permission to write to a root-owned directory, so you must first give the /squid directory to the squid user with "chown squid.squid /squid". Run "squid -z" again; it completes in less than a second. If this were done on disk rather than on a ramdisk it would usually take dozens of seconds.

Likewise, the two commands

chown squid.squid /squid
squid -z

must be written into myautoexec.bat, with a final "squid" added at the end to start the squid service process. With that, the squid setup is complete.
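Steps 4 and 5 together form the boot script. As an added example, not the page's own myautoexec.bat, here is a version of that script that checks the system state before acting: it does not re-run mkfs on a ramdisk that is already mounted (which would wipe the cache), it skips squid -z when the cache directories already exist, and it aborts if mkfs or mount fails rather than starting squid on an empty /squid. The device /dev/ramdisk, the directory /squid and the user squid are the page's values; the "start" argument guard is an assumption of this example so that the helper functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not the page's own myautoexec.bat): a boot script for the
# ramdisk-backed squid cache that is safe to run more than once.
# Assumed: /dev/ramdisk, /squid and the "squid" user, as on the page.

CACHE_DEV=${CACHE_DEV:-/dev/ramdisk}
CACHE_DIR=${CACHE_DIR:-/squid}
CACHE_USER=${CACHE_USER:-squid}

# is_mounted DIR MOUNTS: succeed if DIR is a mount point in MOUNTS, a text in
# /proc/mounts format (device mountpoint fstype options dump pass).
is_mounted() {
    printf '%s\n' "$2" | awk -v d="$1" '$2 == d { found = 1 } END { exit !found }'
}

# cache_initialized DIR: succeed if "squid -z" has already built the level-1
# directories; with "cache_dir ufs ... 16 256" the first one is always "00".
cache_initialized() {
    [ -d "$1/00" ]
}

prepare_cache() {
    mounts=$(cat /proc/mounts)
    if is_mounted "$CACHE_DIR" "$mounts"; then
        echo "$CACHE_DIR already mounted, keeping its contents"
    else
        mkdir -p "$CACHE_DIR"
        # mkfs wipes the ramdisk, so it runs only when nothing is mounted there
        mkfs "$CACHE_DEV" || { echo "mkfs $CACHE_DEV failed" >&2; exit 1; }
        mount "$CACHE_DEV" "$CACHE_DIR" || { echo "mount $CACHE_DIR failed" >&2; exit 1; }
    fi
    # the cache must belong to the squid user, otherwise "squid -z" is refused
    chown "$CACHE_USER:$CACHE_USER" "$CACHE_DIR"
    if cache_initialized "$CACHE_DIR"; then
        echo "cache directories already present"
    else
        squid -z
    fi
}

# Only do the real work when started with "start" (assumed convention of this
# example), so the functions above can also be tested without root privileges.
if [ "${1:-}" = "start" ]; then
    prepare_cache
    squid              # start the cache server
    /admin/myfirewall  # load the NAT and firewall rules from the page
fi
```

Call it from /etc/rc.local as "/admin/myautoexec.bat start". Because the ramdisk is empty after every reboot, the mkfs branch is the normal path at boot; the "already mounted" branch only matters when the script is run again by hand.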

6. Set NAT and firewall rules.

For convenience, create the file /admin/myfirewall and write the rules into it:

# ------ initialization
iptables -F
iptables -t nat -F
modprobe ip_tables
modprobe iptable_nat
modprobe ipt_state
# ------ initialization ends

# ------ start NAT: the internal network (set to 10.27.0.0/16) is masqueraded so it can reach the Internet
iptables -t nat -A POSTROUTING -o eth1 -s 10.3.37.0/24 -j MASQUERADE
# ------ end NAT

# ------ port redirection: all requests sent from the intranet to port 80 on the Internet are redirected
# to port 3128 for squid to handle. This is the key to the transparent proxy
iptables -t nat -A PREROUTING -i eth0 -d ! 10.27.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# ------ end port redirection

# ------ firewall rules: set these according to your requirements
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p icmp -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/0 -p tcp --dport ! 80 -j DROP
# The two rules above discard all ping packets from the Internet and discard all requests from the
# Internet that are not to port 80: pinging the intranet from the Internet is not allowed, and the
# Internet may only reach the HTTP service. The complete firewall rule set should be drawn up according
# to your network security requirements; this is for reference only.

Note: lines starting with # are comments and do not need to be written into the file. Save the rules as /admin/myfirewall and make the file executable with "chmod +x /admin/myfirewall". Then edit /admin/myautoexec.bat and add "/admin/myfirewall" as its last line.

At this point our high-performance firewall is fully configured. After a reboot it is ready to work.
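The rule set above leaves the INPUT and FORWARD chains with their default ACCEPT policy, filters only TCP and ICMP on eth1, and loads ipt_state without using it. As an added example, not the page's /admin/myfirewall, the following script keeps the page's NAT and transparent-proxy rules but starts from DROP policies and lets established connections back in with the state module. It keeps the rules as plain lines produced by a function, so the set can be reviewed (or tested) without touching the running kernel, and it aborts on the first failing rule instead of leaving the box half-configured. The interface names eth0/eth1, the intranet 10.27.0.0/16 and squid port 3128 are the page's values; the "apply" argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's /admin/myfirewall): the page's NAT and transparent
# proxy rules with default DROP policies and stateful filtering.
# Assumed: eth0 = intranet (LAN_NET), eth1 = Internet, squid on port 3128 as on the page.

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.27.0.0/16}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit one iptables invocation per line. Keeping the rules as data means the
# set can be printed and reviewed before it is applied.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d ! $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}
# Notes on the lines above:
# - INPUT from the intranet is accepted, which also covers the redirected port $SQUID_PORT.
# - The WAN port-80 line mirrors the page's rule that only HTTP may reach the firewall
#   from the Internet; remove it if no web server runs on the firewall itself.
# - Everything else from the Internet (any protocol, not only TCP/ICMP) is dropped by policy.

# rule_count PATTERN: how many emitted rules contain PATTERN (for review or tests)
rule_count() {
    firewall_rules | grep -c -- "$1"
}

# apply_rules: load the modules the page uses, then run every rule in order;
# stop at the first failure so a typo cannot leave the box half-configured.
apply_rules() {
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ipt_state
    firewall_rules | while IFS= read -r rule; do
        $rule || { echo "failed: $rule" >&2; exit 1; }
    done || exit 1
}

# Usage (as root): sh myfirewall apply     Preview only: sh myfirewall
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    firewall_rules
fi
```

Run without arguments the script only prints the rules, which is a convenient way to review the set before "apply" loads it; the flush lines at the top mean it can be re-run after editing without accumulating duplicate rules.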
