Linux-based Router and firewall configuration


Author: He liqiang

With the increasing popularity of Internet applications, the free network operating system Linux has attracted more and more network enthusiasts. With a simple installation, one obtains the many network services Linux provides, such as domain name service, e-mail service and anonymous FTP service, as well as the X Window System of a graphics workstation. It can be said that Linux already has all the functions of a network server. Here I would like to discuss Linux in another role: connecting a Linux machine as a router between two different network segments and configuring a firewall on it, to achieve network access control and traffic statistics.

To give a Linux PC the function of a router, the hardware must be configured first. A PC named "router" has a Linux system installed and two NICs; each NIC is connected to a different network segment, and the router forwards IP packets between the two segments. To prevent the two NICs from conflicting with each other, the NIC driver must assign them different interrupt values. In practice, I set the interrupts and I/O addresses to 3, 0x300 and 4, 0x320 respectively.

After the hardware configuration is complete, the software must be configured. In a normal installation the Linux kernel does not have the router function, so the kernel must be reconfigured and rebuilt. For Slackware Linux, the kernel reconfiguration process is as follows:

1. # cd /usr/src/linux

/* Enter the Linux source code directory */

2. # make config

/* Configure the compilation options */

In this step, the system offers a series of compilation options that you choose according to your actual situation. For options you are unsure about, you can accept the system default. The following prompts appear in the networking part of the configuration:

Network firewalls [Y/n]?

/* Does the kernel support a firewall */

......

TCP/IP networking [N/y]?

/* Whether the host is connected to a TCP/IP network */

IP: forwarding/gatewaying [N/y]?

/* Whether the host forwards IP packets or acts as a gateway */

......

IP: firewalling [Y/n]?

/* Enable the firewall in the TCP/IP stack */

IP: firewall packet logging [Y/n]?

/* Whether the firewall logs packets */

......

IP: accounting [Y/n]?

/* Whether to keep packet accounting statistics */

IP: optimize as router not host [Y/n]?

/* Optimize the host as a router */

......

IP: multicast routing [Y/n]?

/* Whether the router broadcasts route information externally */

Because we want to configure this host as a router and set up a firewall on it, we answer "Y" to these options.

3. # make dep

/* Prepare for compilation based on the chosen options */

4. # make zImage

/* Compile the kernel; the compiled kernel file is named zImage */

The compiled kernel is stored in the "/usr/src/linux/arch/i386/boot" directory. After backing up the system's original kernel, copy the file to the root directory, rename it "vmlinuz" and run "lilo" so that it takes effect at the next boot.

After rebuilding the kernel, you need to set up TCP/IP on the two NICs so that they connect the two different network segments and forward IP packets between them. The procedure is as follows:

1. For NE2000-compatible NICs, modify the "/etc/rc.d/rc.modules" file;

/sbin/modprobe ne io=0x300,0x320

/* Identify the two NICs at the two I/O addresses set in the hardware configuration above */

2. Modify the "/etc/rc.d/rc.inet1" file and set the IP address, mask and route information for the two NICs;

IPADDR="202.207.0.27"

NETWORK="202.207.0.0"

BROADCAST="202.207.0.255"

IPADDR1="202.207.7.2"

NETWORK1="202.207.7.0"

BROADCAST1="202.207.7.255"

NETMASK="255.255.255.0"

/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

/sbin/ifconfig eth1 ${IPADDR1} broadcast ${BROADCAST1} netmask ${NETMASK}

/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0

/sbin/route add -net ${NETWORK1} netmask ${NETMASK} eth1

3. In the "/etc/rc.d/rc.inet2" file, uncomment the lines that start the "routed" server so that the host can exchange route information with other routers and forward IP packets.

# Start the routed server

if [ -f ${NET}/routed ]; then

  echo -n " routed"

  ${NET}/routed -g -s

  /* Start the routed program */

fi

4. Add a line to the "/etc/lilo.conf" file so that the second NIC is identified at startup.

append="ether=4,0x320,eth1"

/* Interrupt 4 and I/O address 0x320, as set in the hardware configuration above */

After completing the above settings, restart the computer. The system identifies the two NICs and sets their IP addresses and masks according to the "/etc/rc.d/rc.inet1" file. After startup, log in as root and run the following commands to view the NIC and route information.

# ifconfig

/* Display the NIC details */

# route

/* Display the system route table */

I have connected the PCs in the student room LAN to the campus network through a Linux router, and through the campus network on to the Internet. In addition, I have configured a firewall on the Linux router. Practice has shown that the firewall effectively controls students' access to unauthorized IP addresses and successfully records the network traffic of each IP address, providing a basis for billing and network management. The Linux firewall can be configured by entering simple commands one by one, or by writing a shell script in the system's startup directory that executes them automatically. The command format is very simple; some examples follow:

# ipfwadm -A -a -S 0.0.0.0/0 -D 0.0.0.0/0

/* Keep accounting statistics for all packets passing through the router */

# ipfwadm -I -a accept -S 162.105.0.0/16

/* Accept all packets from the 162.105.0.0 network */

# ipfwadm -I -a deny -S 159.226.0.0/16

/* Discard all packets from the 159.226.0.0 network */

# ipfwadm -O -a reject -S 210.32.0.0/12

/* Reject outgoing packets from the 210.32.0.0 network and send a rejection packet back to the requester */

You can configure the firewall as needed to achieve the desired effect.
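As an added example, not part of the original article, the following POSIX shell script checks two things that the settings above depend on: that the NETWORK and BROADCAST values written by hand into rc.inet1 really follow from IPADDR and NETMASK, and how an ordered ipfwadm input rule list such as the one above decides a packet (rules are matched in the order they were appended, the first match wins, and the default policy applies when nothing matches). The function names, the rule list string and the probe source addresses are constructed for this example; the interface addresses are the ones used in the article.

```shell
#!/bin/sh
# Added example, not from the original article: offline checks for the
# rc.inet1 address settings and for an ipfwadm-style ordered rule list.
# Function names, the rule list and the probe addresses are constructed here.

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask (as an integer) for a CIDR prefix length such as 16 or 12.
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# True when address $1 lies inside the CIDR block $2 (for example 162.105.0.0/16).
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(prefix2mask "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# check_net IPADDR NETMASK NETWORK BROADCAST
# Verify that the hand-written NETWORK and BROADCAST values in rc.inet1 are the
# ones that actually follow from IPADDR and NETMASK; a mismatch leaves ifconfig
# and route with inconsistent views of the segment.
check_net() {
    addr=$(ip2int "$1")
    mask=$(ip2int "$2")
    want_net=$(int2ip $(( addr & mask )))
    want_bc=$(int2ip $(( (addr & mask) | (~mask & 4294967295) )))
    if [ "$want_net" = "$3" ] && [ "$want_bc" = "$4" ]; then
        echo "ok: $1/$2 -> network $3, broadcast $4"
        return 0
    fi
    echo "mismatch: $1/$2 gives network $want_net and broadcast $want_bc, not $3 and $4"
    return 1
}

# fw_decide RULES DEFAULT_POLICY SRC
# RULES holds one "policy cidr" pair per line, in the order the rules were
# appended with "ipfwadm -I -a". The first rule matching SRC decides; the
# DEFAULT_POLICY applies when no rule matches (ipfwadm's first-match order).
fw_decide() {
    hit=$(printf '%s\n' "$1" | while read -r policy cidr; do
        [ -n "$policy" ] || continue
        if in_cidr "$3" "$cidr"; then
            echo "$policy"
            break
        fi
    done)
    echo "${hit:-$2}"
}

# The article's input rules, in the order they would be appended (constructed string).
INPUT_RULES="accept 162.105.0.0/16
deny 159.226.0.0/16"

# Demonstration on the article's two segments and three constructed source addresses.
check_net 202.207.0.27 255.255.255.0 202.207.0.0 202.207.0.255
check_net 202.207.7.2 255.255.255.0 202.207.7.0 202.207.7.255
for src in 162.105.10.1 159.226.5.5 10.0.0.1; do
    echo "input packet from $src -> $(fw_decide "$INPUT_RULES" accept "$src")"
done
```

The script runs on any POSIX shell without root and without ipfwadm; it is a paper check of the configuration, not a replacement for inspecting the live rule list on the router. Because matching stops at the first hit, a rule set with overlapping address ranges gives different results depending on the order in which the rules were appended, so keep the more specific rule ahead of the broader one.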
