Build a soft route using the Linux Firewall

Source: Internet
Author: User

This article describes how to build a soft router with the firewall software that ships with Linux. It is a simple and secure way to connect an intranet to an external network: the Linux firewall controls access mainly by IP address, which is more convenient than general-purpose proxy server software.
I. Firewall
In computer networking, a "firewall" protects an intranet from unauthorized intrusion from the external network. It is a policy implemented with an IP packet filter at the network layer and a set of rules, and it can be realized in hardware or in software.
A computer running firewall software is itself called the firewall. It is connected to both the external network and the intranet, and in general intranet hosts cannot reach the external network directly, nor vice versa. When an intranet host wants to reach the external network, its packets pass through the firewall, which rewrites (masquerades) their source address to its own valid external IP address before forwarding them. Seen from the external network, the intranet host therefore looks like a machine with a valid address and can communicate. Traffic from the external network toward the intranet must likewise pass through the firewall, where it is filtered so that only the permitted services get through.
It can be seen that the firewall plays two roles between the Intranet and the external network:
(1) IP packet filtering-protection;
(2) routing-network interconnection.
II. Firewall Installation
1. Hardware Installation
The computer running the Linux firewall needs either two NICs or one NIC plus a modem card. This article takes two NICs as the example: install both cards, set their interrupt numbers and I/O port addresses correctly, and assign an appropriate IP address to each. The resulting layout is external network - eth0 [firewall] eth1 - intranet.
2. Install the Gateway
There are two ways to install the Gateway: one is to run linuxconf, enter the ROUTINGANDGATEWAYS option, configure the gateway, and the other is to modify the rc. inet1 file. The following describes how to modify the rc. inet1 file to install the gateway.
Go to the/etc/rc. d/directory, type virc. inet1, and press Enter. Modify the parameters as follows:
IPADDR="202.114.194.130"      # external IP address of the first card (eth0)
NETMASK="255.255.255.128"     # external subnet mask of the first card (a /25)
NETWORK="202.114.194.128"     # external network segment of the first card: with a /25 mask the
                              # host .130 and the gateway .129 lie in the upper half, so the
                              # network address is .128, not .0; with .0 the default route below
                              # fails with "SIOCADDRT: Network is unreachable"
BROADCAST="202.114.194.255"   # external broadcast address of the first card
GATEWAY="202.114.194.129"     # external default gateway of the first card
IPADDR1="192.168.0.1"         # intranet IP address of the second card (eth1)
NETMASK1="255.255.255.0"      # intranet subnet mask of the second card
NETWORK1="192.168.0.0"        # intranet segment of the second card
BROADCAST1="192.168.0.255"    # intranet broadcast address of the second card

/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}       # set the first card
/sbin/ifconfig eth1 ${IPADDR1} broadcast ${BROADCAST1} netmask ${NETMASK1}    # set the second card
/sbin/route add -net ${NETWORK} netmask ${NETMASK}       # external network route (2.0 kernels do not add it automatically)
/sbin/route add default gw ${GATEWAY} metric 1           # default route via the external gateway
/sbin/route add -net ${NETWORK1} netmask ${NETMASK1}     # intranet route
To test the gateway settings, run ifconfig: eth0 and eth1 should both be listed with the addresses, netmasks and broadcast addresses just configured. Then run route -n and confirm that the two network routes and the default route via 202.114.194.129 are present. If any of this is missing, the settings are wrong and must be corrected before going on.
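Before running the ifconfig and route lines above it is worth checking that IPADDR, GATEWAY and BROADCAST really belong to NETWORK/NETMASK: a /25 mask paired with a network address of .0 and a gateway at .129 is exactly the kind of mismatch that makes "route add default gw" fail with "Network is unreachable". The following shell script is an added example, not part of the original article; it takes the article's addresses (assuming the 255.255.255.128 mask) and implements the check with plain shell arithmetic so it can be run on any machine, not only the firewall.

```shell
#!/bin/sh
# Sanity check for an rc.inet1 address plan before applying it with ifconfig/route.
# Added example; the address values are the article's, the check is ours.

IPADDR="202.114.194.130"
NETMASK="255.255.255.128"
NETWORK="202.114.194.128"
BROADCAST="202.114.194.255"
GATEWAY="202.114.194.129"

ip_to_int() {
    # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

in_subnet() {
    # in_subnet ADDR NETWORK NETMASK -> true when ADDR lies inside NETWORK/NETMASK
    local a n m
    a=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq "$n" ]
}

check_plan() {
    # check_plan IPADDR NETMASK NETWORK BROADCAST GATEWAY
    # Prints "ok", or the first inconsistency found (and returns 1).
    local ip mask net bcast gw m n want
    ip=$1; mask=$2; net=$3; bcast=$4; gw=$5
    m=$(ip_to_int "$mask"); n=$(ip_to_int "$net")
    if [ $(( n & m )) -ne "$n" ]; then
        echo "NETWORK $net has host bits set under mask $mask"; return 1
    fi
    # broadcast = network with all host bits set
    want=$(int_to_ip $(( n | (~m & 0xFFFFFFFF) )))
    if [ "$bcast" != "$want" ]; then
        echo "BROADCAST should be $want for $net/$mask"; return 1
    fi
    if ! in_subnet "$ip" "$net" "$mask"; then
        echo "IPADDR $ip is outside $net/$mask"; return 1
    fi
    if ! in_subnet "$gw" "$net" "$mask"; then
        echo "GATEWAY $gw is outside $net/$mask: 'route add default gw' would fail"; return 1
    fi
    echo ok
}

check_plan "$IPADDR" "$NETMASK" "$NETWORK" "$BROADCAST" "$GATEWAY"
```

Run it once with the values you intend to put in rc.inet1; changing NETWORK to 202.114.194.0 while keeping the /25 mask makes it report that the broadcast address should be 202.114.194.127, which is the clue that the network address is wrong for that mask.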
III. Build a soft route
1. IP address translation (masquerading)
IP address translation is also called IP masquerading (sometimes, loosely, IP spoofing). When an intranet machine sends traffic through the firewall, the firewall replaces the intranet source address, which is not valid on the external network, with its own valid external address and then forwards the packet. The masquerading rule is:
ipfwadm -F -a masquerade -D 0.0.0.0/0 -W eth0
Here -F selects the forwarding chain, -a appends a rule whose policy is masquerade, -D 0.0.0.0/0 matches any destination, and -W eth0 applies the rule only to packets leaving through the first (external) card. Because no -S is given, packets from any source are masqueraded; restricting the rule to the intranet with -S 192.168.0.0/24 is safer. The kernel must also forward packets at all: on Red Hat 5.x this is controlled by the FORWARD_IPV4 setting in /etc/sysconfig/network, which the network startup script applies by writing to /proc/sys/net/ipv4/ip_forward.
After the masquerading rule is in place, ping an external host from an intranet machine whose default gateway is 192.168.0.1. If forwarding is enabled on the firewall the ping succeeds, which shows that the configuration is correct.
2. Set permission to access the external network
To tighten network management, restrictions are sometimes placed on intranet access to the external network: (1) which machines may access the Internet, and (2) which sites may be accessed.
To restrict which machines may access the Internet, use a script like the following:
ipfwadm -F -p deny                                          # default policy: intranet machines are not forwarded
ipfwadm -F -a masquerade -S 192.168.0.5/32 -D 0.0.0.0/0     # allow 192.168.0.5 to access the external network
The first line sets the forwarding policy to deny, so a machine is forwarded only when a rule explicitly matches it; the second appends a masquerade rule for 192.168.0.5 alone (a masquerade policy both accepts and masquerades the packet). Add one such line per permitted machine.
To restrict which sites may be accessed, set the output chain as follows:
ipfwadm -O -i reject -D 0.0.0.0/0          # reject all external sites
ipfwadm -O -i accept -D 202.114.0.0/16     # allow access to all sites in 202.114.0.0 ~ 202.114.255.255
In these settings "0.0.0.0/0" means every address and "202.114.0.0/16" means all addresses from 202.114.0.0 to 202.114.255.255. -i inserts each rule at the head of the chain and the first matching rule decides, so the accept rule added second is examined before the reject rule; inserting them in the opposite order would reject everything. Note that the -O chain applies to every packet the firewall sends, including packets to the intranet, so in practice add -W eth0 to both rules to confine them to the external interface.
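The masquerading rule, the per-machine permissions and the site restriction above are really one ordered rule set, and ipfwadm rules are order-sensitive. The following shell script is an added example, not code from the original article: it generates the complete ipfwadm rule set for the soft router (default-deny forwarding, masquerading only for a list of permitted intranet hosts, and the site restriction confined to eth0 with -W), then applies it. The host list, the site list and the DRY_RUN switch are assumptions introduced here; ipfwadm belongs to the 2.0 kernel and fails anywhere else, which is why the script can also just print the commands.

```shell
#!/bin/sh
# Generates and applies the ipfwadm rule set for the soft router. Added example;
# the host and site lists are assumed values, not from the article.

EXT_IF=eth0
ALLOWED_HOSTS="192.168.0.5 192.168.0.7"   # intranet hosts allowed out (assumed)
ALLOWED_SITES="202.114.0.0/16"             # destinations they may reach

gen_rules() {
    # Print the ipfwadm commands in the order they must run. The first matching
    # rule in a chain decides, so the accept is appended before the catch-all
    # reject (the article inserts them with -i in the opposite order, same effect).
    echo "ipfwadm -F -f"          # flush forwarding rules
    echo "ipfwadm -F -p deny"     # forwarding policy: deny unless a rule matches
    for h in $ALLOWED_HOSTS; do
        echo "ipfwadm -F -a masquerade -S $h/32 -D 0.0.0.0/0 -W $EXT_IF"
    done
    echo "ipfwadm -O -f"          # flush output rules
    for s in $ALLOWED_SITES; do
        echo "ipfwadm -O -a accept -D $s -W $EXT_IF"
    done
    # -W confines the reject to the external card, so the firewall itself can
    # still talk to 192.168.0.0/24 through eth1.
    echo "ipfwadm -O -a reject -D 0.0.0.0/0 -W $EXT_IF"
}

enable_forwarding() {
    # Masquerading does nothing unless the kernel forwards packets.
    # (On Red Hat 5.x FORWARD_IPV4=yes in /etc/sysconfig/network does the same.)
    [ -w /proc/sys/net/ipv4/ip_forward ] && echo 1 > /proc/sys/net/ipv4/ip_forward
}

apply_rules() {
    # Run the generated commands; with DRY_RUN=1 only print them.
    gen_rules | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            # exit leaves only the pipeline subshell, so the function returns 1
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

DRY_RUN=1 apply_rules
```

On the firewall itself, call enable_forwarding and then apply_rules without DRY_RUN; the script stops at the first ipfwadm command that fails instead of leaving a half-built chain behind.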
3. Collect IP packet traffic
The IP packet accounting rules are set as follows:
/sbin/ipfwadm -A -f                                           # flush any existing accounting rules
/sbin/ipfwadm -A out -i -S 192.168.0.0/24 -D 0.0.0.0/0         # count all outgoing packets from the intranet
/sbin/ipfwadm -A in -i -S 192.168.0.0/24 -D 0.0.0.0/0          # count all packets from the intranet arriving at the firewall
The mask must be /24: 192.168.0.0/32 would match only the single address 192.168.0.0, the network address itself, so nothing would be counted. The counters are kept in /proc/net/ip_acct, where all IP addresses and masks are printed in hexadecimal; ipfwadm -A -l lists the same rules and counters in a readable form.
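Because /proc/net/ip_acct prints addresses and masks as eight hex digits, reading it by eye is awkward. The following shell script is an added example, not from the article: it converts a constructed sample of ip_acct lines into dotted quads with prefix lengths and prints the packet and byte counters. The field positions (source/mask->destination/mask, interface name, interface address, flags, two port counts, packets, bytes) are assumed from the 2.0 kernel's ip_fw proc output and should be checked against a real file; the sample lines are constructed, not captured.

```shell
#!/bin/sh
# Decodes /proc/net/ip_acct-style accounting lines. Added example; field layout
# assumed from the 2.0 ip_fw proc output, sample lines constructed.

# Constructed sample: header line plus one rule per direction, addresses in hex
SAMPLE_ACCT='IP accounting rules
C0A80000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 1234      567890
00000000/00000000->C0A80000/FFFFFF00 - 00000000 0 0 0 98        12345'

hex2ip() {
    # 8 hex digits -> dotted quad
    local v
    v=$(( 0x$1 ))
    echo "$(( (v >> 24) & 255 )).$(( (v >> 16) & 255 )).$(( (v >> 8) & 255 )).$(( v & 255 ))"
}

mask2prefix() {
    # hex netmask -> prefix length (number of set bits)
    local m n
    m=$(( 0x$1 )); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

acct_report() {
    # Reads ip_acct lines on stdin. Assumed layout:
    #   SRC/SMASK->DST/DMASK via viaaddr flags nsp ndp packets bytes ...
    local rule via viaaddr flags nsp ndp pkts bytes rest left right
    while read -r rule via viaaddr flags nsp ndp pkts bytes rest; do
        case "$rule" in */*) ;; *) continue ;; esac   # skip the header line
        left=${rule%%-\>*}; right=${rule#*-\>}
        echo "$(hex2ip "${left%%/*}")/$(mask2prefix "${left#*/}") -> $(hex2ip "${right%%/*}")/$(mask2prefix "${right#*/}") $pkts $bytes"
    done
}

report_sample() {
    # Decode the constructed sample; on a real 2.0 box use: acct_report < /proc/net/ip_acct
    printf '%s\n' "$SAMPLE_ACCT" | acct_report
}

report_sample
```

Reading the counters at intervals and subtracting gives per-direction throughput for the intranet; the -i insert order does not matter for accounting rules, since every matching accounting rule updates its counters.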
All of the above commands can be placed in a startup script under /etc/rc.d (rc.local, for example), or put in a separate shell script and run with sh followed by the script name.
The above settings were all run on Red Hat 5.1.
