Build a soft route using the Linux firewall

Source: Internet
Author: User
Article Title: Use Linux firewall to build a soft route.
This article describes how to use the firewall software shipped with Linux to build a soft route (a software router). The method is a simple and secure way to interconnect an intranet with an external network. Because the soft route built on the Linux kernel firewall controls access mainly by IP address, it is more convenient than typical proxy server software.
  
I. firewall
  
In computer networking, a "firewall" protects an intranet from unauthorized access from external networks. It is a policy implemented with an IP packet filter at the network layer together with a set of rules; it can be realized in hardware or in software.
  
The computer running the firewall (hereinafter simply "the firewall") is connected to both the external network and the intranet. Normally, intranet hosts cannot reach the external network directly, and vice versa. When an intranet host wants to reach the external network, its packets must first pass through the firewall, which replaces the source address with the firewall's own IP address before sending them on. That is, as intranet packets pass the firewall, their source IP addresses are rewritten (masqueraded, or "disguised") to a valid external IP address. After masquerading, the intranet host appears to the external network as a machine with a valid IP address, so it can communicate. When an external host wants to reach an intranet host, its packets must also pass through the firewall, and after filtering only the permitted services get through.
  
It can be seen that the firewall plays two roles between the intranet and the external network:
  
(1) IP packet filtering-protection;
  
(2) routing-network interconnection.
  
II. firewall installation
  
1. hardware installation
  
The computer running the Linux firewall needs either two NICs or one NIC plus one modem card. This article uses two NICs as the example. Install the NICs, set their interrupt numbers and I/O port addresses correctly, and assign an appropriate IP address to each NIC.
  
Then configure the firewall itself, as described in the following sections.
  
2. install the Gateway
  
There are two ways to set up the gateway: run linuxconf, enter the "Routing and Gateways" option and configure the gateway there, or edit the rc.inet1 file. The following describes editing rc.inet1.
  
Go to the /etc/rc.d/ directory, type "vi rc.inet1" and press Enter, then set the parameters as follows:
  
IPADDR="202.114.194.130"        # external IP address of the first card
NETMASK="255.255.255.128"       # external subnet mask of the first card
NETWORK="202.114.194.0"         # external network segment of the first card
BROADCAST="202.114.194.255"     # external broadcast address of the first card
GATEWAY="202.114.194.129"       # external (default) gateway of the first card
IPADDR1="192.168.0.1"           # intranet IP address of the second card
NETMASK1="255.255.255.0"        # intranet subnet mask of the second card
NETWORK1="192.168.0.0"          # intranet segment of the second card
BROADCAST1="192.168.0.255"      # intranet broadcast address of the second card
  
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}      # set the first card
/sbin/ifconfig eth1 ${IPADDR1} broadcast ${BROADCAST1} netmask ${NETMASK1}   # set the second card
/sbin/route add -net ${NETWORK} netmask ${NETMASK}                           # route to the external segment
/sbin/route add default gw ${GATEWAY} metric 1                               # default route via the external gateway
/sbin/route add -net ${NETWORK1} netmask ${NETMASK1}                         # route to the intranet segment
  
To check the gateway settings, run the "ifconfig" command. It should list both eth0 and eth1 with the values configured above. If they are not shown, the settings are wrong and must be redone.
  
III. build a soft route
  
1. IP address translation
  
IP address translation is also called IP masquerading (sometimes loosely "IP address spoofing"): when an intranet host sends packets through the firewall, the firewall rewrites the intranet source address (which is not valid on the external network) to its own valid external IP address and then exchanges traffic with the external network on the host's behalf. The masquerading command is:
  
ipfwadm -F -a masquerade -D 0.0.0.0/0 -W eth0
  
"-D 0.0.0.0/0" means packets to any destination are masqueraded (so every intranet address can be translated), and "-W eth0" restricts the rule to packets leaving through NIC 1 (eth0, the external interface).
  
Once masquerading is set, ping an external host from an intranet machine. Provided IP forwarding has not been disabled on the firewall, the ping succeeds, which shows the configuration is correct.
  
2. set the permission to access the external network
  
For network management, access from the intranet to external networks is sometimes restricted. The restrictions fall into two kinds: (1) which machines may access the Internet; (2) which sites they may reach.
  
To restrict which machines may reach the external network, refer to the following script:
  
ipfwadm -F -p deny                               # default policy: deny forwarding for intranet machines
ipfwadm -F -a m -S 192.168.0.5/32 -D 0.0.0.0/0   # allow (and masquerade) 192.168.0.5 to the external network
  
To restrict which sites may be reached, set the output rules as follows:
  
ipfwadm -O -i reject -D 0.0.0.0/0         # reject all sites on the external network
ipfwadm -O -i accept -D 202.114.0.0/16    # allow access to all sites from 202.114.0.0 to 202.114.255.255
  
In these settings, "0.0.0.0/0" stands for every address, and "202.114.0.0/16" stands for every address from 202.114.0.0 to 202.114.255.255. Note that "-i" inserts each rule at the head of the output list, so the accept rule added second is checked before the reject rule; if the two rules were appended with "-a" instead, the reject rule would match first and the 202.114.0.0/16 sites would be unreachable.
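As an added example (not code from the article), the following Python model of ipfwadm list semantics makes the ordering behaviour of the rules above visible: "-a" appends, "-i" inserts at the head, the first matching rule wins, and an unmatched packet falls through to the list policy. The initial accept policy of the -O list is an assumption.

```python
import ipaddress


class IpfwList:
    """Model of one ipfwadm list (-F forwarding or -O output) plus its default policy."""

    def __init__(self, policy):
        self.policy = policy   # set with ipfwadm -<list> -p <policy>
        self.rules = []        # ordered (src_net, dst_net, target) tuples

    def append(self, target, src="0.0.0.0/0", dst="0.0.0.0/0"):
        """ipfwadm -a: add the rule at the END of the list."""
        self.rules.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), target))

    def insert(self, target, src="0.0.0.0/0", dst="0.0.0.0/0"):
        """ipfwadm -i: add the rule at the HEAD of the list."""
        self.rules.insert(0, (ipaddress.ip_network(src), ipaddress.ip_network(dst), target))

    def lookup(self, src_ip, dst_ip):
        """First matching rule wins; no match falls through to the list policy."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_net, dst_net, target in self.rules:
            if s in src_net and d in dst_net:
                return target
        return self.policy


def article_forward_list():
    """ipfwadm -F -p deny ; ipfwadm -F -a m -S 192.168.0.5/32 -D 0.0.0.0/0"""
    fw = IpfwList("deny")
    fw.append("masquerade", src="192.168.0.5/32")
    return fw


def article_output_list():
    """ipfwadm -O -i reject -D 0.0.0.0/0 ; ipfwadm -O -i accept -D 202.114.0.0/16
    (assumption: the kernel's initial -O policy is accept)"""
    out = IpfwList("accept")
    out.insert("reject")
    out.insert("accept", dst="202.114.0.0/16")
    return out


def appended_output_list():
    """The same two rules added with -a instead of -i: reject is now checked first."""
    out = IpfwList("accept")
    out.append("reject")
    out.append("accept", dst="202.114.0.0/16")
    return out


if __name__ == "__main__":
    print(article_forward_list().lookup("192.168.0.6", "202.114.1.1"))   # deny
    print(article_output_list().lookup("192.168.0.5", "202.114.3.4"))    # accept
    print(appended_output_list().lookup("192.168.0.5", "202.114.3.4"))   # reject
```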
  
3. collect IP packet traffic
  
The IP packet accounting settings are as follows:
  
/sbin/ipfwadm -A -f                                      # flush any existing accounting rules
/sbin/ipfwadm -A out -i -S 192.168.0.0/32 -D 0.0.0.0/0   # count all outgoing packets
/sbin/ipfwadm -A in -i -S 192.168.0.0/32 -D 0.0.0.0/0    # count all incoming packets
  
The accounting counters are kept in the /proc/net/ip_acct file, in which all IP addresses are printed in hexadecimal notation.
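As an added example (not from the article), the following Python parser turns the hexadecimal address fields of /proc/net/ip_acct back into dotted notation and extracts the packet and byte counters. The field layout (SRC/SMASK->DST/DMASK, via-interface, via-address, flags, nsp, ndp, packets, bytes, ...) is assumed from the 2.0 kernel's ip_fw proc output, and the sample text is constructed, not captured from a system.

```python
import ipaddress

# Constructed sample in the assumed /proc/net/ip_acct layout (not captured output).
SAMPLE_IP_ACCT = """IP accounting rules
C0A80000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 1532      1907344   0 0 0 0 0 0 0 0 0 0 A00 X00
C0A80000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 2210      188512    0 0 0 0 0 0 0 0 0 0 A00 X00
"""


def hex_to_dotted(token):
    """'C0A80000' -> '192.168.0.0' (the kernel prints each address as %08X)."""
    return str(ipaddress.IPv4Address(int(token, 16)))


def parse_ip_acct(text):
    """Return one dict per accounting rule with addresses in dotted/prefix form."""
    rules = []
    for line in text.splitlines()[1:]:          # first line is the header
        tok = line.split()
        if len(tok) < 8:                        # skip blank or malformed lines
            continue
        src, dst = tok[0].split("->")
        s_addr, s_mask = (hex_to_dotted(t) for t in src.split("/"))
        d_addr, d_mask = (hex_to_dotted(t) for t in dst.split("/"))
        rules.append({
            "src": str(ipaddress.ip_network(f"{s_addr}/{s_mask}", strict=False)),
            "dst": str(ipaddress.ip_network(f"{d_addr}/{d_mask}", strict=False)),
            "iface": tok[1],                    # '-' when no interface restriction
            "packets": int(tok[6]),
            "bytes": int(tok[7]),
        })
    return rules


def total_bytes(rules):
    """Sum the byte counters over all accounting rules."""
    return sum(r["bytes"] for r in rules)


if __name__ == "__main__":
    for r in parse_ip_acct(SAMPLE_IP_ACCT):
        print(f'{r["src"]} -> {r["dst"]}: {r["packets"]} packets, {r["bytes"]} bytes')
```

On a live system, read the file with open("/proc/net/ip_acct").read() in place of SAMPLE_IP_ACCT.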
  
All of the above commands can be placed under /etc/rc.d, or put into a separate shell script and run with the sh command.
  
The above settings were all run on RedHat 5.1.