Building soft routes with Linux firewalls

Source: Internet
Author: User
Tags: modify port number, firewall, linux

This article introduces a method of building a soft router from the Linux firewall software package, which provides a simple and safe way to interconnect an intranet and an extranet. A soft router built from the Linux firewall controls access mainly by IP address, which in some respects is more convenient than the more common proxy-server software.

I. The firewall

In computer networking, a firewall is a device that protects an intranet from illegal intrusion from the external network. It protects the internal network with a strategy of filtering IP packets at the network layer according to a set of rules, and it can be implemented in hardware or in software.

The computer running the firewall (called the firewall below) is connected to both the external network and the intranet. In general, intranet users cannot access the extranet directly, and vice versa. An intranet user who wants to reach the extranet must first go through the firewall, which translates the IP address and then sends the packet on to the external network; that is, when an intranet machine's traffic passes through the firewall, its source IP address is set (disguised, or spoofed) to a legitimate IP address of the external network. After this masquerading, the intranet machine appears to the external network as a machine with a legitimate IP address, and the two can communicate. External network users who want to reach intranet users must likewise pass through the firewall and, after filtering, can only use the services that are allowed.

This shows that the firewall plays two roles between the internal and external networks:

(1) IP packet filtering, the protection function;

(2) Routing, the network interconnection function.

II. Installing the firewall

1. Hardware installation

The computer running the Linux firewall must have either two network cards or one network card plus a modem card installed. This article takes two network cards as the example. Install the cards, set their interrupt (IRQ) and I/O port numbers correctly, and assign an appropriate IP address to each card.

Figure: the firewall model after configuration.

2. Installing the gateway

There are two ways to set up the gateway: run linuxconf and configure it under the Routing and Gateways option, or edit the rc.inet1 file. The following describes setting up the gateway by editing rc.inet1.

Enter the /etc/rc.d/ directory, type vi rc.inet1 and press Enter, then edit the file along the following lines:

IPADDR="202.114.194.130"      # external network IP address of the first card (eth0)
NETMASK="255.255.255.128"     # external network mask of the first card
NETWORK="202.114.194.0"       # external network segment of the first card
BROADCAST="202.114.194.255"   # external network broadcast address of the first card
GATEWAY="202.114.194.129"     # external network gateway of the first card, also the default gateway
                              # (NETWORK and BROADCAST must be the network and broadcast address
                              #  of the block that IPADDR and NETMASK define; check them before use)
IPADDR1="192.168.0.1"         # internal network IP address of the second card (eth1)
NETMASK1="255.255.255.0"      # internal network mask of the second card
NETWORK1="192.168.0.0"        # internal network segment of the second card
BROADCAST1="192.168.0.255"    # internal network broadcast address of the second card

# Set the first card
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
# Set the second card
/sbin/ifconfig eth1 ${IPADDR1} broadcast ${BROADCAST1} netmask ${NETMASK1}

# Interface routes (the device name is required on 2.0 kernels) and the default route
/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0
/sbin/route add default gw ${GATEWAY} metric 1
/sbin/route add -net ${NETWORK1} netmask ${NETMASK1} eth1

To test the gateway settings, run the ifconfig command: it should display eth0 and eth1 with the values set above. If the relevant information is not shown, the settings are incorrect and must be redone.
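Before rebooting into a broken network, it is worth checking that NETWORK, BROADCAST and GATEWAY really belong to the block that IPADDR and NETMASK define: with the values above, a mask of 255.255.255.128 on 202.114.194.130 puts the first card in 202.114.194.128/25, so the NETWORK value must agree with that. The following Python check is an added example, not part of the original article; it uses only the standard library ipaddress module and the address values from the rc.inet1 fragment above.

```python
import ipaddress

# The interface values from the rc.inet1 fragment above (the article's own figures).
RC_INET1 = {
    "IPADDR": "202.114.194.130", "NETMASK": "255.255.255.128",
    "NETWORK": "202.114.194.0", "BROADCAST": "202.114.194.255",
    "GATEWAY": "202.114.194.129",
    "IPADDR1": "192.168.0.1", "NETMASK1": "255.255.255.0",
    "NETWORK1": "192.168.0.0", "BROADCAST1": "192.168.0.255",
}


def derive(ipaddr, netmask):
    """Return (network, broadcast) as strings for the block that ipaddr/netmask defines."""
    net = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}").network
    return str(net.network_address), str(net.broadcast_address)


def check_card(ipaddr, netmask, network, broadcast, gateway=None):
    """Return a list of inconsistencies for one card; an empty list means the values agree."""
    problems = []
    net_ok, bcast_ok = derive(ipaddr, netmask)
    if network != net_ok:
        problems.append(f"NETWORK {network} does not match {ipaddr}/{netmask}; expected {net_ok}")
    if broadcast != bcast_ok:
        problems.append(f"BROADCAST {broadcast} does not match {ipaddr}/{netmask}; expected {bcast_ok}")
    if gateway is not None:
        block = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}").network
        if ipaddress.IPv4Address(gateway) not in block:
            problems.append(f"GATEWAY {gateway} is outside {block}; the default route cannot use it")
    return problems


def check_rc_inet1(cfg):
    """Check both cards; the keys are the interface names used in rc.inet1."""
    return {
        "eth0": check_card(cfg["IPADDR"], cfg["NETMASK"], cfg["NETWORK"],
                           cfg["BROADCAST"], cfg["GATEWAY"]),
        "eth1": check_card(cfg["IPADDR1"], cfg["NETMASK1"], cfg["NETWORK1"],
                           cfg["BROADCAST1"]),
    }


if __name__ == "__main__":
    for iface, problems in check_rc_inet1(RC_INET1).items():
        print(iface, "OK" if not problems else "\n  ".join([""] + problems))
```

Run against the values above, the check reports eth1 as consistent and flags eth0: its NETWORK value 202.114.194.0 is not the network of 202.114.194.130/255.255.255.128 (that is 202.114.194.128). Either the mask or the segment must be corrected, otherwise the interface route that rc.inet1 adds does not cover the default gateway 202.114.194.129.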

III. Building the soft route

1. IP address translation

IP address translation, also called IP masquerading or IP address spoofing, means that when an intranet machine's traffic passes through the firewall, the firewall disguises the intranet IP address (which is not a legitimate external address) as a legitimate external network IP address before communicating with the external network. The IP masquerading command has the following format:

ipfwadm -F -a masquerade -D 0.0.0.0/0 -W eth0

Here "-D 0.0.0.0/0" matches packets to any destination, so the addresses of all intranet machines are translated, and "-W eth0" means the translation is done on the first network card, eth0, the external interface.

Once IP masquerading is set up, ping an external network machine from an intranet machine; provided IP forwarding on the firewall is enabled, the ping succeeds, which shows that the configuration is correct.

2. Setting permissions for access to the external network

To strengthen management of the network, some restrictions are placed on intranet access to the extranet: (1) which machines are allowed to access the Internet, and (2) which sites they are allowed to access.

The following script restricts which intranet machines may use the Internet:

ipfwadm -F -p deny                                # default policy: refuse forwarding for all intranet machines
ipfwadm -F -a m -S 192.168.0.5/32 -D 0.0.0.0/0    # allow (masquerade) only 192.168.0.5 to reach the external network

To restrict which sites may be reached, set:

ipfwadm -O -i reject -D 0.0.0.0/0          # reject all sites on the external network
ipfwadm -O -i accept -D 202.114.0.0/16     # allow access to all sites from 202.114.0.0 to 202.114.255.255

In the above settings "0.0.0.0/0" stands for all addresses and "202.114.0.0/16" for all sites from 202.114.0.0 to 202.114.255.255. Because "-i" inserts each rule at the head of the list, the accept rule entered second is checked before the reject rule.
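The two rule sets above depend on first-match order, and "-i" (insert at the head) versus "-a" (append at the end) decides that order. The following Python model is an added example, not the article's code and not a reimplementation of ipfwadm: it replays the article's rules through a first-match evaluator so the outcome for a given intranet machine and destination can be checked, and shows what happens if the accept rule were appended instead of inserted.

```python
import ipaddress


class Chain:
    """A minimal model of one ipfwadm rule list (-F forwarding, -O output, -I input)."""

    def __init__(self, policy="accept"):
        self.policy = policy   # -p: the default policy when no rule matches
        self.rules = []        # checked top to bottom; the first match decides

    @staticmethod
    def _rule(action, src, dst):
        return (action, ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst))

    def append(self, action, src="0.0.0.0/0", dst="0.0.0.0/0"):
        """ipfwadm -a: add the rule at the end of the list."""
        self.rules.append(self._rule(action, src, dst))

    def insert(self, action, src="0.0.0.0/0", dst="0.0.0.0/0"):
        """ipfwadm -i: add the rule at the head of the list."""
        self.rules.insert(0, self._rule(action, src, dst))

    def decide(self, src_ip, dst_ip):
        s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for action, src_net, dst_net in self.rules:
            if s in src_net and d in dst_net:
                return action
        return self.policy


def build_page_rules():
    """The article's two rule sets, entered in the order the article gives them."""
    forward = Chain("deny")                            # ipfwadm -F -p deny
    forward.append("masquerade", "192.168.0.5/32")     # ipfwadm -F -a m -S 192.168.0.5/32 -D 0.0.0.0/0
    output = Chain()                                   # -O policy left at its default, accept
    output.insert("reject")                            # ipfwadm -O -i reject -D 0.0.0.0/0
    output.insert("accept", dst="202.114.0.0/16")      # ipfwadm -O -i accept -D 202.114.0.0/16
    return forward, output


def verdict(forward, output, src_ip, dst_ip):
    """Fate of an intranet packet: the forwarding decision first, then the output list.
    (The real output list sees the masqueraded source; since the article's output rules
    match only on destination, evaluating with the original source gives the same answer.)"""
    fwd = forward.decide(src_ip, dst_ip)
    if fwd != "masquerade":
        return fwd
    out = output.decide(src_ip, dst_ip)
    return "masquerade" if out == "accept" else out


if __name__ == "__main__":
    fwd, out = build_page_rules()
    for src, dst in [("192.168.0.5", "202.114.1.1"), ("192.168.0.5", "198.51.100.7"),
                     ("192.168.0.6", "202.114.1.1")]:
        print(f"{src} -> {dst}: {verdict(fwd, out, src, dst)}")
```

With the article's rules, 192.168.0.5 is masqueraded to a 202.114.0.0/16 site and rejected elsewhere, and any other intranet machine is denied in the forwarding list before the output list is reached. If the accept rule were appended ("-a") after the inserted reject rule, the reject-all rule would be matched first and the accept rule would never be reached.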

3. Accounting for IP packet traffic

The IP packet traffic accounting settings are as follows:

/sbin/ipfwadm -A -f                                       # flush any existing accounting rules
/sbin/ipfwadm -A out -i -S 192.168.0.0/24 -D 0.0.0.0/0    # count all outgoing packets from the intranet
/sbin/ipfwadm -A in -i -S 192.168.0.0/24 -D 0.0.0.0/0     # count all incoming packets
                                                          # (/24 covers the whole 192.168.0.0 intranet segment;
                                                          #  /32 would match only the single address 192.168.0.0)

The accounting counters are stored in the /proc/net/ip_acct file, in which all IP addresses are written in hexadecimal.
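Reading the hexadecimal addresses in /proc/net/ip_acct by eye is error-prone, so a small decoder helps when checking the counters. The following Python parser is an added example, not part of the article; the sample text is constructed, and the column layout it assumes (source/mask->destination/mask, then interface, via-address, flags, two port counts, packet count, byte count) follows the 2.0-era kernel's accounting output, so compare the field positions with the first lines of your own file before relying on them.

```python
# Constructed /proc/net/ip_acct excerpt (not captured from a real system). Assumed layout:
# "SRC/SMASK->DST/DMASK IFACE VIA FLAGS NSP NDP PKTS BYTES ..." after a header line.
SAMPLE_IP_ACCT = """\
IP accounting rules
C0A80000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 1528      1874211   0 0 0 0 0 0 0 0 0 0 A00 X00
00000000/00000000->C0A80000/FFFFFF00 - 00000000 0 0 0 1301      211890    0 0 0 0 0 0 0 0 0 0 A00 X00
"""


def hex_to_dotted(hex_addr):
    """Convert an 8-digit hexadecimal address such as C0A80000 to 192.168.0.0."""
    value = int(hex_addr, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(hex_mask):
    """Prefix length of a hexadecimal netmask (FFFFFF00 -> 24); assumes a contiguous mask."""
    return bin(int(hex_mask, 16)).count("1")


def parse_ip_acct(text):
    """Return one dict per accounting rule with dotted addresses and the two counters."""
    rows = []
    for line in text.splitlines():
        if "->" not in line:
            continue                        # skip the "IP accounting rules" header
        fields = line.split()
        src, dst = fields[0].split("->")
        s_addr, s_mask = src.split("/")
        d_addr, d_mask = dst.split("/")
        rows.append({
            "src": f"{hex_to_dotted(s_addr)}/{mask_to_prefix(s_mask)}",
            "dst": f"{hex_to_dotted(d_addr)}/{mask_to_prefix(d_mask)}",
            "packets": int(fields[6]),      # assumed column: packet counter
            "bytes": int(fields[7]),        # assumed column: byte counter
        })
    return rows


if __name__ == "__main__":
    for row in parse_ip_acct(SAMPLE_IP_ACCT):
        print(f"{row['src']:>18} -> {row['dst']:<18} {row['packets']:>8} pkts {row['bytes']:>10} bytes")
```

To read the live file, replace SAMPLE_IP_ACCT with the contents of /proc/net/ip_acct; the address decoding does not depend on the column assumption, only the two counters do.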

All of the scripts above can be placed either in the startup scripts under /etc/rc.d or in a separate shell script run with the sh command.

The settings above were run on RedHat 5.1.
