This article introduces a method of building a software router from the Linux firewall package, which provides a simple and safe way to interconnect an intranet and an extranet. A software router built on the Linux firewall controls access mainly by IP address, which in some respects is more convenient than general-purpose proxy server software.
I. The firewall
The term firewall, as used in computer networks, refers to a device that protects an intranet against illegal intrusion from an external network. It is a strategy for protecting the internal network by means of network-layer IP packet filtering procedures and a set of rules; there are hardware implementations and software implementations.
The computer running the firewall (called the firewall below) is connected to both the external network and the intranet. In general, users of the intranet cannot access the extranet directly, and vice versa. When an intranet user wants to access the extranet, the connection must first go to the firewall; the firewall translates the IP address and then sends the packets on to the external network. That is, when an intranet machine passes through the firewall, its source IP address is set (disguised, or spoofed) to a legitimate IP address of the external network. After this disguise, from the external network's point of view the intranet machine is a machine with a legitimate IP address, and so it can communicate. External network users who want to access intranet machines must likewise go through the firewall, and after filtering only the permitted services get through.
This shows that the firewall plays two roles between the internal network and the external network:
(1) IP packet filtering, the protection function;
(2) Routing, the network interconnection function.
II. Installing the firewall
1. Hardware installation
The computer running the Linux firewall must have two network cards installed, or one network card and one modem card. This article takes two network cards as an example. Install the network cards, set the interrupt number and I/O port address correctly, and assign the appropriate IP address to each card.
The firewall model after this configuration is shown in the accompanying figure.
2. Setting up the gateway
There are two ways to set up the gateway: one is to run linuxconf, enter the Routing and gateways option and configure the gateway there; the other is to modify the rc.inet1 file. The following shows how to set up the gateway by modifying rc.inet1.
Enter the /etc/rc.d/ directory, type vi rc.inet1 and press Enter, and make modifications along the following lines:
IPADDR="202.114.194.130"      # external-network IP address of the first card
NETMASK="255.255.255.128"     # netmask of the first card (external side)
NETWORK="202.114.194.0"       # external network segment of the first card
BROADCAST="202.114.194.255"   # external-network broadcast address of the first card
GATEWAY="202.114.194.129"     # gateway of the first card; it is also the default gateway
IPADDR1="192.168.0.1"         # internal-network IP address of the second card
NETMASK1="255.255.255.0"      # netmask of the second card (internal side)
NETWORK1="192.168.0.0"        # internal network segment of the second card
BROADCAST1="192.168.0.255"    # internal-network broadcast address of the second card
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}      # set up the first card
/sbin/ifconfig eth1 ${IPADDR1} broadcast ${BROADCAST1} netmask ${NETMASK1}   # set up the second card
/sbin/route add -net ${NETWORK} netmask ${NETMASK}                           # route to the external segment
/sbin/route add default gw ${GATEWAY} metric 1                               # default route via the external gateway
/sbin/route add -net ${NETWORK1} netmask ${NETMASK1}                         # route to the internal segment
To test the gateway settings, run the ifconfig command: it should list eth0 and eth1 with the addresses configured above. If that information is not shown, the settings are incorrect and must be redone.
III. Building the software router
1. IP address translation
IP address translation is also known as IP masquerading or IP address spoofing. It means that when an intranet machine passes through the firewall, the firewall disguises the intranet IP address (which is not a legitimate external-network address) as a legitimate external-network IP address, and then communicates with the external network on its behalf. The command format for IP masquerading is as follows:
ipfwadm -F -a masquerade -D 0.0.0.0/0 -W eth0   # forwarding rule: masquerade traffic leaving via eth0
Here "-D 0.0.0.0/0" matches every destination address, so every intranet connection is translated, and "-W eth0" means that the translation is applied to packets going out through the first network card (eth0).
After IP masquerading is set up, you can ping an external-network machine from an intranet machine. Provided that IP forwarding on the firewall has not been disabled, the ping succeeds, which shows that the configuration is correct.
2. Setting permissions to access the external network
To strengthen network management, some restrictions are placed on intranet access to the extranet, including: (1) which machines are allowed to access the Internet, and (2) which sites may be accessed.
The following script restricts which machines may access the Internet:
ipfwadm -F -p deny                                        # default policy: refuse all intranet machines access to the Internet
ipfwadm -F -a masquerade -S 192.168.0.5/32 -D 0.0.0.0/0   # allow (and masquerade) only 192.168.0.5 to reach external networks
To restrict which sites may be accessed, set the following:
ipfwadm -O -i reject -D 0.0.0.0/0        # refuse all sites on the extranet
ipfwadm -O -i accept -D 202.114.0.0/16   # allow all sites from 202.114.0.0 to 202.114.255.255
Because -i inserts each rule at the head of the list, the accept rule entered second is checked before the reject rule. In the above settings, "0.0.0.0/0" represents all addresses, and "202.114.0.0/16" represents all sites from 202.114.0.0 to 202.114.255.255.
3. IP packet traffic accounting
The IP packet traffic accounting settings are as follows:
/sbin/ipfwadm -A -f                                      # flush any existing accounting rules
/sbin/ipfwadm -A out -i -S 192.168.0.0/24 -D 0.0.0.0/0   # count all outgoing packets from the intranet
/sbin/ipfwadm -A in -i -S 192.168.0.0/24 -D 0.0.0.0/0    # count all incoming packets
(The /24 mask covers the whole 192.168.0.0 intranet configured above; a /32 mask would match only the single address 192.168.0.0.)
The accounting statistics are stored in the /proc/net/ip_acct file, in which all IP addresses are represented in hexadecimal.
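To make that file readable, here is an added example (not from the original article) of a small POSIX shell decoder for /proc/net/ip_acct-style lines. It assumes the 2.0-kernel layout in which each rule line begins with the source address/mask and destination address/mask as four 8-digit hexadecimal fields and leaves every other column untouched; the sample it decodes is constructed, not real kernel output.

```shell
#!/bin/sh
# Decode the hexadecimal addresses in /proc/net/ip_acct-style output.
# Assumption: each rule line begins with SRC/SMASK->DST/DMASK as four 8-digit
# uppercase hex fields (2.0-kernel layout); everything after the first blank
# is copied through unchanged, so packet/byte counters keep their place.

# hex2ip C0A80005 -> 192.168.0.5
hex2ip() {
    h=$1
    a=${h%??????}; r=${h#??}
    b=${r%????};   r=${r#??}
    c=${r%??};     d=${r#??}
    printf '%d.%d.%d.%d' "0x$a" "0x$b" "0x$c" "0x$d"
}

# acct_decode FILE: print FILE with the address quad of each rule line decoded
acct_decode() {
    while IFS= read -r line; do
        case $line in
            [0-9A-F]*/[0-9A-F]*'->'[0-9A-F]*/[0-9A-F]*)
                quad=${line%% *}; rest=${line#* }
                src=${quad%%/*};   t=${quad#*/}
                smask=${t%%->*};   t=${t#*->}
                dst=${t%%/*};      dmask=${t#*/}
                printf '%s/%s->%s/%s %s\n' \
                    "$(hex2ip "$src")" "$(hex2ip "$smask")" \
                    "$(hex2ip "$dst")" "$(hex2ip "$dmask")" "$rest"
                ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# decode_sample: run the decoder on a constructed sample (not real kernel
# output) mimicking the two accounting rules above; the fields after the
# addresses (interface, via, flags, port counts, counters) are invented.
decode_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' 'IP accounting rules' \
        'C0A80000/FFFFFF00->00000000/00000000 - 00000000 0000 0 0 4213 2961834' \
        'C0A80000/FFFFFF00->00000000/00000000 - 00000000 0000 0 0 3870 351201' \
        > "$f"
    acct_decode "$f"
    rm -f "$f"
}

decode_sample
```

On the firewall itself, call acct_decode /proc/net/ip_acct to read the live counters.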
All of the above scripts can be placed either in a file under /etc/rc.d or in a separate shell script executed with the sh command.
The above settings were run on RedHat 5.1.