Firewalls come in several different grades of security. Under Linux there are many different firewall packages, so the protection they offer ranges from weak to strong, and the most elaborate of them can make a system almost impenetrable. The Linux kernel itself, however, has a simple mechanism called "IP masquerading". Strictly speaking it is address translation rather than a firewall, but because the hosts behind it cannot be addressed from the outside at all, it withstands the vast majority of attacks; only the most specialized ones, and attacks on the gateway machine itself, get past it.
When we dial up to the Internet, our computer is assigned an IP address so that other hosts on the Internet can return data to it. An attacker uses that same IP address to reach the information on your computer. The "IP masquerading" method used in Linux hides your computer's address so that nobody else sees it on the network. Several blocks of IP addresses are reserved specifically for private networks (the blocks set aside by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), and the Internet backbone routers do not route them. For example, the author's computer has the address 192.168.1.127. If you type this address into your browser you receive nothing, because the backbone does not route 192.168.x.x. Countless computers on other private networks use exactly the same addresses. Because the address cannot be reached from the outside at all, the machine cannot be probed or broken into directly; what remains exposed is the gateway in front of it and whatever that gateway is configured to forward inward.
Solving security on the Internet therefore looks simple: just give your computer an address that nobody else can reach. Wrong! When you browse, the server has to send data back to you, otherwise nothing appears on your screen, and a server can only return data to a valid address that is routed on the Internet backbone.
"IP masquerading" is the technique that resolves this dilemma. A Linux machine configured for IP masquerading sits between the internal and external networks and automatically translates the addresses of packets going from the inside out and from the outside in. This operation is generally called network address translation (NAT).
In practice IP masquerading is somewhat more involved than that. The masquerading server sits between two networks. If you reach the Internet through an analog dial-up modem, that link is one of the networks; your intranet, which usually hangs off an Ethernet card, is the second. With DSL or a cable modem the system has a second Ethernet card in place of the analog modem. Linux manages the IP addresses on each of these networks. So if a Windows machine with address 192.168.1.25 on the second network (Ethernet card eth1) wants to reach the Internet through a cable modem (207.175.253.15) on the first (Ethernet card eth0), Linux's IP masquerading intercepts every TCP/IP packet sent by its browser, strips out the original local address (192.168.1.25) and replaces it with the real address (207.175.253.15). When the server returns data to 207.175.253.15, Linux intercepts the returning packet and fills in the correct local address (192.168.1.25) again. To tell the returning packets apart it also rewrites the source port and records each mapping in a table, which is why only replies to connections opened from the inside ever reach an internal host.
Linux can masquerade several local machines at once (for instance 192.168.1.25 and 192.168.1.34 in the masquerading table) and keep every packet straight. The author has an old 486 running Slackware Linux that handles packets from four computers to a cable modem simultaneously without any loss of speed.
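To make the packet rewriting described above concrete, here is a small Python model of a masquerading gateway. It is an added illustration and is not code from the article, the kernel or ipfwadm; the inside hosts 192.168.1.25 and 192.168.1.34, the public address 207.175.253.15, the remote server 198.51.100.7 and the port numbers are constructed to match the example network. It goes slightly beyond the text in three ways a practitioner cares about: an inbound packet with no table entry is dropped (which is what makes a host behind the gateway unreachable), a packet arriving on the outside interface with a forged 192.168.1.x source is refused rather than masqueraded, and idle mappings expire according to the timeouts the article later sets with ipfwadm -M.

```python
"""Toy model of Linux IP masquerading (added illustration, not the article's
or the kernel's code). eth1 = inside (192.168.1.0/24), eth0 = outside."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE_IFACE, OUTSIDE_IFACE = "eth1", "eth0"
LAN = ipaddress.ip_network("192.168.1.0/24")   # the -S 192.168.1.0/24 of the masquerade rule
PUBLIC_IP = "207.175.253.15"                   # address of the cable-modem interface
SERVER = "198.51.100.7"                        # constructed remote web server


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (or leaves by, for a rewritten copy)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Flow:
    src: str         # inside host and port that opened the connection
    sport: int
    dst: str         # remote peer it talked to
    dport: int
    last_seen: float


class Masquerader:
    """Rewrites source addresses on the way out and restores them on the way in.
    Default timeouts follow 'ipfwadm -M -s 600 30 120' (TCP, TCP after FIN, UDP);
    the FIN case is not modelled."""

    def __init__(self, tcp_timeout=600, udp_timeout=120, first_port=61000):
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.next_port = first_port        # 2.0 kernels allocated from 61000 upward
        self.table = {}                    # (proto, outside port) -> Flow

    def _port_for(self, pkt: Packet) -> Optional[int]:
        """Return the outside port already assigned to this inside 5-tuple, if any."""
        for (proto, port), f in self.table.items():
            if proto == pkt.proto and (f.src, f.sport, f.dst, f.dport) == \
                    (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return port
        return None

    def outbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """The masquerade rule, tied to the inside interface; anything else
        falls through to the forwarding chain's deny policy."""
        if pkt.iface != INSIDE_IFACE or ipaddress.ip_address(pkt.src) not in LAN:
            return None   # e.g. a packet on eth0 forging a 192.168.1.x source
        port = self._port_for(pkt)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[(pkt.proto, port)] = Flow(pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        self.table[(pkt.proto, port)].last_seen = now
        # only the source address and port change; the server sees 207.175.253.15
        return Packet(OUTSIDE_IFACE, pkt.proto, PUBLIC_IP, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Reverse translation for replies; anything without a live entry is dropped."""
        if pkt.iface != OUTSIDE_IFACE or pkt.dst != PUBLIC_IP:
            return None
        key = (pkt.proto, pkt.dport)
        flow = self.table.get(key)
        if flow is None:
            return None                        # unsolicited: no inside host to deliver it to
        if now - flow.last_seen > self.timeouts[pkt.proto]:
            del self.table[key]                # idle mapping has expired
            return None
        if (pkt.src, pkt.sport) != (flow.dst, flow.dport):
            return None                        # reply must come from the peer in the table
        flow.last_seen = now
        return Packet(INSIDE_IFACE, pkt.proto, pkt.src, pkt.sport, flow.src, flow.sport)


def demo():
    """Two LAN hosts reach the same server from the same local port; the gateway
    keeps them apart by the outside port it assigned to each flow."""
    nat = Masquerader()
    a = nat.outbound(Packet("eth1", "tcp", "192.168.1.25", 1025, SERVER, 80), now=0)
    b = nat.outbound(Packet("eth1", "tcp", "192.168.1.34", 1025, SERVER, 80), now=0)
    reply_a = nat.inbound(Packet("eth0", "tcp", SERVER, 80, PUBLIC_IP, a.sport), now=1)
    reply_b = nat.inbound(Packet("eth0", "tcp", SERVER, 80, PUBLIC_IP, b.sport), now=1)
    # a scan of the public address hits no table entry and is dropped
    unsolicited = nat.inbound(Packet("eth0", "tcp", "203.0.113.9", 40000, PUBLIC_IP, 23), now=1)
    # a forged LAN source arriving on the outside interface is not masqueraded
    spoofed = nat.outbound(Packet("eth0", "tcp", "192.168.1.25", 1026, SERVER, 80), now=1)
    return a, b, reply_a, reply_b, unsolicited, spoofed
```

Running demo() shows both outbound packets leaving with source 207.175.253.15 but different ports (61000 and 61001), each reply landing back on the right 192.168.1.x host, and both the unsolicited and the spoofed packet coming back as None. The model checks the inbound peer address as well as the port; a real masquerading table also records the remote end, so a third party guessing an outside port cannot inject into an existing flow.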
Before the 2.2 kernel, IP masquerading was managed with the IP firewall administration tool ipfwadm. Although the 2.2 kernel provides the faster and more capable ipchains, it still ships an ipfwadm wrapper for backward compatibility, so the author uses ipfwadm as the example in this article to describe how to set up IP masquerading (the IP Masquerade HOWTO, at http://..., covers the details).
In addition, some applications, such as RealAudio and CU-SeeMe, use non-standard protocols that need special masquerading modules (ip_masq_raudio and ip_masq_cuseeme in the 2.0 kernels); the same site has the relevant information. These helper modules read the application data to learn which extra ports to open inward, so load only the ones you actually use, since each one widens what the gateway will forward to the inside.
The author's server has two Ethernet cards, which the kernel assigns to eth0 and eth1 when it boots. Both are jumperless SN2000 ISA adapters, which most Linux systems recognize. The author's Ethernet initialization steps are placed in rc.inet1 and read as follows:
IPADDR="207.175.253.15"        # Replace with the IP address of your cable modem
NETMASK="255.255.255.0"        # Change to your netmask
NETWORK="207.175.253.0"        # Change to your network address
BROADCAST="207.175.253.255"    # Change to your broadcast address
GATEWAY="207.175.253.254"      # Change to your gateway address

# Use the variables above to set up the cable-modem Ethernet card
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

# Set up the IP routing table, including the default route through the
# cable-modem gateway (without it the server cannot reach the Internet)
/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0
/sbin/route add default gw ${GATEWAY} eth0

# Set up the intranet Ethernet card eth1, written out without variables
/sbin/ifconfig eth1 192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

# Then initialize ipfwadm
/sbin/ipfwadm -F -p deny       # default policy: forward nothing except what follows
# Masquerade forwarding requests that come from 192.168.1.x
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# Masquerading timeouts in seconds: TCP, TCP after FIN, UDP
/sbin/ipfwadm -M -s 600 30 120
That's it! IP masquerading should now be working on your system. The kernel must have been built with IP forwarding and masquerading enabled (CONFIG_IP_FORWARD and CONFIG_IP_MASQUERADE). Two caveats are worth keeping in mind. The masquerade rule above matches on the source address only, so a packet arriving on the cable-modem side with a forged 192.168.1.x source would also match it; ipfwadm's -W option lets you tie the rule to eth1 so that only packets that really arrived on the intranet card are masqueraded. And the deny policy applies to the forwarding chain only: services listening on the server's own address 207.175.253.15 remain reachable from the Internet and have to be restricted separately with input rules (ipfwadm -I). For more details, refer to the HOWTO mentioned above.
Over the past six months the price of 56K analog modem cards has dropped sharply. Most of the new cards, however, achieve this by removing the controller microprocessor from the board and pushing its work onto the system's main CPU; Linux does not support these "WinModem" cards. Although Linux's kernel experts are perfectly capable of writing drivers for WinModems, they also understand that it is not wise to burden system performance in order to save $10.
Make sure the modem card you use has jumpers for selecting COM1, COM2, COM3 or COM4; such cards work without trouble under Linux. While writing this article I spent some time testing different modem cards. Linux supports plug-and-play devices, so I bought a jumperless plug-and-play card made by Amjet, and ran into another troublesome problem.
The PC the author tested with is an old 486 with a 1994 AMI BIOS. With this plug-and-play card plugged in, the computer would not boot; the screen showed "Primary hard disk failure". On inspection it turned out that the plug-and-play BIOS had given the card interrupt 15, which should have been kept for the original hard disk controller, and assigned