Linux firewall camouflage mechanism to help you against malicious hackers

Source: Internet
Author: User
Tags: firewall

Firewalls come in several different levels of security. Under Linux there are many firewall packages to choose from, ranging from low to high security, and the most complex of them can provide almost impermeable protection. However, the Linux kernel itself has a simple built-in mechanism called "camouflage" (the kernel calls it IP masquerading), which can withstand most attacks except the most specialized ones.

When we dial a connection to the Internet, our computer is assigned an IP address that allows other people on the network to return information to our computer. Hackers use that IP to reach the data on your computer. Linux's "IP camouflage" method is to hide your IP so that other people on the network cannot see it. Several sets of IP addresses are specifically reserved for use by local networks and are not recognized by the Internet backbone routers. The IP of the author's computer is 192.168.1.127, but if you enter this address into your browser you will receive nothing, because the Internet backbone does not recognize the 192.168.x.x block. Countless computers on other intranets use the very same IP, and because you cannot reach them at all, you certainly cannot hack or crack them.

So, solving security on the Internet seems simple: just give your computer an IP address that nobody else can reach. That is wrong! When you surf the Internet, you also need the server to pass data back to you, otherwise you will see nothing on the screen, and the server can only send data back to a legitimate IP address registered on the Internet backbone.

"IP camouflage" is the technology that solves this dilemma. When a computer running Linux is set up to use "IP camouflage", it bridges the internal and external networks and automatically translates IP addresses going from inside to outside and from outside to inside; this action is usually called network address translation (NAT).

The actual "IP camouflage" is more complicated than the above. Basically, the "IP camouflage" server sits between two networks. If you use an analog dial-up modem to access the Internet, that is one of the networks; your internal network usually corresponds to an Ethernet card, which is the second network. If you use a DSL modem or cable modem, there will be a second Ethernet card in the system instead of an analog modem. Linux can manage every IP address on these networks, so if you have a Windows computer (IP 192.168.1.25) on the second network (Ethernet eth1) accessing the Internet through the first network (Ethernet eth0, a cable modem, 207.176.253.15), Linux "IP camouflage" intercepts every TCP/IP packet from your browser, pulls out the original local address (192.168.1.25) and replaces it with the real address (207.176.253.15). Then, when the server returns data to 207.176.253.15, Linux automatically intercepts the returning packet and fills in the correct local address (192.168.1.25).

Linux manages several local computers (such as 192.168.1.25 and 192.168.1.34 in the Linux "IP camouflage" diagram) and processes each packet without confusion. The author has an old 486 computer running Slackware Linux, which handles the packets sent by four computers to a cable modem without any reduction in speed.
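The following toy model, added here as an illustration rather than code from the article or from the Linux kernel, shows the bookkeeping the masquerading box does for the two local hosts above: each outgoing flow is given its own port on the public address 207.176.253.15, replies are mapped back to the right local host, and an outside packet that does not match an existing entry is dropped, which is where the protective effect comes from. The server and probe addresses (203.0.113.80, 198.51.100.9) and the port numbers are constructed for the example.

```python
"""Toy model of Linux IP masquerading (the article's "IP camouflage").

Added example, not code from the article or the Linux kernel. It mimics
what the masquerading box does between the internal Ethernet (eth1,
192.168.1.x) and the cable-modem side (eth0, 207.176.253.15).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Address blocks reserved for local networks (RFC 1918); backbone routers do not carry them.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr lies in one of the reserved local-network blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


# A translation entry: which inside host/port talks to which outside host/port.
Flow = Tuple[str, int, str, int]


class Masquerader:
    def __init__(self, external_ip: str, first_port: int = 61000):
        self.external_ip = external_ip
        self.next_port = first_port          # next free port on the public side
        self.by_port: Dict[int, Flow] = {}   # public port -> flow
        self.by_flow: Dict[Flow, int] = {}   # flow -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the local network (eth1 -> eth0)."""
        if not is_private(pkt.src):
            raise ValueError(f"{pkt.src} is not a local address; nothing to masquerade")
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:                     # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = flow
            self.by_flow[flow] = port
        return replace(pkt, src=self.external_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving on eth0 back to the local host, or drop it."""
        flow = self.by_port.get(pkt.dport)
        # Only a reply from the host the inside machine actually contacted gets through;
        # an unsolicited packet from outside has no matching entry and is discarded.
        if flow is None or (flow[2], flow[3]) != (pkt.src, pkt.sport):
            return None
        inside_ip, inside_port, _, _ = flow
        return replace(pkt, dst=inside_ip, dport=inside_port)


def demo() -> dict:
    """Run the article's scenario: two local hosts behind 207.176.253.15."""
    nat = Masquerader("207.176.253.15")
    server = "203.0.113.80"   # constructed server address (documentation range)
    a = nat.outbound(Packet("192.168.1.25", 1025, server, 80, "GET / from .25"))
    b = nat.outbound(Packet("192.168.1.34", 1025, server, 80, "GET / from .34"))
    reply_a = nat.inbound(Packet(server, 80, "207.176.253.15", a.sport, "200 OK for .25"))
    reply_b = nat.inbound(Packet(server, 80, "207.176.253.15", b.sport, "200 OK for .34"))
    # Constructed: an outside host probing the public address with no open flow.
    probe = nat.inbound(Packet("198.51.100.9", 4444, "207.176.253.15", 61000, "probe"))
    return {"a": a, "b": b, "reply_a": reply_a, "reply_b": reply_b, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
```

Both local hosts use source port 1025 toward the same server, yet they get distinct public ports, so the replies are never confused; the probe aimed at one of those public ports is refused because its sender is not the host that flow was opened to. Real kernels also track protocol, TCP state and timeouts, which this model leaves out.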

Before the 2.2 kernel, "IP camouflage" was managed by the IP firewall administration tool (ipfwadm). The 2.2 kernel, while providing the faster and more capable ipchains, still ships an ipfwadm wrapper for backward compatibility, so in this article the author takes ipfwadm as the example for setting up IP camouflage.

Also, some applications, such as RealAudio and CU-SeeMe, require special modules; you can get the relevant information from the above Web site as well.

That's it! Your system's "IP camouflage" should now be working properly. If you want more detail, refer to the HOWTO mentioned above.

Over the past six months, the price of 56K analog modem (data) cards has dropped a lot. However, most of the new cards have had the controlling microprocessor removed from the board, so they put extra load on the system's main CPU, and Linux does not support these "Winmodem" cards. Although the Linux kernel developers are quite able to write drivers for Winmodem cards, they also understand that hurting system performance in order to save 10 dollars is not a wise move.

Make sure you use a modem card with jumpers for selecting COM1, COM2, COM3 or COM4, so that the card will work properly under Linux. You can find a complete list of Linux-compatible modem cards.

While writing this article, the author spent some time testing various data cards. Linux supports Plug and Play devices, so I bought a jumper data card made by Amjet, only to run into another troubling problem.

The PC the author tested was an old 486 with a 1994 AMI BIOS. With this Plug and Play data card plugged in, the computer would not boot, and the screen showed "Primary hard disk failure". On inspection, it turned out that the Plug and Play BIOS had allocated interrupt 15, which should be reserved for the hard drive controller, to the data card. In the end the author gave up on Plug and Play on the old computer, because it was not worth spending time on. So, before you purchase a data card, check whether it has jumpers for selecting COM1 to COM4.

On the author's bulletin board, I saw several friends asking whether multiple dial-up lines could be used to improve Internet speed. The best example here is 128K ISDN, which uses two 56K channels at the same time to reach 128K. When an ISP provides such a service, the two separate lines are configured to connect to the same IP.

You can see that while Linux has an EQL module that lets you use two data cards in your computer, the two cards are only useful for sending data out unless the ISP provides the same IP for both dial-up connections.

If you dial in over a generic ISP PPP line, you get an IP address that servers across millions of computers can return data to, and you get a different IP address each time you dial in to your ISP.

The packets your browser sends out also carry the local IP address the server's data should return to. EQL can distribute these outgoing packets across different ISP lines, but the returning data can only be received through one IP address, the one the browser believes it is using. If you use ISDN, the ISP handles this problem; some ISPs will provide matching IP addresses for dial-up access over multiple lines, but at a very high price.

In the pursuit of speed, do not overlook the efficiency of the Linux firewall. In the author's office, six users access one 56K analog modem through an "IP camouflage" firewall; it works well and slows down only when someone downloads a large file. Before you decide to install more than one ISP dial-up line, try setting up an "IP camouflage" server. The way Windows handles multiple IPs is not very efficient, and separating the Windows network from the modem may pleasantly surprise you.

In short, Linux's "IP camouflage" method hides your IP so that other people on the network cannot see it.
