IP address control instance based on routing policy in LINUX

Source: Internet
Author: User
In LINUX, the IP address control instance based on the routing policy-Linux Enterprise Application-Linux server application information. The following is a detailed description. I. background description

LINUX is a gateway server with three NICs
Eth1 is bound to an IP address of 172.17.0.0/16. The IP address of this network segment can be accessed through 172.17.1.1.
Eth0 is bound to the IP address 192.168.10.0/24. The IP address of this network segment can be accessed through 192.168.10.1.
Eth2 is bound to 192.168.1.1, which is the gateway of an intranet user.



Ii. Demand Analysis

Intranet users should use the route 172.17.1.1 to access the Internet.
However, due to work requirements, some users should have the permission to access the "Private Network" in the figure.
That is to say, the route 192.168.10.1 should be used.

In addition, everyone should be able to access the FTP server. The IP address of this server is 192.168.10.96.
That is to say, the person using route 172.17.1.1 should be able to access 192.168.10.96 and access the internet.

Iii. Solutions

To solve this problem, several commands are used. You need to check the details for specific usage.
Ip route
Ip rule
Arp
Note: For ip command usage, please refer to the ip Chinese manual, which is available on www.google.com

1. bind an IP address
Ifconfig eth1 172.17.3.x netmask 255.255.0.0
Ifconfig eth0 192.168.10.2 netmask 255.255.255.0
Ifconfig eth2 192.168.1.1 netmask 255.255.255.0
Modify the/etc/sysconfig/network-script/ifcfg-ethx file to enable the computer to automatically set the IP address.

2. Create a special route table
Vi/etc/iproute2/rt_table
Code:

#
# Reserved values
#
255 local
254 main
253 default
0 unspec

200 NET10
#
# Local
#
#1 inr. ruhu


The 200 NET10 above is newly added. The custom number is 200 and the name is NET10.

3. add its own default route to the NET10 route

Code:

Ip route add default via 192.168.10.1 table NET10


Note: Do not forget to write this table NET10; otherwise, it will be written to the master route table.

4. Create special routing rules

Ip rule can be used to view the current routing rules of the computer.
Reference:

0: from all lookup local
32766: from all lookup main
32767: from all lookup default


We can see that the rule contains three route tables: local, main, and default.
What we usually see in route is the main route table.
These rules follow the sequence number. If they are different, they follow the next rule to know the path or the end of the process.

Start adding our own route NET10 to the route table
Code:

Ip rule add from 192.168.1.222 pref 10000 table NET10


This means that if the access from the IP address 192.168.1.222 is enabled
What are the routing rules of NET10? We have already set the IP address range to 192.168.10.1.
Next, enable linux to use NAT (here we will not elaborate on how)

5. Allow all users to access 192.168.10.xx (this IP address cannot be mentioned)

Because all the others are using the route 172.17.1.1, they cannot access 192.168.10.xx.
How can we achieve this? Add another policy!
Code:

Ip rule add to 192.168.10.xxpref 10001 table NET10


If the destination IP address is 192.168.10.xx, The NET10 route table is used temporarily.
In this way, will there be security problems? If the route changes, will they access the private network?
No, because the routing rule is to 192.168.10.xx, that is, when the target is 96, the route is used. The original route is used to access other websites.
If you access a dedicated network machine, there will be only 10. xx.
Here, we can also do a trick to not tell others the address of 192.168.10.xx, but to tell them that the service exists on the gateway 192.168.1.1.
Iptables-t nat-a prerouting-d 192.168.1.1/32 -- dport 21-j DNAT -- to 192.168.10.xx: 21

6. prevent others from tampering with IP addresses and obtaining special permissions

Arp has a static function CM, not C. You may know that
What if I forcibly bound an IP address to a non-MAC address? Both sessions will fail!
Okay, let's take advantage of this!

First, I wrote a file iproute. c.
Code:

# Include
# Include
Main ()
{
Int I;
For (I = 2; I <255; I ++)
Printf ("192.168.1.% d \ t \ t00: 00: 00: 00: 00 \ n", I );
}


Gcc iproute. c-o iproute
Compile an executable file
Note: Host IP addresses should not be included, so from 2 cycles to 254 (255 is broadcast)

Second, generate a c ip address and a MAC address of all 00
Code:

./Iproute>/etc/ethers



Again, modify the IP-MAC match list
Vi/etc/ethers
I don't need to elaborate on the specifics. I believe everyone will

Finally, do static IP-MAC binding
Arp-f

7. Create a firewall and modify the main route table for security purposes.

The default route table should contain 192.168.10.0/24 and 172.17.0.0/16 segments.
In addition, if it is AS3, there will be a route of 169.254.0.0/16. Why don't I know? Remove it.
Then write a firewall script and use iptables to harden your machine!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.