Any host that is reachable from the Internet is exposed to attacks. One way to reduce that exposure is to place a Linux transparent firewall in front of the network, which raises the next question: how is a Linux transparent firewall configured? The steps below walk through the configuration.
1. Set the network addresses. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/sysconfig/network-scripts/ifcfg-eth1 so that both NICs have the same IP address and the same subnet mask. Use vi to give the two files the following contents, save them, and run the command service network restart so that the change takes effect.
/etc/sysconfig/network-scripts/ifcfg-eth0:
- DEVICE=eth0
- BOOTPROTO=none
- BROADCAST=192.168.1.255
- IPADDR=192.168.1.254
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- ONBOOT=yes
- USERCTL=no
- PEERDNS=no
- TYPE=Ethernet
/etc/sysconfig/network-scripts/ifcfg-eth1:
- DEVICE=eth1
- BOOTPROTO=none
- BROADCAST=192.168.1.255
- IPADDR=192.168.1.254
- NETMASK=255.255.255.0
- NETWORK=192.168.1.0
- ONBOOT=yes
- USERCTL=no
- PEERDNS=no
- TYPE=Ethernet
Note the following two points. The first is to tell eth0 and eth1 apart; this is critical, because if the two are mixed up the firewall cannot connect to the network. How to tell eth0 from eth1 is described briefly at the end of the article. In what follows it is assumed that the NIC connected to the router is eth0.
2. Set the default route. Add the line GATEWAY=192.168.1.1 to /etc/sysconfig/network-scripts/ifcfg-eth0, save the file, and run the command service network restart so that the change takes effect. Then pick a public IP address that answers ICMP and run ping 202.108.36.196 (the host www.163.com) to check connectivity to the Internet. If it responds, the Linux firewall host is correctly connected to the Internet. Run ping 192.168.1.18 to check connectivity between the firewall host and an intranet host. If that also responds, go on to the next step.
3. Enable network forwarding and proxy_arp. This is the core of the transparent firewall. The settings are written into /etc/rc.d/rc.local: open it with vi /etc/rc.d/rc.local and insert the following lines. I spent a lot of time on this step, because the reference book did not include the -w parameter; only after running sysctl net.ipv4.conf.eth0.proxy_arp=1 on its own did I find that Red Hat Linux 9 will not apply the setting without -w.
- #Ip forward
- /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
- #Enable proxy-arp
- /sbin/sysctl -w net.ipv4.conf.eth0.proxy_arp=1
- /sbin/sysctl -w net.ipv4.conf.eth1.proxy_arp=1
4. Specify the routes. Because the two NICs (eth0, eth1) use the same IP address, the routing becomes ambiguous unless the forwarding path is specified explicitly, and computers behind the firewall cannot reach the Internet. Use vi to edit /etc/rc.d/rc.local and insert the following lines. Save the file and restart the computer.
- #Define route
- /sbin/ip route del 192.168.1.0/24 dev eth0
- /sbin/ip route add 192.168.1.1 dev eth0
- /sbin/ip route add 192.168.1.0/24 dev eth1
After the restart, the host 192.168.1.18 can reach the Internet through the Linux firewall without any problems, and so can any other machine on the intranet. The route definitions mean the following: /sbin/ip route del 192.168.1.0/24 dev eth0 means that packets destined for the 192.168.1.0/24 subnet are no longer forwarded out of eth0 but out of eth1, which is what /sbin/ip route add 192.168.1.0/24 dev eth1 establishes; /sbin/ip route add 192.168.1.1 dev eth0 means that all packets destined for 192.168.1.1 are forwarded out of eth0. This can be understood as a division of forwarding work between the two NICs: eth0 handles the packets to 192.168.1.1 and eth1 handles all the remaining packets. With that, the configuration of the Linux transparent firewall is complete. If the firewall rule level selected is medium, the firewall has been configured successfully.
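To confirm that a firewall host actually ends up in the state the four steps describe, the following check script is an added example, not part of the original article; it reads an ip route show listing on stdin and a sysctl -a style key = value file, and the interface names, gateway and subnet are the ones used in the article (adjust them if yours differ).

```sh
#!/bin/sh
# Added example: verify the transparent-firewall layout from the article:
# forwarding on, proxy_arp on both NICs, 192.168.1.1 reached via eth0 and
# the rest of 192.168.1.0/24 via eth1. Values below follow the article.
OUTSIDE_IF=eth0          # NIC connected to the router
INSIDE_IF=eth1           # NIC connected to the intranet
GATEWAY=192.168.1.1
LAN=192.168.1.0/24

# check_routes: reads `ip route show` output on stdin, prints each
# problem found and returns 0 only when the route split matches step 4.
check_routes() {
    routes=$(cat)
    status=0
    # the whole LAN must leave through the inside NIC ...
    if ! printf '%s\n' "$routes" | grep -q "^$LAN dev $INSIDE_IF"; then
        echo "missing: $LAN dev $INSIDE_IF"; status=1
    fi
    # ... and must not still be reachable via the outside NIC, or replies
    # to intranet hosts would be sent toward the router instead.
    if printf '%s\n' "$routes" | grep -q "^$LAN dev $OUTSIDE_IF"; then
        echo "stale: $LAN dev $OUTSIDE_IF (ip route del was not applied)"; status=1
    fi
    # only the router address goes out through the outside NIC
    if ! printf '%s\n' "$routes" | grep -q "^$GATEWAY dev $OUTSIDE_IF"; then
        echo "missing: $GATEWAY dev $OUTSIDE_IF"; status=1
    fi
    return $status
}

# check_sysctl FILE: FILE holds `key = value` lines as printed by sysctl -a;
# every setting from step 3 must be 1.
check_sysctl() {
    status=0
    for key in net.ipv4.conf.all.forwarding \
               net.ipv4.conf.$OUTSIDE_IF.proxy_arp \
               net.ipv4.conf.$INSIDE_IF.proxy_arp; do
        val=$(sed -n "s/^$key *= *//p" "$1")
        [ "$val" = "1" ] || { echo "$key is '${val:-unset}', expected 1"; status=1; }
    done
    return $status
}
```

On the firewall host itself the two checks would be run as ip route show | check_routes and sysctl -a > /tmp/sysctl.txt; check_sysctl /tmp/sysctl.txt.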