How to Implement a Linux Firewall to Make a Remote Office More Secure (1)

Source: Internet
Author: User
Tags: domain server

Remote office access is commonly implemented with a VPN. That approach has two main shortcomings. First, so that VPN users can reach the Intranet at any time, the Intranet computers must stay powered on around the clock, which wastes a great deal of resources. Second, once a user has connected over the VPN, the remote computer appears only as a peer in Network Neighborhood, so all that can be done is to copy data back and forth. Using a Linux gateway instead makes up for both shortcomings: Intranet machines are powered on on demand, and the remote user gets direct control and monitoring of the remote computer, including its desktop. In this setup the Linux server is the machine connected to the Internet; it acts as the gateway and firewall, and it is responsible for waking up the computers on the Intranet.
Environment Configuration
1. Install the wakelan Software
wakelan is a Wake-on-LAN program for Linux: it sends a "magic packet" on the LAN attached to the Linux server, and the computer whose NIC carries the specified MAC address powers on. The command format is "wakelan MAC-address".
The Installation Method of wakelan is as follows:

#tar xzf wakelan-1.1.tar.gz
#cd wakelan-1.1
#./configure
#make
#make install

2. Add a broadcast route
In the working environment described here, the LAN machines connect through a switch to the eth1 NIC of the Linux server. The wake-up packet is sent to the limited broadcast address 255.255.255.255, and on a server with more than one interface the kernel needs a route telling it which interface such a packet leaves through; otherwise the packet cannot be sent. Add the following route on the Linux server so that broadcasts go out to the whole LAN:

#route add -host 255.255.255.255 dev eth1

Put the preceding command in /etc/rc.local so that the route is added automatically whenever the Linux server restarts.
3. Configure DHCP
In the DHCP configuration file /etc/dhcpd.conf, specify the IP address, domain name, gateway, DNS server and other settings for the Intranet Windows machines so that each obtains its assigned address automatically after it boots. The fixed IP-to-MAC mapping matters here because the DNAT rule in step 4 forwards to a specific address. If each computer already has a static IP address configured, the DHCP step can be skipped.
The configuration in /etc/dhcpd.conf is as follows:

ddns-update-style ad-hoc;
max-lease-time -1;                        # -1: leases never expire
default-lease-time -1;
option subnet-mask 255.255.255.0;
option broadcast-address 255.255.255.255; # the directed broadcast 192.168.0.255 is the usual value for this subnet
option routers 192.168.0.1;               # the Linux gateway's Intranet (eth1) address
option domain-name-servers 192.168.0.1;
option domain-name "home.net.cn";
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.11 192.168.0.100;     # dynamic pool for the other machines
    host platinum {
        hardware ethernet 00:0a:e6:a9:64:a2;
        fixed-address 192.168.0.2;        # outside the dynamic pool
    }
}

In this configuration the host named "platinum" (the computer whose NIC has MAC address 00:0a:e6:a9:64:a2) always receives the fixed address 192.168.0.2, while the other machines get addresses from the pool 192.168.0.11 to 192.168.0.100. Add a similar host block for each additional machine that is to be reached through the gateway.
Start the DHCP service with "/etc/rc.d/init.d/dhcpd start".
4. Configure iptables and set the DNAT Function
DNAT (destination NAT) rewrites the destination of connections that arrive at a specific port on the Linux gateway so that they are delivered to the corresponding port of a designated machine on the Intranet. From the outside, the Intranet host appears to be listening on the gateway's public address.
Example:

#iptables -t nat -A PREROUTING -p tcp ! -s 192.168.0.0/24 --dport 4899 -j DNAT --to-destination 192.168.0.2:4899

In this command, every connection request from outside the Intranet to port 4899 of the Linux gateway is forwarded to port 4899 of the host 192.168.0.2; the "! -s 192.168.0.0/24" match excludes connections that originate on the Intranet itself. 4899 is the default service port of the remote control program Radmin. Two further conditions must hold for the forwarded connection to work: IP forwarding must be enabled in the kernel (net.ipv4.ip_forward), and if the FORWARD chain's policy is DROP it must accept the traffic to 192.168.0.2 port 4899. Note also that the rule as written accepts connections from any Internet address; a remote-control port exposed to the whole Internet will attract password-guessing attempts, so if the remote office has a fixed public address, restrict the rule to it with -s, and use a strong Radmin password in any case. Add the command to /etc/rc.local so that Linux provides this function after every boot, or write a firewall script that does the same and run it from /etc/rc.local.
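The firewall script mentioned above, as an added example; it is not code from the original article. It applies the broadcast route of step 2 (in its iproute2 form), enables forwarding, sets a default-DROP FORWARD policy, masquerades the Intranet's outbound traffic so the server really works as the LAN's gateway, and publishes Radmin on 192.168.0.2 port 4899. The script name, the interface names eth0 (Internet side) and eth1 (Intranet side), the variable names and the DRY_RUN switch are assumptions of this example; matching on the Internet interface with -i takes the place of the "! -s 192.168.0.0/24" test in the rule above.

```shell
#!/bin/sh
# firewall.sh (assumed name): rules for the Linux gateway described in steps 2-4.
# Added example, not the article's own script. Assumed: eth0 faces the Internet,
# eth1 faces the Intranet switch. DRY_RUN=1 prints the commands instead of running them.

WAN_IF="${WAN_IF:-eth0}"                # public side
LAN_IF="${LAN_IF:-eth1}"                # Intranet side (step 2)
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # Intranet subnet (step 3)
ADMIN_SRC="${ADMIN_SRC:-0.0.0.0/0}"     # who may reach published ports; narrow this to the
                                        # remote office's public address if it is fixed

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: route the limited-broadcast address out of the Intranet interface so the
# wakelan magic packet has an interface to leave through (iproute2 form of "route add").
broadcast_route() {
    run ip route replace 255.255.255.255/32 dev "$LAN_IF"
}

# Without forwarding the kernel drops the packets that DNAT has rewritten.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Forward nothing by default; let the Intranet out and replies back in.
# INPUT is left untouched so an SSH session to the gateway itself is not cut off.
base_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# publish_service PUBLIC_PORT HOST HOST_PORT (step 4): DNAT connections arriving on
# the Internet interface to HOST:HOST_PORT and allow exactly that flow in FORWARD.
publish_service() {
    pub_port="$1"; host="$2"; host_port="$3"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$ADMIN_SRC" \
        --dport "$pub_port" -j DNAT --to-destination "$host:$host_port"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$ADMIN_SRC" \
        -d "$host" --dport "$host_port" -m conntrack --ctstate NEW -j ACCEPT
}

main() {
    broadcast_route
    enable_forwarding
    base_policy
    publish_service 4899 192.168.0.2 4899   # Radmin on "platinum"
}

case "${1:-}" in
    apply) main ;;                # as root, for example from /etc/rc.local
    show)  DRY_RUN=1 main ;;      # only print the commands that would run
esac
```

Run "sh firewall.sh show" first to review the generated rules, then "sh firewall.sh apply" as root from /etc/rc.local. Setting ADMIN_SRC to the remote office's public address before calling it limits both the DNAT and the FORWARD rule to that source.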
5. install remote control software on Intranet Windows
Commonly used remote control software includes pcAnywhere and Radmin; install whichever you prefer. This article uses Radmin. Both the remote office computer (the controlling side) and the controlled Intranet computer need the software installed; the controlled computer additionally runs the server component, which is what listens on port 4899.
6. Remotely wake up Intranet machines
Remote startup requires that the Windows machine's NIC supports Wake-on-LAN and that the BIOS settings enable wake-up by the NIC. From anywhere with Internet access, log on to the Linux server over SSH and run the wake-up command:

#wakelan 00:0a:e6:a9:64:a2

If the computer powers on, the configuration up to this point is correct. As it stands, however, waking a machine means remembering a set of hard-to-remember MAC addresses, which is inconvenient and error-prone, and every remote user has to log in to the firewall itself with a shell to do it; that is both troublesome and insecure. A web service on the gateway can improve this.
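One way to drop the MAC-address bookkeeping without a web front end, as an added example that is not from the original article: a bash script on the gateway that looks the MAC up in the host blocks already written into /etc/dhcpd.conf in step 3, so the operator types the host name instead. The script also builds the Wake-on-LAN magic packet itself (six 0xFF bytes followed by the MAC sixteen times) so it can be compared with what tcpdump shows on eth1, and sends it with the article's wakelan when present or with socat otherwise. The script name, the function names, the DHCPD_CONF and LAN_BCAST variables, the demo data and the one-statement-per-line layout of the host block are assumptions of this example.

```shell
#!/bin/bash
# wake-host.sh (assumed name): wake an Intranet machine by the host name from
# its dhcpd.conf host block instead of by MAC address.
# Added example, not part of the article or of wakelan.

DHCPD_CONF="${DHCPD_CONF:-/etc/dhcpd.conf}"   # assumed location (step 3)
LAN_BCAST="${LAN_BCAST:-255.255.255.255}"      # address covered by the step-2 route

# mac_for_host NAME [CONF]: print the lower-case MAC from "host NAME { hardware
# ethernet ...; }". Assumes one statement per line, as in the step-3 listing.
# Fails (exit 1) when the host is missing or the MAC is malformed.
mac_for_host() {
    want="$1"; conf="${2:-$DHCPD_CONF}"
    awk -v want="$want" '
        $1 == "host" && $2 == want { inblock = 1 }
        inblock && $1 == "hardware" && $2 == "ethernet" {
            sub(/;$/, "", $3); print tolower($3); exit
        }
        inblock && /}/ { inblock = 0 }
    ' "$conf" | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# wol_magic_hex MAC: the Wake-on-LAN magic packet as a hex string:
# six 0xff bytes followed by the MAC repeated sixteen times (102 bytes).
wol_magic_hex() {
    mac=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    [ "${#mac}" -eq 12 ] || { echo "bad MAC: $1" >&2; return 1; }
    hex=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do hex="$hex$mac"; i=$((i + 1)); done
    printf '%s' "$hex"
}

# send_wol MAC: use the article's wakelan if installed; otherwise send the packet
# built above with socat, which can set SO_BROADCAST (bash's /dev/udp cannot,
# so a send to the limited broadcast address through it would be refused).
send_wol() {
    if command -v wakelan >/dev/null 2>&1; then
        wakelan "$1"
    elif command -v socat >/dev/null 2>&1; then
        hex=$(wol_magic_hex "$1") || return 1
        printf "$(printf '%s' "$hex" | sed 's/../\\x&/g')" |
            socat -u - "UDP-DATAGRAM:$LAN_BCAST:9,broadcast"
    else
        echo "neither wakelan nor socat is installed" >&2
        return 1
    fi
}

# wake_host NAME: resolve the name through dhcpd.conf and send the packet.
wake_host() {
    mac=$(mac_for_host "$1") || { echo "no host '$1' in $DHCPD_CONF" >&2; return 1; }
    send_wol "$mac"
}

# demo: exercise the lookup and packet builder on a constructed copy of the
# step-3 host block (sample data only), without root or a LAN.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.11 192.168.0.100;
    host platinum {
        hardware ethernet 00:0A:E6:A9:64:A2;
        fixed-address 192.168.0.2;
    }
}
EOF
    mac=$(mac_for_host platinum "$tmp")
    rm -f "$tmp"
    printf 'platinum -> %s\nmagic packet: %s\n' "$mac" "$(wol_magic_hex "$mac")"
}

case "${1:-}" in
    demo) demo ;;
    "")   ;;                 # no argument: only define the functions
    *)    wake_host "$1" ;;
esac
```

"bash wake-host.sh platinum" then replaces "wakelan 00:0a:e6:a9:64:a2", and a host that is not in dhcpd.conf is refused rather than silently waking nothing. The lookup reads only the host block whose name matches exactly, so a machine listed earlier in the file cannot be woken by mistake.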

