How to Implement Linux firewall to make remote office more secure

Article Title: How to Implement the Linux firewall to make remote office more secure. Linux is a technology channel of the IT lab in China. It includes desktop applications, Linux system management, kernel research, embedded systems, open source and other basic categories. Currently, Using VPN to achieve remote office is a common method. There are two main shortcomings of this method: first, to ensure that VPN users can access the Intranet at any time, the computers on the Intranet must be started up for a long time, resulting in a large amount of waste of resources. Second, after a user connects to a VPN, he can only use the remote computer as a member of the network neighbor to transmit data to each other.

Using Linux to achieve remote office can make up for the above two shortcomings of VPN: On-Demand boot, direct control and monitoring of remote computers, as well as remote computer desktop. In this method, a Linux server must be a machine connected to the Internet. It "acts as a gateway and a firewall and is responsible for waking up computers on the Intranet.

　　Environment Configuration

　　1. Install the wakelan Software

Wakelan is a Remote Wake-up program in Linux that can wake up a computer connected to a Linux server, and its Nic MAC address is the specified address. The command format is "wakelan MAC address ".

The Installation Method of wakelan is as follows:

# Tar wakelan-1.1.tar.gz
# Cd wakelan-1.1
#./Configure
# Make
# Make install

　　2. Add a broadcast route

In this actual working environment, machines in the LAN are connected to the eth1 Nic of the Linux server through a switch. To broadcast the entire LAN on a Linux server, add the following route:

# Route add-host route 255.255.255-dev eth1

Add the preceding route to/etc/rc. local. The route can be automatically added even if the Linux server restarts.

　　3. Configure DHCP

In the DHCP configuration file/etc/dhcpd. in conf, specify the IP address, Domain Server address, domain name, gateway, DNS server, and other information of the Intranet Windows machine so that it can automatically obtain the specified IP address after it is started. Of course, if each computer has a fixed IP address, the DHCP service configuration process can be ignored.

The configuration in/etc/dhcpd. conf is as follows:

Ddns-update-style ad-hoc;
Max-lease-time-1;
Default-lease-time-1;
Option subnet-mask limit 255.0;
Option broadcast-address 255.255.255.255.255;
Option routers 192.168.0.1;
Option domain-name-servers 192.168.0.1;
Option domain-name "home.net.cn ";
Subnet 192.168.0.0 netmask 255.255.255.0 {
Range 192.168.0.11 192.168.0.100;
Host platinum {
Hardware ethernet 00: 0a: e6: a9: 64: a2;
Fixed-address 192.168.0.2;
}
}

In the above configuration, the IP address of the PC named "platinum" is allocated to the specified MAC address, and the IP address of the fixed platinum is 192.168.0.2. If there are other machines, perform similar settings.

Run the "/etc/rc. d/init. dhcpd start" command to start the DHCP service.

　　4. Configure iptables and set the DNAT Function

The DNAT function transfers all connection requests that access specific ports of the Linux gateway to the corresponding ports of the specified machine on the Intranet (except for connection requests of Intranet users ).

Example:

# Iptables-a prerouting-t nat-p tcp-s! 192.168.0.0/24 -- dport 4899

-J DNAT -- to 192.168.0.2: 4899

In the preceding command, all connection requests that access port 4899 of the Linux gateway are forwarded to port 4899 of the host whose IP address is 192.168.0.2. 4899 is the default service port of the remote control program Radmin. You can add this command to the file/etc/rc. local to enable Linux to provide this function. You can also write a Firewall script that implements the same function and put it in/etc/rc. local for execution.

　　5. install remote control software on Intranet Windows

Commonly used remote control software includes pcAnywhere and Radmin. you can install one of them according to your preferences and use Radmin. The remote office computer and the controlled computer must install the software. The difference is that in addition to installing the software, the controlled computer also needs to start the server program.

　　6. Remotely wake up Intranet machines

The premise of remote start is that the Windows machine supports Nic wake-up and the BIOS settings must comply with the NIC wake-up standard. Log on to the Linux server using SSH wherever you can access the Internet and run the remote wakeup command:

# Wakelan 00: 0a: e6: a9: 64: a2

If the computer is started, the previous configuration is successful. To log on remotely, you must remember a bunch of hard-to-remember MAC addresses. This is troublesome and insecure. We can use Web services to improve this function.

　　Secure and convenient Web startup

If Apache and PHP have been installed in Linux, you can configure Apache and write PHP scripts to enable remote startup more securely.

　　1. Write a PHP script

Create a wakeup directory under Apache DocumentRoot, and create the index. php file under this directory. The content is as follows:

　　 Passthru ("/usr/local/bin/wakelan 00: 0a: e6: a9: 64: a2 ");
Echo "the computer platinum is starting ...";
?>

Now, you only need to enter a URL in your browser (set in Apache beforehand), for example, http://platinum.3322.org/wakup. This is convenient, but anyone can access it. It is still insecure. You need to add Apache authentication to solve this problem.

　　2. Add Apache Authentication

Modify the Apache configuration file/usr/local/apache2/conf/httpd. conf and add the following code:

　　
AllowOverride AuthConfig
　　

Create a. htaccess file in the wakeup directory and edit the file:

# Vi/usr/local/apache2/htdocs/wakeup/. htaccess
AuthName "Computer platinum starter"
AuthType Basic
AuthUserFile/usr/local/apache2/apache. users
Require user platinum

　　3. Create a password file

Next, create an apache. users file for storing passwords:

Root @ server # htpasswd-c/usr/local/apache2/apache. users platinum
New password:
Re-type new password:
Adding password for user platinum

The password in the apache. users file is encrypted. When the password is changed, the htpasswd command is still used without the "-c" parameter.
To make the configuration take effect, you must restart the Apache service. Then, use http://platinum.3322.org/wakeup to authenticate the password (SEE ). People who do not know the password cannot enter the system to enable the specified computer.

Enable remote computer authentication Screen

　　Start remote control

After remotely starting the computer through the above method, start the remote control software installed in advance and enter the address of the Linux server to operate the remote computer platinum. After the operation is complete, if you no longer need the computer to continue working, you can use the remote control software to close the remote computer, avoiding the waste of resources.