Implement router and packet filtering firewall in Linux

Source: Internet
Author: User
Routers and firewalls

A router is a device widely used between IP segments, and there are many ready-made products on the market. In practice, routers are most often used to connect a LAN to a WAN, and most router products are designed around that need. As a user's IP network grows, however, a router that can join several Ethernet segments is needed. Traditional router products occasionally offer a dual-Ethernet interface, but such a product is especially expensive, and if it must also support Fast Ethernet the price becomes astronomical. Layer-3 switches can do this job, but they are not cheap either.

When a router receives a packet on a port, it looks up the packet's destination IP address in its routing table and decides which port to forward the packet to. A router's routing table holds several kinds of routes. The first is derived from the IP address and subnet mask of each of the router's own ports; this is called a "fixed route". The second is entered by the system administrator for a subnet that must be reached through a next-hop router; this is called a "static route". Third, in a network with several routers, each router can broadcast its routing information so that the routers learn from one another; a learned route is called a "dynamic route". Finally, the router forwards packets whose destination address matches nothing in its routing table to a preset next-hop IP address, the "default route". When matching a route, the general order of priority is: fixed routes > static routes > dynamic routes > default routes.

A router looks only at the destination address of an IP packet. In principle, then, a router "accepts everything": it forwards every packet unless it has no way to send it on. If the router is made to perform a check as it forwards, inspecting the packet's source and the application-layer service the packet is requesting, and deciding according to pre-designed rules whether the packet should be forwarded or handled otherwise, it is no longer a router in the simple sense; it has become a kind of firewall, a packet filtering firewall.

A packet filtering firewall can inspect a packet's source address, source port, destination address, destination port and transport-layer protocol type, and match the inspected fields against a rule table; when a rule matches, the action defined in that rule is carried out. The rule table can generally define the following actions: ACCEPT (let the packet through), NAT (MASQ, address translation), DENY (discard the packet) and REJECT (discard the packet and at the same time send an "unreachable" message back to the source).

Of course, off-the-shelf products that support packet filtering can also be bought on the market, but price remains an important factor to consider, and most such products also carry many licensing and performance restrictions.

Linux was born on the IP network. Apart from its price advantage, the most attractive thing about Linux is its built-in, powerful networking: besides the various Internet application services, Linux also provides complete router and firewall functions. The cost-to-function ratio this gives a system is very attractive. Why not give it a try?
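As an added example (not from the article), the script below turns a Linux box with three Ethernet ports into the multi-segment packet filtering router described above, using iptables as the rule table with the four actions discussed: ACCEPT, NAT (MASQUERADE), DENY (DROP) and REJECT. The interface names eth0/eth1/eth2 and their roles are assumptions; setting IPT=echo and SYSCTL=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the article). Constructed setup: one Linux box with
# three Ethernet ports: eth0 upstream (default route), eth1 and eth2 two LAN
# segments. Interface names are assumptions. Run "sh router-fw.sh apply" as
# root; set IPT=echo SYSCTL=echo to print the commands instead of running them.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
WAN=eth0
LAN1=eth1
LAN2=eth2

enable_routing() {
    # The kernel forwards packets between interfaces only when this is on.
    $SYSCTL -w net.ipv4.ip_forward=1
}

build_rules() {
    # Forwarded packets that match no rule are discarded (the article's DENY).
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Replies belonging to connections already accepted may pass back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The table is searched top-down and the first match wins, so the narrow
    # REJECT/DROP rules must precede the broad ACCEPT rules below.
    # REJECT: refuse telnet from LAN2 to LAN1 and tell the source why.
    $IPT -A FORWARD -i $LAN2 -o $LAN1 -p tcp --dport 23 \
         -j REJECT --reject-with icmp-port-unreachable
    # DENY: silently drop SMB from either LAN toward the upstream link.
    $IPT -A FORWARD -o $WAN -p tcp --dport 445 -j DROP
    # ACCEPT: the two LANs may reach each other and the upstream link.
    $IPT -A FORWARD -i $LAN1 -o $LAN2 -j ACCEPT
    $IPT -A FORWARD -i $LAN2 -o $LAN1 -j ACCEPT
    $IPT -A FORWARD -i $LAN1 -o $WAN -j ACCEPT
    $IPT -A FORWARD -i $LAN2 -o $WAN -j ACCEPT
    # NAT (the article's MASQ): rewrite private source addresses on the way out.
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

case "${1:-}" in
    apply) enable_routing && build_rules ;;
esac
```

Because the rule table is matched top-down, reordering the REJECT rule after the LAN2-to-LAN1 ACCEPT rule would silently make it dead, which is the most common mistake when extending such a script.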