Implement IP masquerading in Linux

Source: Internet
Author: User

Tools used: 1. the ipchains firewall; 2. Netfilter.


In Linux, IP masquerading can be achieved through the ipchains firewall.
1. Using the ipchains firewall
If you use ipchains to implement IP masquerading, you need to add a masquerading rule to the forward chain. In the following example, the host connected to the Internet (the firewall) reaches the Internet through its first Ethernet device, eth0. If you connect to the ISP through a modem, the network interface is instead the first PPP interface, ppp0. The second command appends (-A) a rule with the target (-j) MASQ (masquerade) to the forward chain for the interface (-i) eth0. Hosts on the LAN must specify the connected system (the firewall) as their gateway. The last command enables IP forwarding. To enable IP masquerading through the Firewalling item in Linuxconf instead, select forward firewalling for the forwarding rule that you want to add and check the do masquerade box.

ipchains -P forward DENY
ipchains -A forward -i eth0 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward

IP masquerading is commonly used to let computers on a private network access the Internet. These can be home networks or computers in small networks. In such a network, there may be only one computer connected to the Internet and only one Internet address. Local private networks can use the addresses allocated for private networks (10., 172.16. or 192.168.). In a typical setup, the firewall has two Ethernet cards: one is the LAN interface (eth1), and the other is the Internet interface (eth0; when dialing in to the ISP through a modem this will be ppp0 instead). The network adapter connected to the Internet (eth0) is assigned an Internet address. The Ethernet interface eth1 is the firewall's Ethernet card on the local network. The user's private network uses 192.168.1. addresses, and the firewall's Ethernet card is assigned 192.168.1.1 as its IP address. In effect, this network interface makes the firewall the local gateway. Then configure the firewall to masquerade all packets from the private network.

The user's local network uses its own domain name server to identify the computers on the network (including the firewall). Each local host uses the firewall as its specified gateway. Do not use IP aliasing to assign both the firewall's local address and the Internet IP address to the same physical interface. It is better for them to use different network interfaces, which minimizes exposure to attack: for example, two Ethernet NICs, or one Ethernet NIC and one modem (ppp0).

2. Using Netfilter to implement IP masquerading (NAT and iptables)
In Netfilter, IP masquerading is a NAT operation and is no longer integrated into packet filtering as it was in ipchains. The masquerading commands are placed in the NAT table, and the packet filtering commands are handled separately. To implement IP masquerading through Netfilter, first make sure that the iptable_nat module is loaded (it can also be built into the kernel):

modprobe iptable_nat
Then use iptables to place a masquerading rule in the NAT table. First, use the -t nat option to reference the NAT table. Append the rule to the POSTROUTING chain, use the -o option to specify the output device, and use the -j option with the MASQUERADE target.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Finally, enable IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward


The above uses the ipchains firewall and Netfilter to implement IP masquerading. Note that in iptables, IP masquerading is no longer linked with the FORWARD rules. Therefore, if you specify a DROP policy for the FORWARD chain, you must first explicitly allow forwarding for the networks that require IP masquerading. You need rules in both the POSTROUTING and FORWARD chains for it to take effect.

I'm exhausted! In the spirit of freedom, this can be reproduced at will. You do not need to pay a copyright fee.
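The requirement that a FORWARD policy of DROP be paired with explicit FORWARD rules is shown here as an added example (not part of the original article). It prints a ruleset for the two-interface topology described earlier and checks an iptables-save dump for a masqueraded interface that has no matching FORWARD accept. The function names, the interface roles and the 192.168.1.0/24 prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed topology, following
# the article's description: eth0 = Internet, eth1 = LAN 192.168.1.0/24.
# Print an iptables-restore ruleset: MASQUERADE in the nat table plus explicit
# FORWARD accepts in the filter table, because the FORWARD policy is DROP.
masq_ruleset() {
    wan=$1; lan=$2; net=$3
    if [ -z "$wan" ] || [ -z "$lan" ] || [ -z "$net" ]; then
        echo "usage: masq_ruleset WAN_IF LAN_IF LAN_CIDR" >&2; return 2
    fi
    # The article advises separate interfaces for the LAN and Internet sides.
    if [ "$wan" = "$lan" ]; then
        echo "WAN and LAN must be different interfaces" >&2; return 1
    fi
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin. With FORWARD policy DROP, each masqueraded
# output interface needs a FORWARD ACCEPT rule; print those lacking one, return 1.
check_masq_forward() {
    awk '
        function opt(name,   i) {   # value that follows option "name"
            for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
            return ""
        }
        $1 ~ /^\*/ { tbl = $1 }     # table header: *nat, *filter, ...
        tbl == "*filter" && $1 == ":FORWARD" { drop = ($2 == "DROP") }
        tbl == "*nat" && $2 == "POSTROUTING" && $NF == "MASQUERADE" { masq[opt("-o")] = 1 }
        # Rules limited to established traffic do not admit new connections.
        tbl == "*filter" && $2 == "FORWARD" && $NF == "ACCEPT" && !(/state/ && !/NEW/) {
            fwd[opt("-o")] = 1      # "" means the rule matches any output interface
        }
        END {
            for (i in masq) if (drop && !(i in fwd) && !("" in fwd)) { print i; bad = 1 }
            exit bad + 0
        }'
}

masq_ruleset eth0 eth1 192.168.1.0/24 | check_masq_forward && echo "FORWARD rules cover eth0"
```

Check the generated ruleset with `iptables-restore --test` before loading it; loading replaces the current contents of the nat and filter tables.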
