Implementing a Linux firewall to make remote office work more secure
Currently, remote office work is commonly implemented via VPN. This method has two main shortcomings: first, to ensure that VPN users can reach the intranet at any time, the intranet computers must stay powered on for long periods, which wastes a great deal of resources. Second, once a user connects to the VPN, the remote computer appears only as a member of Network Neighborhood, so all the user can do is transfer files back and forth.
Using Linux to implement remote office work makes up for both shortcomings of VPN: computers are booted on demand, the remote computer can be controlled and monitored directly, and its desktop is available remotely. In this method, a Linux server connected to the Internet acts as the gateway and firewall and is responsible for waking up the computers on the intranet.
Environment Configuration
1. Install the wakelan Software
wakelan is a remote wake-up (Wake-on-LAN) program for Linux. It wakes up a computer attached to the same network as the Linux server whose network card has the specified MAC address. The command format is "wakelan <MAC address>".
The installation method of wakelan is as follows:
# tar xzf wakelan-1.1.tar.gz
# cd wakelan-1.1
# ./configure
# make
# make install
2. Add a broadcast route
In the working environment described here, the machines on the LAN are connected through a switch to the eth1 network card of the Linux server. To let the Linux server broadcast to the entire LAN, add the following route:
# route add -host 255.255.255.255 dev eth1
Add the preceding route to /etc/rc.local so that it is added automatically whenever the Linux server restarts.
3. Configure DHCP
In the DHCP configuration file /etc/dhcpd.conf, specify the IP address, domain server address, domain name, gateway, DNS server and other information for the intranet Windows machine so that it automatically obtains the specified IP address after it starts. Of course, if each computer has a fixed IP address, the DHCP configuration can be skipped.
The configuration in /etc/dhcpd.conf is as follows:
In the above configuration, a fixed IP address is assigned to the PC named "platinum" by its MAC address; platinum's fixed IP address is 192.168.0.2. If there are other machines, configure them in the same way.
Run "/etc/rc.d/init.d/dhcpd start" to start the DHCP service.
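The article's own dhcpd.conf listing is not reproduced on this page. The following is an added example, not the article's configuration, written in ISC dhcpd syntax to do what the text describes: a dynamic pool for the intranet plus a fixed address for platinum. The host name, its MAC 00:0a:e6:a9:64:a2 and the address 192.168.0.2 come from the article; the gateway and DNS address 192.168.0.1, the domain name office.example and the pool range are assumptions.

```conf
# Added example dhcpd.conf (not the article's own listing).
# Assumed values: gateway/DNS 192.168.0.1, domain office.example, pool range.
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    option domain-name "office.example";
    range 192.168.0.100 192.168.0.200;
}

# Fixed address for the machine that will be woken remotely. Binding the
# address to the MAC matters because the DNAT rule below targets 192.168.0.2;
# if platinum received a different address, the forwarded port would reach
# whichever machine happened to get 192.168.0.2 instead.
host platinum {
    hardware ethernet 00:0a:e6:a9:64:a2;
    fixed-address 192.168.0.2;
}
```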
4. Configure iptables and set the DNAT Function
DNAT forwards all connection requests that arrive at specific ports of the Linux gateway to the corresponding ports of a specified machine on the intranet (connection requests from intranet users themselves are not redirected).
In the preceding command, all connection requests to port 4899 of the Linux gateway are forwarded to port 4899 of the host with IP address 192.168.0.2; 4899 is the default service port of the remote control program Radmin. Add this command to /etc/rc.local so that Linux provides this function after every boot, or write a firewall script that does the same thing and run it from /etc/rc.local.
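The iptables command itself is not reproduced on this page. As an added example (not the article's own firewall script), the script below implements the DNAT rule the text describes together with the FORWARD rules it needs. It assumes eth0 is the Internet-facing interface and eth1 the LAN interface (the article only names eth1); the intranet host 192.168.0.2 and Radmin's port 4899 come from the article. Setting IPTABLES=echo previews the rules without applying them.

```shell
#!/bin/sh
# Added example firewall fragment (not from the article).
# Assumptions: WAN interface eth0, LAN interface eth1; 192.168.0.2:4899 is the
# Radmin host and port named in the article.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
TARGET=192.168.0.2
PORT=4899

dnat_rules() {
    # Redirect only what arrives on the WAN interface: the "-i $WAN_IF" match
    # is what leaves intranet users' own connections untouched.
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$TARGET:$PORT"
    # DNAT only rewrites the destination; the forwarded packets still have to
    # be accepted. Allow the redirected connection in and its replies out, and
    # nothing else for this port.
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TARGET" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$TARGET" --sport "$PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

enable_forwarding() {
    # The kernel drops forwarded packets unless IP forwarding is switched on.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: ./dnat.sh show   (print the rules)   or   ./dnat.sh apply
case "${1:-}" in
    show)  IPTABLES=echo; dnat_rules ;;
    apply) enable_forwarding; dnat_rules ;;
esac
```

Run it from /etc/rc.local with the "apply" argument. Port 4899 is then reachable from the whole Internet; if the remote office connects from a fixed address, add a matching "-s" option to each rule so that only that address can reach the Radmin service.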
5. Install remote control software on the intranet Windows machine
Commonly used remote control software includes pcAnywhere and Radmin; install whichever you prefer. Radmin is used here. The software must be installed on both the remote office computer and the controlled computer; the difference is that the controlled computer must also run the server program.
6. Remotely wake up Intranet machines
Remote start-up requires that the Windows machine supports wake-on-LAN and that its BIOS is configured for network-card wake-up. From anywhere with Internet access, log on to the Linux server via SSH and run the remote wake-up command:
# wakelan 00:0a:e6:a9:64:a2
If the computer starts, the preceding configuration is successful. However, to log on remotely this way you must remember a set of hard-to-remember MAC addresses, which is both troublesome and insecure. A Web service can improve on this.
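As an added example (not part of the article and not wakelan's own code), the script below shows what the wakelan step above sends and wraps the tool so that a machine is woken by name instead of by MAC address. It assumes wakelan is installed at /usr/local/bin/wakelan as in the article; the name-to-MAC table is constructed for this example, and only the "platinum" entry is taken from the article.

```shell
#!/bin/sh
# Added example wrapper around wakelan (not from the article).
# Assumption: wakelan lives at /usr/local/bin/wakelan.
WAKELAN=${WAKELAN:-/usr/local/bin/wakelan}

# Constructed host table, one "name mac" pair per line; only platinum's entry
# comes from the article.
HOSTS='platinum 00:0a:e6:a9:64:a2
accounting 00:0a:e6:11:22:33'

# Print the MAC for a host name; fail if the name is unknown.
mac_for_host() {
    printf '%s\n' "$HOSTS" | awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# Accept only a well-formed MAC (six colon-separated hex pairs) before it is
# handed to any command.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# What wakelan puts on the wire: a UDP "magic packet" of six 0xff bytes followed
# by the target MAC repeated sixteen times (102 bytes). Printed as hex so the
# format can be inspected without a network.
magic_packet_hex() {
    valid_mac "$1" || return 1
    mac=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    hex=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do
        hex="$hex$mac"
        i=$((i + 1))
    done
    printf '%s\n' "$hex"
}

# Resolve the name, validate the MAC, then call wakelan.
wake_host() {
    mac=$(mac_for_host "$1") || { echo "unknown host: $1" >&2; return 1; }
    valid_mac "$mac" || { echo "malformed MAC for $1: $mac" >&2; return 1; }
    "$WAKELAN" "$mac"
}

# Usage: ./wake.sh platinum
if [ $# -eq 1 ]; then
    wake_host "$1"
fi
```

Because the MAC never comes from the caller, only from the table, the same wrapper can later sit behind the Web page described in the next section without the page having to pass user input through to a command.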
Secure and convenient Web startup
If Apache and PHP are installed on the Linux server, you can configure Apache and write a PHP script to make remote start-up both more convenient and more secure.
1. Write a PHP script
Create a wakeup directory under the Apache DocumentRoot and create the file index.php in it with the following content:
<?php
passthru("/usr/local/bin/wakelan 00:0a:e6:a9:64:a2");
echo "The computer platinum is starting...";
?>
Now you only need to enter a URL in your browser (configured in Apache beforehand), for example http://platinum.3322.org/wakeup. This is convenient, but anyone can access it, so it is still insecure. Adding Apache authentication solves this problem.
2. Add Apache Authentication
Modify the Apache configuration file /usr/local/apache2/conf/httpd.conf and add the following directive:
AllowOverride AuthConfig
Create a .htaccess file in the wakeup directory and edit it:
Next, create the apache.users file that stores the passwords:
root@server# htpasswd -c /usr/local/apache2/apache.users platinum
New password:
Re-type new password:
Adding password for user platinum
The passwords in apache.users are stored in encrypted (hashed) form. To change a password, run htpasswd again without the "-c" parameter ("-c" creates a new file and would overwrite the existing one).
To make the configuration take effect, restart the Apache service. Visiting http://platinum.3322.org/wakeup now prompts for a password (see the figure below). Anyone who does not know the password cannot get in to start the specified computer.
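The .htaccess content is not reproduced on this page. As an added example (not from the article), the script below writes a .htaccess for the wakeup directory and checks the one thing that most often goes wrong with this setup: the password file must not sit under DocumentRoot, or Apache will serve it. It assumes DocumentRoot is /usr/local/apache2/htdocs (the default for that Apache layout) and uses the user file /usr/local/apache2/apache.users from the article; the directives are Apache 2.0/2.2 syntax.

```shell
#!/bin/sh
# Added example (not the article's own .htaccess).
# Assumptions: DocumentRoot /usr/local/apache2/htdocs; user file path from the article.
DOCROOT=${DOCROOT:-/usr/local/apache2/htdocs}
USERFILE=${USERFILE:-/usr/local/apache2/apache.users}

# Write a .htaccess into the given directory that admits one named user rather
# than any valid user, so that adding accounts to apache.users later does not
# silently widen access to the wake-up page.
write_htaccess() {
    dir=$1
    user=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Remote wake-up"
AuthUserFile $USERFILE
Require user $user
EOF
}

# Return 0 if the password file (first argument) is outside DocumentRoot
# (second argument), i.e. Apache cannot serve it to a browser.
userfile_outside_docroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: ./protect.sh /usr/local/apache2/htdocs/wakeup platinum
if [ $# -eq 2 ]; then
    userfile_outside_docroot "$USERFILE" "$DOCROOT" || {
        echo "password file $USERFILE must not be under DocumentRoot $DOCROOT" >&2
        exit 1
    }
    write_htaccess "$1" "$2"
fi
```

The "AllowOverride AuthConfig" line from the article must be inside the <Directory> block for DocumentRoot in httpd.conf, otherwise the .htaccess is ignored and the page stays open. Basic authentication only encodes the password in transit, so if the wake-up URL is reached over the open Internet it should be served over HTTPS (mod_ssl) rather than plain HTTP.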
[Figure: remote computer wake-up authentication screen]
Start remote control
After starting the computer remotely as described above, start the remote control software installed earlier and enter the address of the Linux server to operate the remote computer platinum. When you are done, if the computer is no longer needed, shut it down through the remote control software to avoid wasting resources.