Linux-based campus network billing system

Source: Internet
Author: User
1. Overview
  
As one of the five main functions of network management, accounting management measures and controls the cost of network operation and records the use of network resources. Since CERNET fixed the principles for charging for the use of network resources and for sharing the international communication fee, with the international fee charged to each connected organization, billing management has become particularly important in network management, and the billing system plays an important role in it.
  
During the construction of the campus network, the author developed HNUMS, a user management and billing system for the Hangzhou campus network. Using Linux, C programming and packet filtering, it implements user-based traffic management software that supports multiple network egresses (CERNET, ChinaNet, ...) and a variety of billing standards. The billing system has the following features: users can freely select the network egress and customize their own firewall rules, and the number of clients that can be accommodated is scalable, making it suitable for campus networks of all sizes.
  
2. Campus Network Billing Management
  
In essence, billing management of a campus network measures the usage of campus network resources in some way and then calculates the corresponding fee according to a predefined price. Measurement is generally based on time or on traffic; most campus networks in China use the pay-by-traffic method.
  
A popular campus network traffic billing method today is "IP-based billing management": the data traffic of each client IP address is collected on the campus network and the fee is calculated from the unit price. This method is pay-as-you-go, completely transparent to users, and its data collection is easy to implement. However, the billing object is an IP address, which invites IP address theft to evade billing. Some schools use more capable switches to bind switch ports to IP addresses. This restricts IP theft to some extent, although it cannot eliminate it (on Linux the MAC address can be changed with ifconfig, and on Windows by editing a registry value), and it means users can only access the Internet from the bound computer. Because the charge is tied to a network card rather than to a person, some students or staff use "public" machines to access the Internet without paying. These disadvantages make campus network billing very difficult, and national or collective interests suffer.
  
A more advanced campus network traffic billing method is "user-based billing management" (for example, Tsinghua University's user management system, http://usereg.tsinghua.edu.cn/), in which user traffic is collected on the campus network by means of user authentication. The advantage of this method is that it is "people-oriented": user traffic is independent of the machine used, billing is the same whether access is by dial-up or leased line, from the computing center or from a student dormitory, and whoever uses the Internet pays, which is fair and reasonable. Through user authentication this method effectively prevents IP address theft, which greatly reduces the burden on network management and avoids the loss of national interests.
  
3. Design and Implementation of HNUMS
  
The key to implementing user-based billing management is the collection and storage of per-user traffic information. The datagrams collected at the lower layers of the network only carry IP address information; a user name cannot be extracted from the data segment of a datagram, so "user information" must be collected at the application layer. HNUMS, developed by the author, is a network management and billing system that combines application-layer user authentication with lower-layer IP data traffic and features distributed processing.
  
① User Authentication
  
HNUMS uses real-time authentication to ensure the legitimacy of user identity. To this end, a client user authentication program was designed. After the user submits identity information, the HNUMS server verifies the user: if the user name, password, IP address, MAC address and other information match, the server lets the user through. If verification fails because the user name or password is incorrect, or the prepaid balance is below the minimum deposit, the server refuses service.
To protect the system and user data, the client authentication program communicates with the server in ciphertext, and the keys are randomly generated. Consequently, even for the same user and the same password, the key generated for each session and the resulting ciphertext are completely different, which greatly increases the difficulty of deciphering them.
  
② User access control
  
To implement user access control, the proxy server must intercept user data packets before performing the proxy function and compare them with the defined access rules; only matching packets are allowed through, and the rest are discarded. The intercepted user information includes the user name, password, the IP address the user is currently accessing the Internet from, and the IP address of the site the user wants to reach, so that access to certain prohibited websites can be blocked and the system can determine whether the destination IP address is domestic. The user name and password are obtained through the server's authentication program, which is written in C and uses a multiplexed socket model to listen for user requests on a specific port. The source IP address, source port, protocol, destination IP address and destination port of the user's packets are handled by Netfilter, the powerful firewall framework in the Linux 2.4.x kernel. Its working principle is as follows.
  
Netfilter provides five hooks: PRE (PRE_ROUTING), IN (LOCAL_IN), FWD (FORWARD), OUT (LOCAL_OUT) and POST (POST_ROUTING). HNUMS intercepts user data packets at PRE and transforms them as required, matches rules at FWD (one rule per user; a packet that matches no rule is discarded), and performs network address translation (NAT) at POST before the packet is sent out. The purpose of NAT is to solve the problem of insufficient IP addresses.
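As an added illustration (not HNUMS code, which the article does not include), the following C sketch models the FWD decision described above in user space: one rule per authenticated user, bound to the source IP the user logged in from, carrying the services the user enabled (section 4②) and per-user domestic/international byte counters that feed the traffic fee. The domestic prefix table, the rates and the user data are constructed examples.

```c
#include <stdint.h>
#include <stddef.h>

enum verdict { DROP = 0, ACCEPT = 1 };
enum zone { DOMESTIC = 0, INTERNATIONAL = 1 };
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One authenticated user = one FORWARD rule (assumed layout, not the HNUMS structure). */
struct user_rule {
    const char *name;
    uint32_t src_ip;            /* IP the user authenticated from; other IPs are not this user */
    uint16_t allowed_ports[4];  /* services the user enabled, 0-terminated */
    int allow_international;    /* user may disable international traffic to avoid the higher fee */
    uint64_t bytes[2];          /* per-user counters, indexed by enum zone, used for billing */
};
struct packet { uint32_t src_ip, dst_ip; uint16_t dst_port; uint32_t len; };

/* Constructed stand-in for the domestic (CERNET) address list used to classify destinations. */
static const struct { uint32_t net; int bits; } domestic_nets[] = {
    { IP4(202, 112, 0, 0), 13 },
    { IP4(210, 32, 0, 0), 12 },
};
static enum zone zone_of(uint32_t ip) {
    for (size_t i = 0; i < sizeof domestic_nets / sizeof domestic_nets[0]; i++) {
        uint32_t mask = ~0u << (32 - domestic_nets[i].bits);
        if ((ip & mask) == (domestic_nets[i].net & mask)) return DOMESTIC;
    }
    return INTERNATIONAL;
}

/* FORWARD-hook decision: find the rule owned by the packet's source IP, check destination
 * zone and service, and account the bytes to that user on ACCEPT. No rule, or a failed rule, drops. */
enum verdict forward_hook(struct user_rule *users, size_t n, const struct packet *p) {
    for (size_t i = 0; i < n; i++) {
        struct user_rule *u = &users[i];
        if (u->src_ip != p->src_ip) continue;
        enum zone z = zone_of(p->dst_ip);
        if (z == INTERNATIONAL && !u->allow_international) return DROP;
        for (int k = 0; k < 4 && u->allowed_ports[k] != 0; k++) {
            if (u->allowed_ports[k] == p->dst_port) { u->bytes[z] += p->len; return ACCEPT; }
        }
        return DROP;  /* service not enabled by this user */
    }
    return DROP;      /* no authenticated user owns this source IP */
}

/* Fee in fen (0.01 yuan) from the counters, with separate per-KB rates for the two zones
 * (constructed rates, not the real CERNET tariff). */
uint64_t fee_fen(const struct user_rule *u, uint64_t dom_rate_per_kb, uint64_t intl_rate_per_kb) {
    return (u->bytes[DOMESTIC] * dom_rate_per_kb + u->bytes[INTERNATIONAL] * intl_rate_per_kb) / 1024;
}
```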
  
4. HNUMS features
  
① Distributed Multi-Level forwarding service
A notable feature of HNUMS is its distributed proxy forwarding, which can meet the needs of various network loads and of multiple network egresses of different capacities. Following the principle of "centralized billing, distributed proxying", a dedicated server is responsible for user authentication and traffic fees, while the other servers are responsible for packet forwarding and collection of user traffic. When the load capacity of one proxy server is insufficient, several proxy servers can work simultaneously, each serving a different network segment, so the network load is distributed. Practice has shown that one proxy server can handle about ... computers online at the same time, and the number of proxy servers can be configured accordingly. The number of clients HNUMS can accommodate is therefore scalable, which is the essential difference between HNUMS and the popular proxy-based traffic billing products.
  
② Users define their own firewall rules
  
HNUMS allows users to define their own firewall rules: users can enable the services they want and disable unnecessary ones. This prevents most network attacks, especially DoS attacks, and at the same time avoids unnecessary international traffic, protecting users from losses.
  
③ Support for Network Address Translation (NAT)
  
With the continuous development and popularization of the Internet, IP addresses are increasingly scarce, and using internal addresses is a good solution. HNUMS uses the dual-homed host mode to support internal addresses: the internal network adapter accepts requests from IP users on the campus network, the external adapter has a valid Internet address, and user packets are translated (NAT) to the external address. The dual-homed host mode can effectively isolate a local area network from the campus network without changing the structure or IP addresses of the LAN: one only needs to connect the internal adapter of the HNUMS server to the LAN and the external adapter to the campus network, and use that adapter as the LAN's external gateway. LAN users then access the campus network or the Internet through the HNUMS proxy server, and the HNUMS billing system charges based on traffic.
  
5. Summary
  
Billing management of a campus network is very important, and the rationality, reliability and security of campus network billing are what users care about. Campus network billing is not just a technical problem; it also involves personnel, organization, policy, economics and other issues, and is worth further research and exploration. The HNUMS distributed billing proxy server developed by the author is still in the development and debugging stage. Due to space and time constraints, this article omits many technical details.