Linux converts 486 into an intranet firewall
Application Principle
In Linux, if one machine on a network is connected to the Internet, the other systems on that network can be configured to reach the Internet through that connection. In this way a single IP address lets several different systems use the Internet at the same time. This technique is called IP masquerading.
In Linux, IP masquerading is implemented with the ipchains firewall tool; configuring the firewall and configuring IP masquerading are in practice the same job. Current IP masquerading is integrated with the ipchains firewall and supports all the common network services, such as Web browsing, telnet, ping and gopher.
With IP masquerading, the machine that holds the Internet address also serves as the firewall and gateway for the LAN, and the local machines reach the Internet through the firewall's Internet address. A firewall that performs IP masquerading is also called a MASQ gate. The system connected to the Internet (the firewall) listens for Internet-bound requests from hosts on the local network. When it receives one, it replaces the source IP address of the local host with the firewall's own Internet address and sends the request on to the Internet, as though the request were its own. The response from the Internet is returned to the firewall's Internet address. The firewall then works out which local request the response belongs to, rewrites the destination address of the response back to that local host, and delivers it over the local network. To the local machines the connection is transparent, just as if they were connected directly to the Internet.
Implementation of Firewall
1. Hardware configuration
An old AST 486DX/66 computer with 8 MB of memory and an M hard disk is fitted with two NICs, connected to the internal LAN and to the backbone network respectively; the backbone network in turn connects to the China Earthquake Administration and to the Internet through a router.
2. Install Linux
First install the Linux system (I use Red Hat 6.0, and all examples are based on that version). The fewer components installed, the fewer backdoors and security vulnerabilities the system has, so a minimal installation is enough. Choose a stable kernel; this example uses the Linux 2.2.5-15 kernel.
The Linux kernel supports firewalling, and the tool used to configure it is called ipchains. With it we implement IP masquerading and proxying. Before ipchains can be used, firewall support must be compiled into the kernel; the Red Hat 6.0 kernel already includes it.
3. Configure the two NICs
Because the AST 486DX/66 has only EISA and ISA expansion slots, we bought two 3C509 (10 M) Ethernet cards. Use the card's configuration program (3c5x90000.exe) to set the interrupt number and I/O address, making sure they do not conflict with addresses already in use in the machine.
4. Configure the network address
We configure the IP address of eth0 as 210.72.114.141 (the valid IP address for connecting to the backbone network) and the IP address of eth1 as 10.3.15.2 (the address on the intranet), as shown in Figure 1.
[Figure 1: Configure the network address]
To bring the network up at boot, I added the files ifcfg-eth0 and ifcfg-eth1 in the /etc/sysconfig/network-scripts directory (contents omitted). The system reads these two files at startup and configures the interfaces and the routing table.
5. Test
Use ifconfig and route to verify the configuration. The details of the test are omitted.
Set up the IP MASQ gate
To implement IP masquerading, use ipchains to specify the forwarding rules. Before that, enable kernel IP forwarding so that the system will forward packets, then configure the routing table so that the intranet and the external network can communicate, with every access subject to our control.
Implementation: in the /etc/rc.d directory, create a script named ipchains.rules (run chmod u+x ipchains.rules as root to make it executable; its contents are omitted here). Then add the line /etc/rc.d/ipchains.rules to /etc/rc.d/rc.local so that the firewall rules are loaded every time the machine restarts. This establishes a packet-filtering firewall based on ipchains and IP masquerading.
Security
The settings above give a basic firewall that blocks IP spoofing and broadcast packets. To build a complete firewall system, however, pay attention to the following four points.
1. Edit /etc/inetd.conf to disable every service that is not needed, such as all the r-commands, finger and talk. Usually only ftp and telnet are kept, for internal maintenance. At the same time, set /etc/hosts.allow and /etc/hosts.deny so that only a few internal administrative users can telnet or ftp to the firewall. The safer course, of course, is to disable all inetd services; for ftp and telnet, for instance, we can install SSH and use ssh/scp instead.
2. Enable shadow passwords, which makes it harder for a remote user to obtain the root password.
3. Run ntsysv to check whether any unnecessary daemons are started at boot.
4. Create as few user accounts as possible, and keep upgrading packages that have security vulnerabilities.
Application Experience
Using the Red Hat 6.0 Linux operating system and the packet-filtering firewall built on the AST 486, we have made effective use of existing hardware: the local area network, built on Windows NT Server 4.0, connects smoothly to the Jiangxi earthquake information network platform. This effectively protects the security of the internal network without hindering Internet access, and it also serves the satellite communication channel well, playing a good role in the rapid transmission of seismic information.
At present many organisations and households have retired their 486 or 586 (first-generation Pentium) computers. Although these machines are no longer suited to increasingly demanding desktop applications, a Linux installation turns them into a good firewall, sufficient for Internet access of less than 2 MB. If the hardware allows, a transparent proxy can also be configured to provide Internet caching, saving bandwidth and improving access efficiency.