I am not an expert. I have written down some of my personal experiences with Linux; I am sharing them for your reference only.
The simplest way to maintain network security is to ensure that the hosts on the network are not exposed to the outside at all. The easiest way to achieve that is never to connect your network to a public network such as the Internet. This isolation-based security policy is unacceptable in many cases, however. Using private IP addresses is a simple and feasible alternative that can prevent attackers on the Internet from reaching users' private computers.
RFC1918 specifies the IP address ranges that can be used for local TCP/IP networks. Internet routers do not forward these addresses; because they are never routed over the Internet, you do not have to register them. By assigning addresses from these ranges, you effectively confine network traffic to the local network. This is a fast and effective way to deny access from external computers while still allowing data to flow between internal computers. (All official Internet standards are published as RFCs, Requests for Comments.)
Private IP addresses cannot be routed over the Internet, so a system that uses one cannot access the Internet directly. This problem can be solved by setting up an IP masquerading server (a Linux server). When a packet leaves a user's computer it carries that computer's own IP address as the source address; the Linux server replaces this with its own address when it sends the packet out to the outside world. At the same time the server records which private source address sent the packet to which destination address on the Internet. The packet can then travel across the Internet, reach the target address and obtain a response.
This arrangement has one complication. Because the source address of the packet is now the server's IP address rather than that of the user's computer behind the server, the response from the external computer is sent back to the server. To complete the delivery, the Linux server must therefore look up its table to determine which computer the packet belongs to, rewrite the address back to that of the private user computer and forward the packet to that computer. In this way, packets from a computer with a private IP address can effectively be transmitted over the Internet. This is why IP masquerading is also referred to as network address translation (NAT).
By default, IP masquerading is compiled into the Linux kernel. If you have removed this feature from the kernel, or are using a kernel without built-in IP masquerading, you need to recompile the kernel and then set up packet filtering rules to allow the translation. For IP masquerading to work, you must also enable IP forwarding on the server. You can do so by setting FORWARD_IPV4=yes in the /etc/sysconfig/network file.
To connect the internal network to the outside world, the IP masquerading server needs two network interfaces: one connects the server to the internal network, the other connects it to the outside world. For example, the external interface can be configured with:

/sbin/ifconfig eth1 inet 211.123.1.1 netmask 255.255.255.0
Set the user computers' IP addresses to 192.168.1.2 through 192.168.1.254, with the gateway of every user computer set to 192.168.1.1 and the netmask to 255.255.255.0. This means that all the computers can communicate with each other. Then add the following rules:

/sbin/ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
/sbin/ipchains -P forward DENY
The first command enables the IP masquerading service for IP datagrams whose destination address is not in 192.168.1.0/24: it translates packets originating from the 192.168.1.0 network and sends them out through the other network interface to the network's default router. The second command sets the default forwarding policy to reject all packets that do not come from the internal network. The commands above can be placed in /etc/rc.d/rc.local so that IP masquerading is started when the server boots.
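The translation table described above (the server recording which private source sent a packet to which destination, then using that record to deliver the reply, and dropping anything it has no record of) modelled as an added example in Python. This is illustrative code, not from the original article; the port-based tracking, the sample addresses and the generic RFC1918 check are assumptions and go slightly beyond the text.

```python
import ipaddress

# Constructed values for the model: the masquerading server's public address
# and the RFC1918 network used internally, matching the article's example.
SERVER_IP = "211.123.1.1"
INTERNAL = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls in one of the RFC1918 ranges (never routed on the Internet)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class Masquerader:
    """Tracks outbound connections so replies can be sent back to the right private host.
    Hypothetical model: real masquerading keys its table on a rewritten source port."""

    def __init__(self, first_port=61000):
        self.table = {}            # masquerade port -> (orig_src, orig_sport, dst, dport)
        self.next_port = first_port

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the internal network; returns the rewritten packet or None if denied."""
        if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
            return None            # default policy DENY: only internal -> external is masqueraded
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, sport, dst, dport)
        return (SERVER_IP, port, dst, dport)   # source now appears to be the server

    def inbound(self, src, sport, dst, dport):
        """Reply arriving from the Internet addressed to the server; None if unsolicited."""
        entry = self.table.get(dport)
        if dst != SERVER_IP or entry is None or (src, sport) != (entry[2], entry[3]):
            return None            # nothing matches a recorded outbound packet: drop it
        orig_src, orig_sport, _, _ = entry
        return (src, sport, orig_src, orig_sport)   # delivered to the private host
```

Because an inbound packet is only delivered when it matches a recorded outbound one, an external host cannot reach a private computer that has not first contacted it, which is the protective effect the article describes.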
Because I wrote this in a hurry, it may be incomplete and messy.