In some systems, we want only certain IP addresses on the intranet to be able to connect to the Internet, and we want to prevent those IP addresses from being stolen by unauthorized users. You can achieve this with the following solutions:
- First, use ipchains or iptables to allow connections only from valid IP addresses.
Then create an IP/MAC binding for each valid IP address. To discuss this, we first need to understand how ARP, the Address Resolution Protocol, works. Its function and working principles are as follows:
In low-level network communication, two nodes must know the source and target MAC addresses before they can talk to each other. So that the system can quickly find the MAC address of a remote node, each local kernel keeps a lookup table called the ARP cache. The ARP cache maps the IP addresses of remote hosts to their corresponding MAC addresses. It is a data structure resident in memory, and its content is managed and maintained by the kernel of the local system. By default, the ARP cache retains the IP address (and MAC address) of each node the local system has communicated with in the last 10 minutes.
If the MAC address of a remote host is already in the ARP cache of the local host, converting the IP address of the remote node to its MAC address is not a problem. In many cases, however, the MAC address of the remote host is not in the local ARP cache. When you know the IP address of a remote host but its MAC address is not in the local ARP cache, the MAC address is obtained as follows: the local host sends a broadcast packet to all nodes on the network, asking which node has the IP address in question. One node (and only one) answers this ARP broadcast, and its response contains the MAC address of the remote host. After receiving the reply, the local node records the MAC address of the remote node in its ARP cache.
If we make the IP/MAC mapping fixed, that is, establish a static MAC mapping for each valid IP address, then even if an unauthorized user steals an IP address, the Linux router will not use ARP to ask for the MAC address when it responds to connection requests from that IP address. Instead, it sends the response data to the static MAC address configured on the Linux router. An attacker who has stolen the IP address therefore never receives the response data and cannot use the network service.
One way to create static IP/MAC bindings is to create an /etc/ethers file that contains the correct IP/MAC mappings. The format is as follows:
192.168.2.32 08:00:4E:B0:24:47
Then add the following line to /etc/rc.d/rc.local:
arp -f
That is all that is needed.
- With the 2.4 kernel, iptables can restrict by IP address and MAC address at the same time. You can use this feature so that the rules for valid IP addresses match both the IP address and the MAC address.
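
As an added example (not code from the original page), the Python sketch below parses bindings in the /etc/ethers layout shown above, reports ARP table entries that contradict a binding, and builds iptables rules that match source IP and MAC together with the mac match. The intranet interface name eth1, the function names and both sample inputs are assumptions constructed for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Constructed sample in the "IP MAC" layout shown above for /etc/ethers.
SAMPLE_ETHERS = """\
192.168.2.32 08:00:4E:B0:24:47
192.168.2.33 08:00:4E:B0:24:48
"""
# Constructed sample in the layout of /proc/net/arp on Linux.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.2.32     0x1         0x6         08:00:4e:b0:24:47     *        eth1
192.168.2.33     0x1         0x2         00:11:22:33:44:55     *        eth1
192.168.2.40     0x1         0x0         00:00:00:00:00:00     *        eth1
"""

def parse_bindings(text):
    """Return {ip: mac} from 'IP MAC' lines; reject malformed entries."""
    bindings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not MAC_RE.match(fields[1]):
            raise ValueError(f"line {n}: expected 'IP MAC'")
        ip = str(ipaddress.IPv4Address(fields[0]))  # raises on a bad address
        if ip in bindings:
            raise ValueError(f"line {n}: duplicate entry for {ip}")
        bindings[ip] = fields[1].lower()
    return bindings

def arp_mismatches(bindings, arp_text):
    """List (ip, expected_mac, seen_mac) where the table contradicts a binding."""
    out = []
    for row in arp_text.splitlines()[1:]:  # skip the header row
        cols = row.split()
        if len(cols) < 4 or cols[2] == "0x0":  # short row or incomplete entry
            continue
        ip, seen = cols[0], cols[3].lower()
        if ip in bindings and seen != bindings[ip]:
            out.append((ip, bindings[ip], seen))
    return out

def iptables_rules(bindings, iface="eth1"):
    """Accept each bound IP only from its MAC; drop the rest arriving on iface."""
    rules = [f"iptables -A FORWARD -i {iface} -s {ip} -m mac "
             f"--mac-source {mac.upper()} -j ACCEPT"
             for ip, mac in sorted(bindings.items())]
    return rules + [f"iptables -A FORWARD -i {iface} -j DROP"]
```

On a live router the same functions can be fed the contents of /etc/ethers and /proc/net/arp; a mismatch for a bound IP means the static entry was not loaded for it.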