Security techniques: using Linux IP masquerading to keep out intruders

Source: Internet
Author: User

Firewalls can be divided into several different security levels. In Linux, because many different firewall packages are available, the security they offer ranges from low to high, and the most sophisticated software can provide almost impenetrable protection. However, the Linux kernel itself has a simple built-in mechanism called "masquerading". Apart from the most specialized hacker attacks, it can withstand the vast majority of attacks.

When we dial up to the Internet, our computer is assigned an IP address so that other machines on the Internet can send information back to it. Hackers use your IP address to access information on your computer. The "IP masquerading" method used in Linux hides your IP address so that others cannot see it on the network. Several groups of IP addresses are specially reserved for use on local networks, and Internet backbone routers do not recognize them. For example, the IP address of the author's computer is 192.168.1.127. If you enter this address in your browser, you will receive nothing, because the Internet backbone does not recognize 192.168.X.X addresses. Countless computers on other intranets use the same IP addresses. Because you cannot reach them at all, you cannot intrude into or crack them.

Solving the security problem on the Internet therefore seems simple: just pick an IP address for your computer that no one else can reach. Wrong! When you browse the Internet, the server also needs to send data back to you, otherwise you will see nothing on the screen, and the server can only return data to a valid IP address registered on the Internet backbone.

"IP masquerading" is the technology that solves this dilemma. A Linux computer configured for "IP masquerading" bridges the internal and external networks and automatically translates IP addresses in both directions, from the inside out and from the outside in. This is usually called network address translation.

In fact, "IP masquerading" is more complex than described above. Basically, the masquerading server sits between two networks. If you use an analog dial-up modem to reach the Internet, that is one of the networks. Your intranet usually corresponds to an Ethernet card, which is the second network. If you are using a DSL or cable modem, the system will have a second Ethernet card instead of the analog modem. Linux can manage every IP address on these networks. Therefore, if you have a Windows computer (IP address 192.168.1.25) on the second network (Ethernet eth1) that wants to reach the Internet through a cable modem (207.176.253.15) on Ethernet eth0, Linux's "IP masquerading" intercepts all TCP/IP packets sent from your browser, extracts the original local address (192.168.1.25), and replaces it with the real address (207.176.253.15). Then, when the server returns data to 207.176.253.15, Linux automatically intercepts the returning packet and fills in the correct local address (192.168.1.25).

Linux's "IP masquerading" can manage several local computers (such as 192.168.1.25 and 192.168.1.34) and process each packet without confusion. The author has an old 486 computer running Slackware Linux that simultaneously handles packets from four computers to a cable modem without any loss of speed.

Before the second version of the kernel, "IP masquerading" was managed by the IP forwarding administration module (IPFWADM, IP fw adm). Although the second version of the kernel provides the faster and more sophisticated IPCHAINS, it still includes an IPFWADM wrapper for backward compatibility. The author therefore uses IPFWADM as the example in this article to describe how to set up "IP masquerading" (you can go to http: // scheme ).

In addition, some applications, such as RealAudio and CU-SeeMe, use non-standard packets and require special modules. You can obtain the relevant information from the websites above as well.

The author's server has two Ethernet cards, which are assigned to eth0 and eth1 when the kernel boots. Both are jumperless SN2000 ISA adapter cards, which most Linux systems recognize. The author's Ethernet initialization steps are in rc.inet1. The commands are as follows:

IPADDR="207.175.253.15"       # Change to the IP address of your cable modem.
NETMASK="255.255.255.0"       # Change to your network mask.
NETWORK="207.175.253.0"       # Change to your network address.
BROADCAST="207.175.253.255"   # Change to your broadcast address.
GATEWAY="207.175.253.254"     # Change to your gateway address.

# Use the variables above to configure the Ethernet card attached to your cable modem
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

# Set up the IP routing table
/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0

# Configure the intranet Ethernet card eth1, without using variables
/sbin/ifconfig eth1 192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

# Initialize ipfwadm
# Default forwarding policy: deny everything not listed below
/sbin/ipfwadm -F -p deny
# Accept and masquerade forwarding requests from 192.168.1.X
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# Masquerading timeouts in seconds: TCP sessions, TCP after FIN, UDP
/sbin/ipfwadm -M -s 600 30 120

That's it! Your system's "IP masquerading" should now be working properly. For more detailed information, refer to the HOWTO mentioned above, or to the mini-HOWTO at http://albali.aquanet.com.br/howtos/Bridge+Firewall-4.html. You can also find material at ftp://sunsite.unc.edu/pub/linux/docs/howto/firewall-howto.
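The address rewriting described in the walk-through above, together with the timeouts set by the `ipfwadm -M -s 600 30 120` line, can be modelled as a small table. The Python below is an added illustration, not the kernel's code or the author's: the class and function names, the masquerade port numbers and the 198.51.100.7 and 203.0.113.9 addresses are constructed, and the public address is the 207.176.253.15 of the walk-through.

```python
# Added illustration, not the kernel's code: a toy masquerade table.
# Internal/public addresses are the article's; ports and servers are constructed.
PUBLIC_IP = "207.176.253.15"
TIMEOUTS = {"tcp": 600, "tcp_fin": 30, "udp": 120}   # seconds, from `ipfwadm -M -s 600 30 120`

class Masquerader:
    def __init__(self, first_port=61000):
        self.table = {}              # (proto, masq_port) -> entry dict
        self.next_port = first_port

    def outbound(self, proto, src, dst, now, fin=False):
        """Rewrite an internal packet's source; returns (new_src, dst)."""
        for (p, port), e in self.table.items():
            if p == proto and e["local"] == src and e["remote"] == dst:
                break                # reuse the existing session entry
        else:
            port, self.next_port = self.next_port, self.next_port + 1
            e = self.table[(proto, port)] = {"local": src, "remote": dst, "kind": proto}
        e["seen"] = now
        if fin:
            e["kind"] = "tcp_fin"    # closing TCP sessions expire sooner
        return (PUBLIC_IP, port), dst

    def inbound(self, proto, src, dst_port, now):
        """Return the internal (ip, port) for a reply, or None to drop it."""
        e = self.table.get((proto, dst_port))
        if e is None or e["remote"] != src:
            return None              # unsolicited: nothing inside asked for it
        if now - e["seen"] > TIMEOUTS[e["kind"]]:
            del self.table[(proto, dst_port)]
            return None              # session idle too long, entry expired
        e["seen"] = now
        return e["local"]

def demo():
    nat, web = Masquerader(), ("198.51.100.7", 80)   # constructed server
    a, _ = nat.outbound("tcp", ("192.168.1.25", 1025), web, now=0)
    b, _ = nat.outbound("tcp", ("192.168.1.34", 1025), web, now=0)
    return {
        "a_seen_as": a, "b_seen_as": b,
        "reply_a": nat.inbound("tcp", web, a[1], now=5),
        "reply_b": nat.inbound("tcp", web, b[1], now=5),
        "probe": nat.inbound("tcp", ("203.0.113.9", 4444), a[1], now=5),
        "stale": nat.inbound("tcp", web, a[1], now=606),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```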

In the past six months, the price of 56 K analog modem cards has dropped sharply. However, most of the new cards achieve this by removing the control microprocessor from the board, which puts extra load on the system's main CPU, and Linux does not support these "WinModem" cards. Although Linux kernel experts are capable of writing drivers for WinModem cards, they also understand that it is not wise to sacrifice system performance to save $10.

Make sure that the modem card you use has a jumper for selecting COM1, COM2, COM3, or COM4. Such cards work normally in Linux. You can find the complete list of Linux-compatible modem cards at http://www.o2.net/~gromitkc/winmodem.html.

When I was writing this article, I spent some time testing different modem cards. Linux supports plug-and-play devices, so I bought a jumperless modem card made by Amjet, only to run into another troublesome problem.

The PC the author tested with is an old 486 with a 1994 AMI BIOS. After this plug-and-play modem card was plugged in, the computer would not boot, and the screen showed "Primary hard disk failure". Inspection showed that the plug-and-play BIOS had taken interrupt 15, which should have been reserved for the hard disk controller, and assigned it to the modem card. In the end the author gave up on using plug-and-play products in the old computer, because it was not worth the time. Therefore, before purchasing a modem card, first check whether it has jumpers for selecting COM1 to COM4.

On the author's bulletin board (http://trevormarshall.com/BYTE/), several readers asked whether they could use multiple dial-up lines to speed up Internet access. The best example here is 128 K ISDN, which uses two 56 K channels at the same time to achieve a speed of K. When an ISP provides such a service, two independent lines are configured to connect to the same IP address.

As you can see, although Linux has an EQL module that lets you use two modem cards in the computer at the same time, the two cards help only with sending data unless the ISP provides the same IP address for both dial-up connections.

If you dial in to an ordinary ISP PPP line, you get one IP address, so that packets sent back from the server can find your machine among millions of computers. Each time you dial in to the ISP, you get a different IP address.

The packets sent by your browser also contain the local IP address so that the server can return data. EQL can distribute these outgoing packets across different ISP lines. However, returning data can be received on only one IP address, namely the one the browser considers to be in use. If ISDN is used, the ISP handles this problem. Some ISPs will provide a matching IP address for multi-line dial-up access, but the price is very high.

When pursuing speed, do not overlook the efficiency of the Linux firewall. Six users in the author's office share a 56 K analog modem through the "IP masquerading" firewall; it works very well and slows down only when someone downloads large files. Before you decide to install multiple ISP dial-up lines, set up an "IP masquerading" server first. Windows does not have a very efficient way to handle multiple IP addresses, and separating a Windows network from the modem will surprise you with the improvement in performance.

In short, the "IP masquerading" method used by Linux hides your IP address and prevents others from seeing it on the network.

 
