Article Title: Use Linux to build a secure management gateway.
First, install the gateway system. Two network cards are used in this article: the first, eth0, faces the Internet and has the IP address 212.1.1.1; the second, eth1, faces the LAN and has the IP address 192.168.1.1.
Here we use CentOS, a Linux distribution derived from Red Hat. After installation the system already ships with a complete firewall, iptables. First we create the firewall script and make it executable:
# touch /etc/rc.d/firewall
# chmod u+x /etc/rc.d/firewall
To let the clients reach the Internet through the gateway at all, the script starts by enabling IP forwarding in the kernel:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
Before adding any rules, flush the existing rules and delete any user-defined chains in all three tables (filter, nat and mangle), so the script always starts from a known state:
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
The following lines disable TCP ECN (Explicit Congestion Notification). Contrary to what is sometimes claimed, this is not an anti-spoofing measure: it is a compatibility setting for older firewalls and routers that drop ECN-marked packets. The kernel control that actually counters source-address spoofing is reverse-path filtering, /proc/sys/net/ipv4/conf/all/rp_filter, which should be set to 1 on a gateway.
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
Next, set the policies of the three built-in chains and the basic INPUT rules. In the layout above eth0 is the Internet-facing card, so the interface that is trusted without restriction must be the LAN card eth1; accepting everything that arrives on eth0 would make the INPUT DROP policy below meaningless. The MIRROR target bounces a packet back at its sender; it has been removed from modern kernels, and the DROP policy is sufficient without it.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
PORT="80,21"
iptables -A INPUT -p tcp -m multiport --dports $PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j MIRROR
iptables -P INPUT DROP
With the preparation done, we implement the rules for the network-management functions.
# Block P2P software for every host in the 192.168.1.0/24 segment. The ipp2p match is an out-of-tree patch and is not part of the iptables shipped with CentOS; the iprange match is in the standard tree.
iptables -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.254 -m ipp2p --ipp2p -j DROP
# Block access to a specified website. The domain match is also not part of standard iptables; with stock modules the nearest equivalent is the string match (-m string --string "www.test.com" --algo bm), which matches the host name anywhere in the packet payload.
iptables -A FORWARD -m domain --name "www.test.com" -j DROP
# Forbid QQ during working hours. The second rule covers the afternoon window; the original omits its start and stop times, so they have to be filled in.
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart --timestop --days Mon,Tue,Wed,Thu,Fri -j DROP
The layer7 module, like ipp2p, is an out-of-tree patch that requires a patched kernel and iptables; with it, most of the IM tools on the market can be blocked in the same way. Note also that --days is the syntax of the old ipt_time patch; the in-tree xt_time match spells the option --weekdays.
# The following rule cuts off a single client in the LAN by its MAC address.
iptables -I FORWARD -m mac --mac-source 00:11:FF -j DROP
Here 00:11:FF stands for the MAC address of the client; the full six-octet address goes in its place (the original shows only the first three octets).
# Publish a web server in the intranet to the Internet (DNAT on the public address).
iptables -t nat -A PREROUTING -p tcp -d 212.1.1.1 --dport 80 -j DNAT --to 192.168.1.10:80
This works here because the FORWARD policy is ACCEPT; if that policy is ever changed to DROP, a matching FORWARD rule accepting TCP port 80 to 192.168.1.10 is required as well. Intranet services such as mail and FTP are mapped to the public network in the same way. Note that for the private 192.168.1.0/24 addresses to reach the Internet in the first place their source address must be rewritten on eth0, with SNAT or MASQUERADE in the POSTROUTING chain of the nat table, which the script above does not show.
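The rules above, assembled into one complete /etc/rc.d/firewall, as an added example rather than the article's own script. It keeps the article's interface names and addresses but adds what the text leaves out: reverse-path filtering as the real anti-spoofing control, SNAT so that 192.168.1.0/24 can reach the Internet, a FORWARD policy tightened to DROP with explicit allows, and the FORWARD rule the DNAT to 192.168.1.10 then needs. The DRY_RUN switch and the helper function names are assumptions of the example; with DRY_RUN=1 (the default) the script only prints the commands, so it can be reviewed without root, and DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not the article's script. DRY_RUN=1 prints the commands that
# would run; DRY_RUN=0 executes them (needs root and the iptables/sysctl tools).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

WAN=eth0; WAN_IP=212.1.1.1          # Internet-facing card, as in the article
LAN=eth1; LAN_NET=192.168.1.0/24    # LAN-facing card, as in the article
WEB_SERVER=192.168.1.10             # published web server, as in the article
GATEWAY_PORTS="80,21"               # services the gateway itself offers (the article's PORT)

kernel_settings() {
    run sysctl -w net.ipv4.ip_forward=1
    # rp_filter drops packets whose source address would not be routed back
    # through the interface they arrived on: this is the anti-spoofing control.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.conf.default.rp_filter=1
    # a gateway should not let peers rewrite its routing with ICMP redirects
    run sysctl -w net.ipv4.conf.all.accept_redirects=0
}

flush_rules() {
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
}

policies() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP    # stricter than the article: forward only what is listed
    run iptables -P OUTPUT ACCEPT
}

input_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    # the trusted side is the LAN card, never the Internet-facing one
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$WAN" -p tcp -m multiport --dports "$GATEWAY_PORTS" -m state --state NEW -j ACCEPT
}

forward_rules() {
    # a packet arriving from the Internet with a LAN source address is spoofed
    run iptables -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients out to the Internet
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # the published web server: with a DROP policy, DNAT alone is not enough
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

nat_rules() {
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # source NAT for the LAN; with a fixed public address SNAT is cheaper than MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# firewall: apply everything in order; returns the rules on stdout in dry-run mode
firewall() {
    kernel_settings; flush_rules; policies; input_rules; forward_rules; nat_rules
}

firewall
```

Run it once with the default DRY_RUN=1 and read the printed rule list before applying it; the order matters, because the anti-spoofing DROP and the ESTABLISHED,RELATED accept must come before the per-service allows, and the policies must be set before the script ends so that a half-applied script never leaves the gateway open.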
Next, use TC (traffic control) to limit the speed of each client. Shaping by destination address acts on traffic leaving the gateway toward the clients, so it belongs on the LAN-facing card eth1 (on the Internet-facing eth0 a rule matching a 192.168.1.x destination would never see a packet):
tc qdisc del dev eth1 root 2>/dev/null
tc qdisc add dev eth1 root handle 2: htb
tc class add dev eth1 parent 2: classid 2:1 htb rate 1024kbit
I=1
while [ $I -lt 254 ]
do
tc class add dev eth1 parent 2:1 classid 2:2$I htb rate 1024kbit ceil 1024kbit burst 15k
tc qdisc add dev eth1 parent 2:2$I handle 2$I: sfq
tc filter add dev eth1 parent 2:0 protocol ip prio 4 u32 match ip dst 192.168.1.$I flowid 2:2$I
I=`expr $I + 1`
done
The script gives each client from 192.168.1.1 to 192.168.1.253 its own HTB class with rate equal to ceil, so a client can never exceed 1024 kbit/s even when the link is idle; the sfq leaf shares that class fairly among the client's own connections. Note that burst 15k is the size of the token bucket in bytes, not a fallback speed, and that the parent class is itself limited to 1024 kbit, so all clients together share that much.
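The same idea carried further, as an added example and not the article's script: every client gets a guaranteed rate and may borrow up to a ceiling when the link is idle, and both directions are shaped. Download is classified on the LAN card by destination as above; upload is classified on the WAN card by a firewall mark set in the mangle table before NAT, because the egress queue on eth0 only ever sees 212.1.1.1 as the source once SNAT has rewritten it. The interface names are the article's; TOTAL, GUARANTEED and CEIL, the class numbering and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the article's script. DRY_RUN=1 (default) prints the tc
# and iptables commands; DRY_RUN=0 executes them as root.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN=eth1; WAN=eth0; LAN_PREFIX=192.168.1
TOTAL=10mbit          # assumed capacity of the link (adjust to the real uplink)
GUARANTEED=256kbit    # per-client minimum when the link is busy
CEIL=1024kbit         # per-client maximum when bandwidth is free to borrow

# client_class I: HTB class id for host 192.168.1.I. tc reads ids as hex, so the
# minor number is printed in hex with an offset that keeps it clear of the
# parent class 2:1 and the default class 2:2.
client_class() { printf '2:%x' "$(( $1 + 16 ))"; }

# htb_tree DEV: root qdisc, a parent class holding the link capacity, and a
# catch-all default class for traffic that belongs to no listed client
htb_tree() {
    run tc qdisc del dev "$1" root 2>/dev/null
    run tc qdisc add dev "$1" root handle 2: htb default 2
    run tc class add dev "$1" parent 2: classid 2:1 htb rate "$TOTAL" ceil "$TOTAL"
    run tc class add dev "$1" parent 2:1 classid 2:2 htb rate "$GUARANTEED" ceil "$CEIL"
}

# client_classes DEV: one HTB class with an sfq leaf per LAN host
client_classes() {
    i=1
    while [ "$i" -lt 254 ]; do
        cls=$(client_class "$i")
        run tc class add dev "$1" parent 2:1 classid "$cls" htb rate "$GUARANTEED" ceil "$CEIL" burst 15k
        run tc qdisc add dev "$1" parent "$cls" handle "$(( i + 1000 )):" sfq perturb 10
        i=$(( i + 1 ))
    done
}

# download: packets leaving the LAN card, classified by destination address
download_filters() {
    i=1
    while [ "$i" -lt 254 ]; do
        run tc filter add dev "$LAN" parent 2: protocol ip prio 4 u32 match ip dst "$LAN_PREFIX.$i/32" flowid "$(client_class "$i")"
        i=$(( i + 1 ))
    done
}

# upload: mark by source in mangle PREROUTING (before SNAT), then match the
# mark with the fw classifier on the WAN card
upload_filters() {
    i=1
    while [ "$i" -lt 254 ]; do
        run iptables -t mangle -A PREROUTING -i "$LAN" -s "$LAN_PREFIX.$i" -j MARK --set-mark "$i"
        run tc filter add dev "$WAN" parent 2: protocol ip prio 4 handle "$i" fw flowid "$(client_class "$i")"
        i=$(( i + 1 ))
    done
}

# shape: build both trees; returns the command list on stdout in dry-run mode
shape() {
    run iptables -t mangle -F PREROUTING
    htb_tree "$LAN"; client_classes "$LAN"; download_filters
    htb_tree "$WAN"; client_classes "$WAN"; upload_filters
}

shape
```

The rate/ceil split is the point: with rate equal to ceil, as in the article, a lone client on an otherwise idle link is still pinned to 1024 kbit; with a lower guaranteed rate and a higher ceil, HTB lends unused capacity of the parent class to whoever is active and takes it back as soon as the others need it.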
To prevent IP address theft in the LAN, bind IP addresses to MAC addresses in the file /etc/ethers, one pair per line in the format:
IP-addr MAC-addr
Then run arp -f, which loads the file into the gateway's ARP cache as static (permanent) entries. The gateway now sends the replies for a given IP address only to its registered MAC, so a client that takes another host's address gets no return traffic and cannot reach the Internet. Be clear about what this covers: it protects the gateway's own ARP cache from poisoning, it does not stop clients poisoning each other, and it is defeated by a client that spoofs the MAC address as well as the IP.
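The binding can be made stronger by enforcing it in the forwarding path as well, as in the following added example (not the article's code): an /etc/ethers-style list is parsed, each pair becomes a static ARP entry on the gateway and a rule in a dedicated iptables chain, and a LAN address that shows up from any other MAC is dropped. The sample file contents are constructed for the example, and the chain name MACBIND and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) only the commands are printed.

```shell
#!/bin/sh
# Added example, not the article's script. DRY_RUN=1 prints; DRY_RUN=0 applies.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
LAN=eth1

# Constructed sample in the "IP-addr MAC-addr" format of /etc/ethers; comments,
# blank lines and a deliberately malformed entry are included to exercise the parser.
sample_ethers() {
cat <<'EOF'
# IP-addr         MAC-addr
192.168.1.10      00:11:22:33:44:55
192.168.1.11      00:11:22:33:44:66   # accounting PC

192.168.1.12      bad-mac
EOF
}

# valid_mac MAC: six colon-separated lowercase hex octets
valid_mac() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# bind_clients FILE: static ARP entry plus MACBIND rule per valid line; the last
# line of output is the number of bindings made. Malformed lines go to stderr.
bind_clients() {
    n=0
    run iptables -N MACBIND 2>/dev/null
    run iptables -F MACBIND
    while read -r ip mac _; do
        case "$ip" in ''|'#'*) continue ;; esac
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! valid_mac "$mac"; then
            echo "skipping $ip: bad MAC '$mac'" >&2
            continue
        fi
        # the gateway's own ARP cache: this IP always resolves to this MAC
        run arp -i "$LAN" -s "$ip" "$mac"
        # forwarding: the registered pair returns to FORWARD, anything else falls to the DROP below
        run iptables -A MACBIND -s "$ip" -m mac --mac-source "$mac" -j RETURN
        n=$(( n + 1 ))
    done < "$1"
    run iptables -A MACBIND -j DROP
    # evaluate MACBIND before every other FORWARD rule for traffic from the LAN
    run iptables -I FORWARD 1 -i "$LAN" -j MACBIND
    echo "$n"
}

ETHERS=$(mktemp); sample_ethers > "$ETHERS"
bind_clients "$ETHERS"
rm -f "$ETHERS"
```

Using a separate chain that RETURNs on a match, rather than appending ACCEPT rules to FORWARD, keeps the P2P, website and working-hours rules above in force for registered clients. On current systems `ip neigh add IP lladdr MAC dev eth1 nud permanent` does what `arp -s` does here.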
With this, a reasonably secure gateway has been set up. Security is a whole, though: do not overlook any of the details above, because each one left out can become a security risk.