Summary
Using ipchains to build a firewall: a concrete method (2002-09-16 13:35:32)
By Wing, Source:
Grind
In some universities, student dormitories have started being connected to the campus network. When there were only a few machines in the dormitories, IP addresses seemed to be a plentiful resource and anyone could apply for one, but with the rapid growth in the number of machines, IP addresses began to run short. This calls for a firewall that performs IP masquerading: only one real IP address is needed for normal access to the Internet, and the other machines on the local area network need no real IP address at all. Although they cannot reach the Internet directly the way the gateway machine does, the gateway can take the Internet requests coming from the other machines and disguise them as its own. With this machine acting as the gateway of the LAN, whenever it receives a request packet from another machine on the LAN it first masquerades the packet and then forwards it; correspondingly, when the reply to the masqueraded packet comes back, the gateway first restores the response packet and then forwards it to the machine on the internal network that actually issued the request. Before you begin, you must make sure the Linux kernel supports IP masquerading. When compiling the kernel, select the following options:
Network firewalls
IP: firewalling
IP: masquerading
IP: ipportfw masq support
IP: ipautofw masquerade support
IP: ip fwmark masq-forwarding support
IP: ICMP masquerading
Then tell the kernel to turn on IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
This writes "1" into /proc/sys/net/ipv4/ip_forward. Some protocols such as FTP and IRC need their own masquerading helper modules; run the following commands to load them:
depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
Now configure ipchains. Assume the IP address of the gateway is 210.34.9.58 and the internal network is 192.98.12.0. ipchains sets up the packet filter by defining chains and the rules within them. Run the following command:
ipchains -L
It prints the following:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
This shows that the policy of all three chains, input, output and forward, is ACCEPT, and that no rules have been defined on any particular chain. If you have defined these three chains before, you can flush them back to their original state with ipchains -F. The first step is to run:
ipchains -P forward DENY
This sets the default policy of the forward chain to DENY, which stops forwarding for anyone not explicitly allowed. Then run the following command:
ipchains -A forward -s 192.98.12.0/24 -j MASQ
This adds one rule, which masquerades packets coming from the 192.98.12.0 LAN; the 24 is 3 × 8 bits, meaning the network mask is 255.255.255.0. Running ipchains -L now to look at the current policies and rules of the chains shows the following:
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.98.12.0/24       anywhere              n/a
Chain output (policy ACCEPT):
Finally, add routes to the Internet and to the internal network to the routing table on the gateway machine (assuming eth0 connects to the Internet, eth1 connects to the internal network, and 210.34.9.251 is the gateway of the 210.34.9.0/24 segment):
route add default gw 210.34.9.251 eth0
route add -net 192.98.12.0 netmask 255.255.255.0 eth1
After this configuration, as long as the machines on the internal network set this gateway machine, 210.34.9.58, as their gateway, they can access the Internet just like a machine with a real IP address. You can put all of this into a script file rc.ipchains with the following content:
depmod -a
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY
ipchains -A forward -s 192.98.12.0/24 -j MASQ
Then run chmod +x rc.ipchains and add one line to the startup script rc.local: /etc/rc.d/rc.ipchains. This activates the firewall. ipchains uses very few system resources; even when a faulty program on our system was hogging a large share of the system's resources, I found that IP forwarding still worked normally. Personally I feel a 486 machine is perfectly adequate as a gateway, and with hardware of that level I wouldn't bother changing it. One further question: the principle of ipchains is that the gateway machine forwards a request from an internal machine using one of its own ports, so when all the ports are used up, will it still forward?
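As an added example (not the article's own script), here is the rc.ipchains script above written as a reviewable sh script: it checks for kernel masquerading support, ties the MASQ rule to the Internet interface, and adds a logged anti-spoofing rule on the input chain. It assumes the article's values (eth0 facing the Internet, LAN 192.98.12.0/24) and adds a DRY_RUN switch that prints the ipchains commands instead of running them.

```shell
#!/bin/sh
# Added example, not the article's own script: a hardened rc.ipchains.
# Assumptions (taken from the article): eth0 faces the Internet with
# 210.34.9.58, and the LAN behind eth1 is 192.98.12.0/24. With DRY_RUN=1
# the commands are printed instead of executed so they can be reviewed.
EXT_IF=eth0
LAN=192.98.12.0/24
DRY_RUN=${DRY_RUN:-0}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# A 2.2 kernel exposes this file only when built with IP masquerading.
masq_supported() {
    [ -e /proc/net/ip_masquerade ]
}

# Protocol helper modules the article loads (FTP, IRC, RealAudio).
load_masq_modules() {
    run depmod -a
    for m in ip_masq_ftp ip_masq_irc ip_masq_raudio; do
        run modprobe "$m"
    done
}

apply_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run ipchains -F
    run ipchains -P input ACCEPT
    run ipchains -P output ACCEPT
    # Default DENY on forward, as in the article: only explicit rules forward.
    run ipchains -P forward DENY
    # Anti-spoofing: a packet with a LAN source address must never arrive on
    # the Internet interface; -l logs each match to the kernel log.
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    # Masquerade only LAN sources, and only when they leave via the Internet
    # interface (on the forward chain, -i names the outgoing interface).
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

case "${1:-}" in
    start)
        masq_supported || { echo "kernel lacks IP masquerading" >&2; exit 1; }
        load_masq_modules
        apply_rules ;;
esac
```

Review the rule set first with DRY_RUN=1 sh rc.ipchains start, then install it with sh rc.ipchains start.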