Use Linux ipchains instead of Windows WinGate
Zhang Zhonghua (Mike_Z@21cn.com), 2000.12.02

Task: the office has 10 computers that make up a local area network. One of them, called GATE, has an ISDN card and can dial up; the other 9 machines should also get online. The GATE machine acts as a proxy or gateway so that its ISDN connection is shared. The original solution was Win98 on the GATE machine with WinGate as the proxy software. Now the operating system of the GATE machine has been replaced with Linux; how can the other 9 machines get Internet access? After some trying, I did this successfully with the IP masquerading (forwarding) function of ipchains. My configuration: Blue Point Linux 2.0, kernel 2.2.16, ISDN4Linux v3.1pre1, an internal ISDN card made by Shanghai Bell, model SBT6021. Below is the concrete procedure, introduced in this order: kernel configuration -> ipchains -> the other machines.

0. Prerequisite

Of course, the machine with the ISDN card, the one called GATE, must itself be able to dial the Internet successfully. I have already done this; the specific steps are written in another article, "Using ISDN Dial-Up Networking under Linux".

1. Kernel configuration

The principle is: the GATE machine takes the Internet access requests of the other machines and passes them off as its own. The GATE machine is made the gateway of the LAN; when it receives a request packet from another machine on the LAN, it disguises the packet and forwards it. Accordingly, when the reply to a disguised packet comes back, the reply is first restored and then handed to the machine on the internal network that really issued the request. This approach is called IP Masquerade (IP masquerading).
For the Linux kernel to support IP masquerading, the following options must be selected when compiling the kernel:

    Network firewalls
    IP: firewalling
    IP: masquerading
    IP: ipportfw masq support
    IP: ipautofw masquerade support
    IP: ip fwmark masq-forwarding support
    IP: ICMP masquerading

But I was in no hurry to compile the kernel: if the existing kernel already contains these options, why repeat the work? How do I know whether the existing kernel already contains them? Look at the kernel compilation profile /usr/src/linux/.config (note: a file name beginning with "." is a hidden file; you have to use ls -a to see it).
I found the following seven lines in it, corresponding to the seven options just listed:

    CONFIG_FIREWALL=y
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_MASQUERADE_ICMP=y
    CONFIG_IP_MASQUERADE_IPAUTOFW=m
    CONFIG_IP_MASQUERADE_IPPORTFW=m
    CONFIG_IP_MASQUERADE_MFW=m

"=y" means the option is built directly into the kernel (the code is linked into the kernel image); "=m" means module support (the code can be loaded into the running kernel as an additional module). So the stock kernel of Blue Point Linux 2.0 already contains these options, and I do not have to recompile it. Two things still need to be done. First, tell the kernel to turn on IP forwarding by writing "1" to /proc/sys/net/ipv4/ip_forward:

    echo 1 > /proc/sys/net/ipv4/ip_forward

Second, some functions such as ftp and IRC need corresponding module support. These modules live in the /lib/modules/2.2.16/ipv4 directory:

    depmod -a
    modprobe ip_masq_ftp
    modprobe ip_masq_irc
    modprobe ip_masq_raudio

2. ipchains configuration

The ipchains software included with Blue Point Linux 2.0 is enough for my needs; I do not have to install anything new, only configure it. ipchains is a packet filter, powerful and complex, but since I only want its IP masquerading (forwarding) function, the setup is simplified. My Linux machine is on a LAN whose domain name is thalia.com and whose network address is 210.96.100.0; the host name of this machine is GATE and its address is 210.96.100.10. Setting up the ipchains filter means setting up the various chains and their rules. First look at the current situation:

    ipchains -L

gives the following:

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

There are no rules, and the policy of all three chains is ACCEPT. Since I only use masquerading forwarding, only the forward chain is operated on:

    ipchains -P forward DENY

sets the policy of the forward chain to DENY, refusing everything. After that, add rules that allow packets through, gradually letting more packets pass; this is the tight (default-deny) practice.
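The inspection of /usr/src/linux/.config in section 1 can be scripted, which is handy when you have several kernels or want to know which of the seven options need modprobe. The script below is an added example, not part of the original article: it reads a kernel 2.2-style .config (lines of the form CONFIG_X=y, CONFIG_X=m or "# CONFIG_X is not set") and reports each of the seven options as builtin, module or missing. The sample .config it writes is constructed from the article's seven lines.

```shell
#!/bin/sh
# Check a kernel .config for the seven IP masquerading options the article
# lists and report which are built in, which are modules (need modprobe) and
# which are missing (kernel rebuild needed). Added example, not the article's.

MASQ_OPTIONS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE \
CONFIG_IP_MASQUERADE_ICMP CONFIG_IP_MASQUERADE_IPAUTOFW \
CONFIG_IP_MASQUERADE_IPPORTFW CONFIG_IP_MASQUERADE_MFW"

# config_state FILE OPTION -> prints builtin, module or missing
config_state() {
    # the pipe through head keeps the status 0 even when grep finds nothing
    line=$(grep "^$2=" "$1" | head -n 1)
    case "$line" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo missing ;;
    esac
}

# check_masq_config FILE -> one report line per option; returns 1 if any
# option is missing, 0 if the kernel can do masquerading without a rebuild
check_masq_config() {
    rc=0
    for opt in $MASQ_OPTIONS; do
        state=$(config_state "$1" "$opt")
        printf '%-34s %s\n' "$opt" "$state"
        [ "$state" = missing ] && rc=1
    done
    return $rc
}

# write_sample_config FILE -> constructed .config holding the article's seven
# lines (sample data for the demo, not a real kernel's .config)
write_sample_config() {
    cat > "$1" <<'EOF'
# Networking options
CONFIG_FIREWALL=y
CONFIG_IP_FIREWALL=y
CONFIG_IP_MASQUERADE=y
CONFIG_IP_MASQUERADE_ICMP=y
CONFIG_IP_MASQUERADE_IPAUTOFW=m
CONFIG_IP_MASQUERADE_IPPORTFW=m
CONFIG_IP_MASQUERADE_MFW=m
EOF
}

# usage on the GATE machine: sh check-masq-config.sh /usr/src/linux/.config
if [ -n "${1:-}" ]; then check_masq_config "$1"; fi
```

On the article's kernel the report shows four builtin and three module lines and the script exits 0; every option reported as module is one whose code is only available after the corresponding modprobe.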
    ipchains -A forward -s 210.96.100.0/255.255.255.0 -j MASQ

adds one rule. This rule says: packets coming from the 210.96.100.0 LAN (network mask 255.255.255.0), that is, matching -s 210.96.100.0/255.255.255.0, get masquerade processing (-j MASQ).
Now look at the situation again:

    ipchains -L

gives the following:

    Chain input (policy ACCEPT):
    Chain forward (policy DENY):
    target     prot opt     source                destination           ports
    MASQ       all  ------  210.96.100.0/24       anywhere              n/a
    Chain output (policy ACCEPT):

There is one MASQ rule in the forward chain. This alone is enough to share the ISDN Internet connection.

3. Configuring the other machines

On the other Win98 and Win2000 machines on the LAN, the main point is to set the default gateway to the Linux GATE machine, and to set the DNS server to the Linux GATE machine as well. Applications such as IE and Outlook Express need no settings at all; as far as they are concerned, the ISDN card might as well be installed in their own machine. I will set up a Win98 machine now to try it.

(1) Under "Control Panel | Network | Configuration", select "TCP/IP -> 3Com PCI Ethernet Adapter" (this machine has a 3Com NIC) and click the "Properties" button; the TCP/IP Properties dialog box pops up.
(2) On the IP Address page, specify the IP address: the IP address is 210.96.100.14, the subnet mask is 255.255.255.0. On the Gateway page, add the new gateway 210.96.100.10.
(3) Restart the machine.
(4) Open IE and browse http://168.160.224.103 (that is, Sina, sina.com.cn): Sina's home page appears. But browsing http://www.sina.com.cn does not work. This is a domain name resolution problem.
(5) Repeat step (1) to bring up the TCP/IP Properties dialog box, go to the DNS Configuration page, enable DNS, enter zzh as the host name, and add 210.96.100.10 to the DNS server search order. Restart the machine. Open IE and browse http://www.sina.com.cn again; this time it works.

4. Putting it into a shell file

The kernel and ipchains configuration above was done by typing commands, and they all worked, so now I write them into a shell file.
The file /etc/ppp/ip-masq-start is as follows:

    # IP masq
    echo 1 > /proc/sys/net/ipv4/ip_forward
    depmod -a
    modprobe ip_masq_ftp
    modprobe ip_masq_irc
    modprobe ip_masq_raudio
    ipchains -P forward DENY
    ipchains -A forward -s 210.96.100.0/255.255.255.0 -j MASQ

Make it executable:

    chmod a+x /etc/ppp/ip-masq-start

That is all. To turn on IP masquerading forwarding, run the command /etc/ppp/ip-masq-start.

References:
Huang Zhiwei, IP Masquerade HOWTO, Chinese version, http://www.linux.org.tw/cldp/gb/ip-masquerade-howto.html
http://zzh-cn.com, related file download:
IP masquerading forwarding start script: /etc/ppp/ip-masq-start
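The start script in section 4 masquerades every packet with a LAN source address wherever it is going, and says nothing about packets arriving on the dial-up link that claim a LAN source. The script below is an added example, not the article's own file: it keeps the article's steps and tightens them (flush the forward chain first, masquerade only packets leaving via the dial-up interface, deny and log spoofed LAN addresses arriving from outside), and adds a check of the "ipchains -L" listing. It assumes the dial-up interface is ppp0, the LAN is the article's 210.96.100.0/24, and that the 2.2 kernel exposes /proc/sys/net/ipv4/ip_dynaddr; with MASQ_DRY_RUN=1 the commands are printed instead of executed, which is how it runs on a machine without ipchains. The listing it writes is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Hardened variant of the article's /etc/ppp/ip-masq-start plus a listing
# check. Added example, not the article's script. Assumptions: dial-up link
# is ppp0, LAN is 210.96.100.0/24, ip_dynaddr exists under /proc/sys/net/ipv4.

LAN_NET="${LAN_NET:-210.96.100.0/24}"
EXT_IF="${EXT_IF:-ppp0}"

# run CMD... -> execute CMD, or only print it when MASQ_DRY_RUN=1
run() {
    if [ "${MASQ_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

masq_start() {
    # forward between interfaces; ip_dynaddr (assumed sysctl) keeps masqueraded
    # connections usable when the dial-up link gets a new address on connect
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr'
    # the protocol helper modules the article loads
    run depmod -a
    for m in ip_masq_ftp ip_masq_irc ip_masq_raudio; do run modprobe "$m"; done
    # start from an empty forward chain and deny by default
    run ipchains -F forward
    run ipchains -P forward DENY
    # masquerade LAN sources only, and only when leaving via the dial-up link
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    # anti-spoofing: a packet arriving from the Internet side must not carry
    # a LAN source address; deny it and log it (-l) to the kernel log
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
}

# dry_run_rules -> the ipchains commands masq_start would run, one per line
dry_run_rules() {
    ( MASQ_DRY_RUN=1; masq_start ) | grep '^ipchains'
}

# masq_verify < LISTING -> 0 if the forward chain policy is DENY and it holds
# a MASQ rule for LAN_NET, else 1; reads "ipchains -L" output on stdin
masq_verify() {
    awk -v net="$LAN_NET" '
        /^Chain forward \(policy DENY\)/ { deny = 1 }
        /^Chain /                          { chain = $2 }
        chain == "forward" && $1 == "MASQ" && $4 == net { masq = 1 }
        END { exit (deny && masq) ? 0 : 1 }
    '
}

# write_sample_listing FILE -> constructed "ipchains -L" output as it looks
# after masq_start (sample data for the demo, not captured from a real host)
write_sample_listing() {
    cat > "$1" <<'EOF'
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
DENY       all  ------  210.96.100.0/24       anywhere              n/a
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  210.96.100.0/24       anywhere              n/a
Chain output (policy ACCEPT):
EOF
}

# usage: sh ip-masq-start start   |   sh ip-masq-start verify
case "${1:-}" in
    start)  masq_start ;;
    verify) ipchains -L | masq_verify && echo "masquerading rules in place" ;;
esac
```

Restricting the MASQ rule to -i ppp0 matters once the GATE machine has more than one route out: a packet from the LAN headed for another LAN host is then never rewritten. The input-chain rule is the check that a default-ACCEPT input policy lacks; anything from the ISDN side pretending to be 210.96.100.x is dropped and appears in the kernel log, where it can be spotted.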