Use Linux ipchains instead of Windows WinGate
Blue Forest http://www.lslnet.com
Zhang Zhonghua
Task: The office has 10 computers that make up a local area network. One of them, the GATE machine, has an ISDN card and can dial up to the Internet; the other 9 machines also get online by sharing the GATE machine's ISDN device. In the original setup, the operating system on the GATE machine was Win98 and the proxy software was WinGate. Now that the operating system on the GATE machine has been replaced with Linux, how can the other 9 machines get access? After some experimenting, I did this successfully with the IP masquerade forwarding function of ipchains. My configuration is: Blue Point Linux 2.0, kernel 2.2.16, isdn4linux v3.1pre1, and an internal ISDN card made by Shanghai Bell, model SBT6021. The specific steps follow, in this order: kernel configuration -> ipchains -> other machines.

0. Prerequisites

The machine with the ISDN card, the one called GATE, must of course be able to dial up to the Internet smoothly by itself. I have already done this; the procedure is written up in another article, "Using ISDN Dial-Up Networking under Linux".

1. Kernel configuration

The principle is this: once the GATE machine establishes a dial-up connection it has a real IP address and can access the Internet normally, but the other machines on the LAN have no real IP address, so they cannot access the Internet the way the GATE machine does. The solution is for the GATE machine to pass off the other machines' Internet requests as its own. The GATE machine acts as the gateway of the LAN: when it receives a request packet from another machine on the LAN, it masquerades the packet and forwards it; when the response to the masqueraded packet comes back, it first restores the response packet and then passes it back to the LAN machine that really issued the request. This approach is called IP Masquerade (IP masquerading).
For the Linux kernel to support IP masquerading, the following options must be selected when compiling the kernel:

    Network firewalls
    IP: firewalling
    IP: masquerading
    IP: ipportfw masq support
    IP: ipautofw masquerade support
    IP: ip fwmark masq-forwarding support
    IP: ICMP masquerading

But there is no need to rush into compiling a kernel: if the existing kernel already contains these options, why repeat the work? How do I know whether the existing kernel already contains them? Look at the kernel build configuration file /usr/src/linux/.config (note: a file whose name begins with "." is a hidden file, so ls -a is needed to see it). I saw the following 7 lines, corresponding to the seven options above:

    CONFIG_FIREWALL=y
    CONFIG_IP_FIREWALL=y
    CONFIG_IP_MASQUERADE=y
    CONFIG_IP_MASQUERADE_ICMP=y
    CONFIG_IP_MASQUERADE_IPAUTOFW=m
    CONFIG_IP_MASQUERADE_IPPORTFW=m
    CONFIG_IP_MASQUERADE_MFW=m

"=y" means the feature is supported directly by the kernel (the code is linked into the kernel); "=m" means it is supported as a module (the code can be loaded into the kernel as a separate module).
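The .config check described above can be scripted, including the case where an option appears only as a commented-out "is not set" line. This is an added example, not part of the original article; the function name check_masq_config is hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the article): report how each of the article's seven
# masquerading options is set in a 2.2 kernel .config.

MASQ_OPTIONS="CONFIG_FIREWALL CONFIG_IP_FIREWALL CONFIG_IP_MASQUERADE
CONFIG_IP_MASQUERADE_ICMP CONFIG_IP_MASQUERADE_IPAUTOFW
CONFIG_IP_MASQUERADE_IPPORTFW CONFIG_IP_MASQUERADE_MFW"

# check_masq_config FILE
# Prints "OPTION builtin|module|missing" per option.
# Returns 0 if all are present, 1 if any is missing, 2 if FILE is unreadable.
check_masq_config() {
    cfg=$1
    missing=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for opt in $MASQ_OPTIONS; do
        # Anchor on "OPTION=" so CONFIG_IP_MASQUERADE does not also match
        # CONFIG_IP_MASQUERADE_ICMP; "# OPTION is not set" lines never match.
        val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg" | head -n 1)
        case $val in
            y) echo "$opt builtin" ;;
            m) echo "$opt module" ;;
            *) echo "$opt missing"; missing=1 ;;
        esac
    done
    return "$missing"
}

if [ -n "${1:-}" ]; then
    check_masq_config "$1"      # e.g. /usr/src/linux/.config
else
    # No argument: demonstrate on a constructed sample, not a real config.
    sample=$(mktemp)
    printf '%s\n' 'CONFIG_FIREWALL=y' 'CONFIG_IP_FIREWALL=y' \
        'CONFIG_IP_MASQUERADE=y' '# CONFIG_IP_MASQUERADE_ICMP is not set' \
        'CONFIG_IP_MASQUERADE_IPAUTOFW=m' > "$sample"
    check_masq_config "$sample" || echo "some options are missing"
    rm -f "$sample"
fi
```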
The seven lines in .config show that the stock kernel of Blue Point Linux 2.0 already contains these options, so I do not have to recompile the kernel. There is still something to do, though. First, the kernel must be told to turn on IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

This writes "1" to /proc/sys/net/ipv4/ip_forward. Some services, such as FTP and IRC, need support from corresponding modules. These modules are in the /lib/modules/2.2.16/ipv4 directory; load them:

    depmod -a
    modprobe ip_masq_ftp
    modprobe ip_masq_irc
    modprobe ip_masq_raudio

2. ipchains configuration

The ipchains software that comes with Blue Point Linux 2.0 is enough to meet my requirements; I do not have to install a new one, only configure it. ipchains is a packet filter, powerful and complex, but I only want its IP masquerade forwarding function, so the setup is simple. My Linux machine is on a LAN whose domain name is thalia.com and whose network address is 210.96.100.0; the host name of this machine is GATE and its address is 210.96.100.10. Configuring the ipchains filter means setting up the chains and their rules. First take a look at the current state:

    ipchains -L

which gives the following:

    Chain input (policy ACCEPT):
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

There are no rules, and the policy of all 3 chains is ACCEPT. Since only masquerade forwarding is wanted, only the forward chain needs to be changed.

    ipchains -P forward DENY

sets the policy of the forward chain to DENY, that is, refuse. After that, rules are added for what may pass, gradually allowing more packets through; this is the strict approach.

    ipchains -A forward -s 210.96.100.0/255.255.255.0 -j MASQ

adds 1 rule, which says: packets from the 210.96.100.0 LAN with network mask 255.255.255.0 (-s 210.96.100.0/255.255.255.0) are masqueraded (-j MASQ).
Now look at the state again:

    ipchains -L

which gives the following:

    Chain input (policy ACCEPT):
    Chain forward (policy DENY):
    target     prot opt     source                destination           ports
    MASQ       all  ------  210.96.100.0/24      anywhere              n/a
    Chain output (policy ACCEPT):

There is 1 MASQ rule in the forward chain. For simply sharing the ISDN Internet connection, this is enough.

3. Configuration of other machines

Configure the other Win98 and Win2000 machines on the LAN. The key points are to set the default gateway to the Linux GATE machine and to set the DNS server to the Linux GATE machine as well. Applications such as IE and Outlook Express need no settings at all; they behave as if the ISDN card were installed in the local machine. I will set up a Win98 machine now to try it.
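The end state of section 2 can be verified from the ipchains -L listing rather than by eye: the check below reports when the forward policy is not DENY or when the forward chain holds anything other than a MASQ rule for the LAN. This is an added example, not part of the original article; the function name audit_forward is hypothetical and the sample listing is constructed in the format the article shows.

```shell
#!/bin/sh
# Added example (not from the article): check an "ipchains -L" listing for the
# state the article ends with: forward policy DENY, only MASQ rules for the LAN.

# audit_forward LAN < listing
# LAN is the source as ipchains prints it, e.g. 210.96.100.0/24.
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_forward() {
    awk -v lan="$1" '
        /^Chain / {                      # "Chain forward (policy DENY):"
            chain = $2
            if (chain == "forward") {
                seen = 1
                policy = $4
                sub(/\):$/, "", policy)
            }
            next
        }
        chain == "forward" && NF && $1 != "target" {
            rules++
            if ($1 != "MASQ" || $4 != lan) {
                print "unexpected forward rule: " $0
                bad = 1
            }
        }
        END {
            if (!seen) {
                print "no forward chain in listing"; bad = 1
            } else if (policy != "DENY") {
                print "forward policy is " policy ", expected DENY"; bad = 1
            }
            if (seen && rules == 0) {
                print "no MASQ rule for " lan; bad = 1
            }
            exit bad + 0
        }'
}

# Constructed listing in the format shown in the article.
SAMPLE='Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  210.96.100.0/24      anywhere              n/a
Chain output (policy ACCEPT):'

printf '%s\n' "$SAMPLE" | audit_forward 210.96.100.0/24 && echo "forward chain OK"
# On the gateway itself: ipchains -L | audit_forward 210.96.100.0/24
```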