2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article gives a detailed introduction to the "camouflage" mechanism of the Linux system firewall. The method introduced here is simple, fast and practical.
Firewalls can be divided into several different levels of security. Because there are many different firewall packages to choose from on Linux, security can be low or high, and the most complex software can provide almost impenetrable protection. However, the Linux kernel itself has a simple mechanism called "camouflage" (better known in English as IP masquerading) that can withstand most attacks except for the most specialized hacker attacks.
When we dial up to connect to the Internet, our computer is assigned an IP address that allows other hosts on the network to send information back to it. Hackers use your IP to access data on your computer. The "IP camouflage" method used by Linux is to hide your IP from others on the Internet. Several sets of IP addresses are specifically reserved for use in local networks and are not recognized by Internet backbone routers. For example, the IP of the author's computer is 192.168.1.127, but if you type this address into your browser, you will receive nothing, because the Internet backbone does not recognize the 192.168.X.X set of IPs. Countless computers on other intranets use the same IP, and since you can't reach them at all, you certainly can't hack or crack them.
So it seems that solving the security problem on the Internet is simple: just choose an IP address for your computer that no one else can access, and everything is solved. Wrong! When you browse the Internet, you also need the server to send data back to you, otherwise you see nothing on the screen, and the server can only send data back to a legitimate IP address registered on the Internet backbone.
IP camouflage is the technology used to solve this dilemma. When you have a computer with Linux installed and set to use "IP camouflage", it bridges the internal and external networks and automatically translates IP addresses in both directions, from the inside out and from the outside in. This action is usually called network address translation.
The actual "IP camouflage" is a little more complicated than described above. Basically, the "IP camouflage" server sits between two networks. If you use an analog dial-up modem to access the Internet, that is one of the networks; your internal network usually corresponds to an Ethernet card, which is the second network. If you are using a DSL modem or cable modem, there will be a second Ethernet card in the system instead of an analog modem. Linux can manage every IP address on these networks, so if you have a Windows computer (IP 192.168.1.25) on the second network (Ethernet eth2) and it wants to go out through the cable modem (207.176.253.15) on the Internet side (Ethernet eth0), Linux's "IP camouflage" intercepts all TCP/IP packets sent from your browser, strips the original local address (192.168.1.25) and replaces it with the real address (207.176.253.15). Then, when the server sends data back to 207.176.253.15, Linux automatically intercepts the returning packet and restores the correct local address (192.168.1.25).
Linux can manage several local computers (such as 192.168.1.25 and 192.168.1.34 in the Linux "IP camouflage" diagram) and process each packet without confusion. The author has an old 486 computer running Slackware Linux, which can process packets sent by four computers to the cable modem at the same time without any loss of speed.
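The address rewriting described above can be modelled in a few lines. This is an added example, not code from the original article and not kernel code: a simplified port-based translation table using the article's addresses, in which the remote server address, the unsolicited sender and the starting port 61000 are constructed assumptions. It shows how two local hosts that pick the same source port are kept apart, and why a packet arriving from outside with no matching entry has nowhere to be forwarded.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Toy model of the masquerading table; one entry per outbound flow."""
    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumed start of the masquerade port pool
        self.out_map = {}  # (local ip, local port, remote ip, remote port) -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> (local ip, local port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:  # first packet of a new flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        local = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or local is None:
            return None  # no flow was opened from inside: nothing to forward to
        return Packet(pkt.src_ip, pkt.src_port, local[0], local[1])

def demo():
    nat = Masquerader("207.176.253.15")   # public address from the article
    server = ("203.0.113.80", 80)         # constructed remote web server
    a = nat.outbound(Packet("192.168.1.25", 1025, *server))
    b = nat.outbound(Packet("192.168.1.34", 1025, *server))  # same local port as a
    reply_a = nat.inbound(Packet(*server, a.src_ip, a.src_port))
    reply_b = nat.inbound(Packet(*server, b.src_ip, b.src_port))
    # Constructed unsolicited packet from a host no local machine contacted
    unsolicited = nat.inbound(Packet("198.51.100.7", 4444, "207.176.253.15", 139))
    return a, b, reply_a, reply_b, unsolicited

if __name__ == "__main__":
    for result in demo():
        print(result)
```
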
Prior to the second version of the kernel, "IP camouflage" was managed by the IP forwarding management module (IPFWADM, ipfwadm). Although the second version of the kernel provides the faster and more complex IPCHAINS, it still provides an IPFWADM wrapper for backward compatibility, so in this article the author uses IPFWADM as the example to explain how to set up "IP camouflage".
In addition, some applications that use non-standard packets, such as RealAudio and CU-SeeMe, require special modules; you can also get information about these from the above sites.
Okay! Your system's "IP camouflage" should now work properly. If you want more detailed information, you can refer to the HOWTO mentioned above.
Over the past six months, the price of 56K analog modem cards has dropped sharply. However, most of the new cards remove the control microprocessor from the board, placing an additional load on the system's main CPU, and Linux does not support these "WinModem" cards. Although Linux kernel experts are capable of writing drivers for WinModem cards, they also understand that it is absolutely unwise to sacrifice system performance in order to save $10.
Please make sure that the modem card you are using has jumpers to configure COM1, COM2, COM3 and COM4, so that it can work properly under Linux. You can find a complete list of Linux-compatible modem cards.
While writing this article, the author spent some time testing various modem cards. Linux supports plug-and-play devices, so I bought a jumperless modem card made by Amjet and ran into another troubling problem.
The PC the author tested was an old 486 using the 1994 version of AMIBIOS. After this plug-and-play modem card was installed, the computer would not boot, and the screen showed "Primary hard disk failure". On inspection, it turned out that the plug-and-play BIOS had unexpectedly assigned interrupt 15, which should have been reserved for the hard disk controller, to the modem card. In the end, the author gave up using plug-and-play products on old computers because it was not worth the time. Therefore, before purchasing a modem card, please check whether it has jumpers for COM1 through COM4.
On the author's bulletin board, I saw several people asking whether multiple dial-up lines could be used to increase their Internet connection speed. The best example here is 128K ISDN, which uses two 56K channels simultaneously to achieve a speed of 128K. When an ISP provides such a service, it actually configures two separate lines that connect to the same IP.
As you can see, although there are modules such as EQL on Linux that allow you to use two modem cards in your computer at the same time, unless the ISP provides the same IP for both dial-up connections, the two cards only help with sending data.
If you dial a normal ISP PPP line, you will get an IP address, and packets sent back from the server will find you among millions of computers; and each time you dial into the ISP, you will get a different IP address.
The packet sent by your browser also contains a local IP address for the server to reply to. EQL can distribute these outgoing packets across different ISP lines, but when the data is sent back, it can only be received through one IP address, the address that the browser thinks is in use. If ISDN is used, the ISP deals with this problem; some ISPs will provide the same IP address for dial-up access over multiple lines, but it is very expensive.
In the pursuit of speed, do not overlook the efficiency of the Linux firewall. Six users in the author's office share a 56K analog modem through the "IP camouflage" firewall, which works so well that it slows down only when someone downloads large files. Before you decide to install multiple ISP dial-up lines, try setting up an "IP camouflage" server. The way Windows handles multiple IPs is not very efficient, and you will be surprised by the performance improvement from separating the Windows network from the modem.
In short, the "IP camouflage" method used by Linux is to hide your IP from others on the Internet.