High-performance dual-purpose Linux firewall: detailed analysis
  Add Date : 2018-11-21      
Functional description:

A WEB proxy and a packet filter in one. Packet filtering is done with iptables, combined with the well-known Squid to provide a transparent (NAT) WEB proxy. Squid's proxy performance is already the leader among proxy servers, and this system pushes it to the extreme: ramdisk technology keeps Squid's cached pages in memory, so a page has to be fetched from the network only the first time it is visited and is served from memory every time after that. Below are the method and the steps used to implement this on Red Hat 7.2.

(1) Choose a reasonably stable machine fitted with two network cards, 256 or 512M of memory and a 10G hard disk (note: the first card connects to the internal network, the second card to the external network).
(2) Install Red Hat 7.2, choosing the server installation type with automatic partitioning.
(3) About 10-15 minutes later the system is installed; reboot into it and start configuring the system.

1. Enable packet forwarding

Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, and save. This lets the Linux kernel forward IP packets, that is, pass IP packets that arrive on one network interface out through another interface; without it the system cannot act as a packet-filtering firewall.

2. Activate the ramdisk

Modify /etc/grub.conf:

# boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
        root (hd0,0)
        kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=268435
        initrd /initrd-2.4.7-10.img

ramdisk=268435 is the part we add; it tells the system that the default ramdisk size is 268435k, that is, 256M. Never write 256M directly: the system does not understand it, and the value must be given in K for it to work (several months of trial and error went into that!). Once this is set, the system creates a 256M virtual disk automatically after a restart. Of course, size the parameter according to your own memory: if you do not run X Windows, giving it half of the total memory is no problem, because the Linux system itself does not need a lot of memory.

3. Set the Squid parameters

Edit /etc/squid/squid.conf and add the following entries at the end:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all
cache_dir ufs /squid 256 16 256

The first four parameters are the basis for Squid to act as a transparent proxy. "http_access allow all" allows every client machine to use the proxy; note that this line accepts requests from any address, so it is the firewall rules in step 6 that keep the proxy from being reachable from the external interface. The last line, "cache_dir ufs /squid 256 16 256", deserves special emphasis:

Squid's default cache_dir is "/var/spool/squid". Because we want the Squid cache contents to live in memory, it is changed to /squid here, and in the next step the ramdisk is mapped onto the /squid directory.

4. Create the ramdisk. This takes the following commands:

(1) mkdir /squid creates the directory "/squid"
(2) mkfs /dev/ramdisk creates a file system on the ramdisk
(3) mount /dev/ramdisk /squid mounts the ramdisk on the /squid directory.

Because the ramdisk disappears after every restart, we create a batch file that is run automatically at startup and rebuilds it:

#!/bin/sh
mkfs /dev/ramdisk
mount /dev/ramdisk /squid

Put these two commands in a file (the #!/bin/sh line lets the file run as a shell script when rc.local calls it directly); for now we call it myautoexec.bat. For convenience we create an /admin directory, save myautoexec.bat in /admin, and make it executable with: chmod +x /admin/myautoexec.bat

The system will not call it by itself, though, so one more thing is needed: edit /etc/rc.local and append the line /admin/myautoexec.bat at the end of the file, so that the system calls myautoexec.bat automatically at boot.

5. Initialize Squid.
Remember the "cache_dir ufs /squid 256 16 256" parameter? Initialization means Squid creates the specified number of directories under the cache_dir (here 16) and then 256 second-level directories inside each of them. The command is "squid -z". If you enter the command now, however, it reports an error, because /squid is currently owned by root and squid has no permission to operate on root's files; so first assign the /squid directory to the squid user with "chown squid.squid /squid", then run "squid -z" again and it completes in under a second. Done on disk rather than on the ramdisk, this usually takes tens of seconds.

These two commands should also be added to myautoexec.bat:

chown squid.squid /squid
squid -z

Finally add a line "squid", which starts the Squid service process. With that, the Squid setup is complete.

6. Set up NAT and firewall rules.

For convenience, create a file /admin/myfirewall and write the rules into it:

# ------ initialization part ------
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
iptables -F
iptables -t nat -F
# ------ end of initialization ------
# <<<<< start NAT: lets the internal computers masquerade behind the external address and reach the Internet
iptables -t nat -A POSTROUTING -o eth1 -s INTERNAL_NET -j MASQUERADE
# >>>>> end NAT
# Port switch: every request sent to external port 80 is redirected to 3128 so that Squid handles it
# <<<<< the key to the transparent proxy
iptables -t nat -A PREROUTING -i eth0 ! -d PROXY_IP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# >>>>> end port switch
# <<<<< firewall rules: adjust these to your own requirements
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp ! --sport 80 -j DROP
# The two rules above drop every ping packet arriving from the external network and every TCP packet
# from the external network that is not port-80 traffic (the replies to the proxy's own web requests
# arrive with source port 80), so only the internal network may ping outwards and only the internal
# network may use the external network's HTTP service. Write complete firewall rules to suit your own
# network security requirements; these are for reference only.

Note: every line beginning with # is an explanation and should not be written into the file. INTERNAL_NET and PROXY_IP stand for your internal subnet (in CIDR form) and the proxy's own eth0 address; substitute your own values. Save the file as /admin/myfirewall and run "chmod +x /admin/myfirewall" so that it can be executed. Then edit /admin/myautoexec.bat and add "/admin/myfirewall" as the last line.

At this point the whole high-performance firewall configuration is complete; run reboot, and after the restart it is working.
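As an added example (not the article's own script), the boot-time procedure of steps 1 and 4 to 6 collected into one POSIX shell script with the checks a practitioner would want: it only rebuilds the ramdisk when it is not already mounted, only runs squid -z when the cache tree is absent, and prints the rule set so it can be reviewed before it is loaded. It assumes the names used above (/squid, /dev/ramdisk, eth0 internal, eth1 external) and reads the internal subnet and proxy address from the INTERNAL_NET and PROXY_IP environment variables, whose defaults are constructed sample values.

```shell
#!/bin/sh
# Added example: boot-time helper for the ramdisk + Squid + iptables setup
# described above (not the article's own script). Assumed names: /squid,
# /dev/ramdisk, eth0 = internal, eth1 = external; INTERNAL_NET and PROXY_IP
# default to constructed sample values, replace them with your own.

# Return 0 only if the given sysctl file enables IPv4 forwarding (step 1).
check_forwarding() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# Print the NAT and filter rules (step 6) for the internal subnet $1 (CIDR)
# and the proxy's eth0 address $2, so the set can be reviewed before loading.
build_rules() {
    net=$1; proxy=$2
    cat <<EOF
modprobe iptable_nat
modprobe ip_nat_ftp
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth1 -s $net -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 ! -d $proxy -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp ! --sport 80 -j DROP
EOF
}

# Steps 4 and 5: create and mount the ramdisk only when it is not mounted
# yet, hand it to the squid user, and build the cache tree only if absent.
prepare_cache() {
    mp=$1; dev=$2
    mkdir -p "$mp"
    if ! grep -q " $mp " /proc/mounts; then
        mkfs -t ext2 "$dev" && mount "$dev" "$mp" || return 1
    fi
    chown squid:squid "$mp"
    [ -d "$mp/00" ] || squid -z    # squid -z creates /squid/00 .. /squid/0F
}

# Run the whole sequence only when invoked as: /admin/myautoexec.sh --boot
if [ "$1" = "--boot" ]; then
    check_forwarding /etc/sysctl.conf || echo 1 > /proc/sys/net/ipv4/ip_forward
    prepare_cache /squid /dev/ramdisk
    squid
    build_rules "${INTERNAL_NET:-192.168.1.0/24}" "${PROXY_IP:-192.168.1.1}" | sh
fi
```

Call it from /etc/rc.local with the --boot argument; without the argument it only defines the functions, so build_rules can be run by hand to inspect the rules first.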
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.