High-performance Linux firewall: detailed analysis of a dual-purpose (packet filter plus transparent proxy) setup
Add Date : 2018-11-21
Functional description:

A web proxy and a packet-filtering firewall on one machine. iptables does the packet filtering and the NAT; Squid, the best-known Linux proxy cache, provides the transparent web proxy. Squid's performance is already the leader among proxy servers, and this setup pushes it to the limit: a RAM disk holds Squid's cache, so a page has to be fetched from the network only the first time it is visited and is served from memory afterwards. The steps below were carried out on Red Hat 7.2 (a 2.4 kernel and Squid 2.x); the approach still applies, but both systems are long out of support and several directive and parameter names have changed since.

(1) Choose a stable machine with two network cards, 256 or 512 MB of RAM and a 10 GB disk. The first card (eth0) connects to the internal network, the second (eth1) to the external network.
(2) Install Red Hat 7.2, choosing the "server" installation type with automatic partitioning. A server-type install also enables services a firewall does not need; switch off everything except sshd and squid before the machine goes live.
(3) The installation takes about 10-15 minutes. Reboot into the new system and begin the configuration.

1. Enable packet forwarding

Edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then save. This lets the kernel forward IP packets from one network interface to another, the precondition for the machine to act as a packet-filtering firewall at all. The file is read at boot; sysctl -p applies it immediately. Note that as soon as forwarding is on, the machine routes between its two networks, so the firewall rules from step 6 must be in place first: a forwarding host with no rules is simply a router.

2. Activate the RamDisk

Edit /etc/grub.conf:

#boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
        root (hd0,0)
        kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=262144
        initrd /initrd-2.4.7-10.img

ramdisk=262144 is the part we add. It tells the kernel the default size of the RAM disk in kilobytes (ramdisk= is the old name of the parameter; ramdisk_size= is the current spelling, and 2.4 kernels accept both). Never write 256M: the kernel does not understand a size suffix here and silently ignores the setting, a lesson that took months to learn. The value must be in kilobytes, and 256 MB is 256 x 1024 = 262144 KB. (The original article used 268435, which gives a disk of roughly 262 MB; it works, but it is not the 256 MB the text claims.) Once this is set and the system rebooted, a 256 MB virtual disk exists automatically. Choose the size according to your memory: if you do not run X Windows, giving the RAM disk half of the total memory is fine, because the Linux system itself needs very little.

3. Set the Squid parameters

Edit /etc/squid/squid.conf and add the following entries at the end:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all
cache_dir ufs /squid 256 16 256

The first four parameters make Squid accept intercepted requests, the basis of a transparent proxy (they are Squid 2.5-era directives; Squid 2.6 and later replace all four with http_port 3128 transparent, and Squid 3.1 and later call it http_port 3128 intercept). "http_access allow all" lets every client use the proxy. That is tolerable only because the firewall rules in step 6 keep external hosts away from port 3128; for defence in depth, restrict the proxy to the internal subnet with an acl ... src entry, allow that acl and end with http_access deny all, so the proxy is not open to the world the moment a firewall rule is mistyped.

The last line, "cache_dir ufs /squid 256 16 256", deserves special emphasis. The fields are the storage type (ufs), the directory, the cache size in MB, the number of first-level subdirectories (16) and the number of second-level subdirectories under each (256). Squid's default cache_dir is /var/spool/squid; because we want the cache in memory, it is changed to /squid, the directory the RAM disk is mounted on in the next step. Give the filesystem some headroom: ext2 reserves 5% for root, which the squid user cannot use, and Squid needs space for its swap.state index, so a cache size of about 80% of the RAM disk (200 for a 256 MB disk) avoids "disk full" errors in the log.

4. Create the RAM disk. Three commands complete it:

(1) mkdir /squid            create the directory /squid
(2) mkfs /dev/ramdisk       create a filesystem on the RAM disk
(3) mount /dev/ramdisk /squid   mount the RAM disk on /squid

Since the squid user writes to this filesystem and nothing on it should ever be executed, mount it with -o nosuid,nodev,noexec.

The RAM disk disappears at every reboot, so to have the system rebuild it automatically at start-up we create a small script that loads it:

mkfs /dev/ramdisk
mount /dev/ramdisk /squid

Put these two commands in a file; for now call it myautoexec.bat. For convenience create a directory /admin, save the file as /admin/myautoexec.bat and make it executable with chmod +x /admin/myautoexec.bat.

The system will not call it on its own, so one more step: edit /etc/rc.local and add the line /admin/myautoexec.bat at the end of the file. rc.local runs as root at boot, so whatever is in this script runs as root: keep /admin and the script owned by root and writable by nobody else (chmod 700 is appropriate for both), otherwise any local user who can write there has a root shell at the next reboot.

5. Initialise Squid.

Remember the parameter "cache_dir ufs /squid 256 16 256"? Initialisation creates the first-level directories (16 of them here) under the cache_dir and then 256 second-level directories inside each. The command is "squid -z". Run now, it reports an error, because /squid is owned by root and Squid, which drops privileges to the squid user, cannot write to root-owned files. First hand the directory to the squid user with "chown squid:squid /squid" (the older "squid.squid" spelling also works), then run "squid -z" again: it finishes in under a second. On disk instead of on the RAM disk the same job typically takes tens of seconds.

Since the RAM disk is empty after every reboot, this step has to repeat at every boot as well, so add

chown squid:squid /squid
squid -z

to myautoexec.bat after the mount, and finally add a line containing just "squid", which starts the Squid service. That completes the Squid setup.

6. Set up NAT and the firewall rules.

For convenience, create a file /admin/myfirewall and write the rules into it:

# ------ initialisation
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
iptables -F
iptables -t nat -F
# ------ end of initialisation
# ------ start NAT: let the internal machines masquerade behind the external address
iptables -t nat -A POSTROUTING -o eth1 -s <internal-subnet> -j MASQUERADE
# ------ end NAT
# ------ port redirection, the key to the transparent proxy: every request the internal
# network sends to port 80 (other than to the proxy itself) is handed to squid on 3128
iptables -t nat -A PREROUTING -i eth0 ! -d <proxy-address> -p tcp --dport 80 -j REDIRECT --to-ports 3128
# ------ end port redirection
# ------ firewall rules: write these according to your own requirements
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp ! --dport 80 -j DROP

The two addresses were lost from the page as published: <internal-subnet> is the network on eth0 in CIDR form and <proxy-address> is the machine's own eth0 address; substitute your values. The page's INPUT rules also carried a -s whose argument was lost; since the description says they apply to everything arriving from the external network, -i eth1 alone expresses that and the -s is dropped here. The modules are loaded before the chains are flushed (the original did it the other way round, which only works because iptables autoloads them), and the negation is written in the current syntax; iptables of that era wrote it --dport ! 80 and -d ! address.

According to the article, the last two rules drop all ping packets from the external network and all requests from the external network that are not for port 80, so that only the internal network may use HTTP on the outside. They do not achieve that, and they have three defects worth fixing before the machine goes live. First, the INPUT policy is left at ACCEPT, so these rules blacklist two cases and accept everything else from the Internet side, UDP included. Second, replies to the proxy's own outbound requests arrive with source port 80 and a high destination port, so dropping everything from eth1 whose destination port is not 80 discards exactly the traffic Squid depends on, while an inbound connection to port 80 on the firewall itself is allowed. Third, the FORWARD chain is never touched, so with ip_forward=1 anything from the outside that has a route into the internal network is forwarded unfiltered. The script loads ipt_state and never uses it: the fix is a DROP policy on INPUT and FORWARD, an early -m state --state ESTABLISHED,RELATED -j ACCEPT on both chains, and explicit rules for the few new connections that should be allowed (port 3128 from the internal interface, and forwarding from eth0 out of eth1). Complete the rules according to your own network's security requirements; the ones shown are only a reference.

Lines beginning with # are comments and may stay in the file. Save it as /admin/myfirewall and make it executable (chmod 700 /admin/myfirewall; it runs as root at boot, so it must not be writable by anyone else). Edit /admin/myautoexec.bat and add /admin/myfirewall as its last line.

With that, the whole high-performance firewall configuration is complete. Run reboot; after the restart it is operational. Before relying on it, check with iptables -L -n -v and iptables -t nat -L -n -v that the counters on the REDIRECT and MASQUERADE rules increase while an internal client browses, and from a host on the external side that port 3128 is not reachable.
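The following is an added example, not the article's own scripts: a single boot script that does the work of /admin/myautoexec.bat and /admin/myfirewall from steps 2 to 6 (RAM disk sizing, cache mount, Squid initialisation, NAT, transparent redirection and the packet filter) with the defects discussed above corrected. Everything about the network is an assumption made for the example: eth0 faces the LAN, eth1 the Internet, the LAN is 192.168.1.0/24, the proxy's LAN address is 192.168.1.1 and the RAM disk device is /dev/ram0 (set RAMDEV=/dev/ramdisk if that is the node your system provides, as the article does). Without an argument it is a dry run that prints every command; "apply" executes them and is what rc.local should call as root; "squid-acl" prints the squid.conf lines that replace "http_access allow all".

```shell
#!/bin/sh
# Added example, not code from the article: one boot script covering steps 2-6
# (ramdisk, squid init, NAT, firewall), with the defects noted in the text fixed.
# Assumptions (mine, not the article's): eth0 faces the LAN, eth1 the Internet,
# the LAN is 192.168.1.0/24 and the proxy's LAN address is 192.168.1.1.
# Usage:  sh myautoexec.sh            -> dry run, prints every command
#         sh myautoexec.sh apply      -> executes them (run as root from rc.local)
#         sh myautoexec.sh squid-acl  -> prints the squid.conf ACL lines to append

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_IP=${LAN_IP:-192.168.1.1}
CACHE_DIR=${CACHE_DIR:-/squid}
RAMDEV=${RAMDEV:-/dev/ram0}   # the article mounts /dev/ramdisk; set RAMDEV to match
RUN=echo                      # emptied in apply mode so the commands really execute

# The kernel's ramdisk_size= (old name: ramdisk=) is in KiB and parses no suffix,
# so 256 MiB must be written as 262144, not "256M" and not 268435.
ramdisk_kb() { echo $(( $1 * 1024 )); }

# Replaces the article's "http_access allow all": only LAN clients may use the
# proxy, independently of what the packet filter does.
squid_acl_fragment() {
    printf 'acl localnet src %s\nhttp_access allow localnet\nhttp_access deny all\n' "$LAN_NET"
}

ipt() { $RUN iptables "$@"; }

# Cache on a fresh ramdisk every boot: no setuid, no device nodes, nothing
# executable, owned by the unprivileged squid user before "squid -z" builds the tree.
setup_ramdisk() {
    $RUN mkdir -p "$CACHE_DIR"
    $RUN mkfs -t ext2 -q "$RAMDEV"
    $RUN mount -o nosuid,nodev,noexec "$RAMDEV" "$CACHE_DIR"
    $RUN chown squid:squid "$CACHE_DIR"
    $RUN chmod 750 "$CACHE_DIR"
    $RUN squid -z
}

# Default-deny packet filter with stateful replies, replacing the article's
# blacklist rules (which never match UDP, leave FORWARD open and would drop the
# port-80 replies the proxy itself depends on).
fw_rules() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections the box itself accepts: intercepted web traffic and ssh, LAN only
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # transparent proxy: LAN port-80 traffic not addressed to the proxy itself goes to squid
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports 3128
    # everything else the LAN originates (443, DNS, ...) is forwarded and masqueraded
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # nothing from the Internet side may open a connection inward; keep a sample in the log
    ipt -A INPUT -i "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

main() {
    case "${1:-}" in
        apply)     RUN= ;;
        squid-acl) squid_acl_fragment; return 0 ;;
    esac
    $RUN modprobe ip_conntrack_ftp     # 2.4-era helper module names, as on the article's system
    $RUN modprobe ip_nat_ftp
    setup_ramdisk
    fw_rules
    # forwarding is switched on last, after the filter is loaded, so the box never
    # routes unfiltered, not even for a moment during boot
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN squid
}

main "$@"
```

The dry run is the review step: read the printed commands once, then run the script with "apply" from rc.local. The LOG rule on eth1 is the firewall's own canary; a stream of "fw-drop:" lines in the kernel log with a destination port of 3128 means someone outside is probing for an open proxy, and the DROP policy is what keeps it closed.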
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.