High-performance dual-function Linux system firewall: detailed analysis
Add Date : 2018-11-21
Functional description:

This is a web proxy and a packet filter in one. Packet filtering is done with iptables, and combined with the well-known Squid for Linux it gives a transparent web NAT proxy. Squid's proxy performance is already the leader among proxy servers, and this system pushes it to the extreme: with ramdisk technology the Squid cache pages are placed in memory, so only the first visit to a page has to go out to the network and every later visit is served from memory. Here is how to implement it on Red Hat 7.2.

(1) Choose a reasonably stable machine fitted with two network cards, 256 or 512M of memory and a 10G hard disk. (Note: the first network card connects to the internal network, the second to the external network.)
(2) Install Red Hat 7.2, choosing the server installation type and automatic partitioning.
(3) The installation takes roughly 10-15 minutes; when it finishes, reboot into the system and start configuring it.

1. Enable packet forwarding

Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1 and save. This lets the Linux kernel forward IP packets, i.e. pass a packet that arrived on one network interface out through another; without it the system cannot act as a packet-filtering firewall.

2. Activate the RamDisk

Modify /etc/grub.conf:

# boot=/dev/sda
default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Linux (2.4.7-10)
        root (hd0,0)
        kernel /vmlinuz-2.4.7-10 ro root=/dev/sda6 ramdisk=268435
        initrd /initrd-2.4.7-10.img

ramdisk=268435 is the part we add. It tells the kernel that the default ramdisk size is 268435k, i.e. 256M. Never write 256M directly: the kernel does not understand it, the value must be given in K (several months of trial and error went into finding that out!). Once it is set and the system restarted, a 256M virtual disk is created automatically. Choose the value according to your own memory size; if you do not run X Windows, giving it half of the total memory is no problem, because the Linux system itself does not need much memory. (On 2.4 kernels ramdisk= is the older spelling of ramdisk_size=; both take kilobytes.)

3. Set the squid parameters

Edit /etc/squid/squid.conf and append the following entries at the end:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
http_access allow all
cache_dir ufs /squid 256 16 256

The first four parameters give squid the basis for acting as a transparent proxy. "http_access allow all" lets every client machine use the proxy; it is only acceptable because the firewall rules in step 6 drop external connections to every TCP port other than 80, so the proxy port is not reachable from outside. Special emphasis on the last line, "cache_dir ufs /squid 256 16 256":

squid's default cache_dir is "/var/spool/squid". Because we want the squid cache contents in memory, it is changed to /squid here, and in the next step the ramdisk is mapped onto the /squid directory.

4. Create the ramdisk. This takes the following three commands:

(1) mkdir /squid              creates the directory /squid
(2) mkfs /dev/ramdisk         creates a file system on the ramdisk
(3) mount /dev/ramdisk /squid mounts the ramdisk on the /squid directory.

Since the ramdisk disappears at every restart, to have the system rebuild it automatically at boot we put the two commands that load the ramdisk into a script:

mkfs /dev/ramdisk
mount /dev/ramdisk /squid

Save these two commands in a file; for now we call it myautoexec.bat. For convenience create a directory /admin, save the file as /admin/myautoexec.bat and make it executable: chmod +x myautoexec.bat

The system will not call it on its own, so one more thing is needed: edit /etc/rc.local and append the line /admin/myautoexec.bat, so that the system calls myautoexec.bat automatically at startup.

5. Initialise squid.

Remember the parameter "cache_dir ufs /squid 256 16 256"? Initialising squid actually creates the specified number of first-level directories under the cache_dir (16 here) and 256 second-level directories inside each of them. The command is "squid -z". Entering it now, however, reports an error: /squid is currently owned by root, and squid has no permission to operate on root's files, so first assign the /squid directory to the squid user with "chown squid.squid /squid". Run "squid -z" again and it completes in under a second. If this were done on disk rather than on the ramdisk it would usually take tens of seconds.

Again, these two commands

chown squid.squid /squid
squid -z

should also be written into myautoexec.bat, and finally add a line "squid", which starts the squid service process. At this point the squid setup is complete.
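The boot-time script that steps 4 and 5 build up, written out as an added example (my own code, not from the original page) with the checks a practitioner would want: it will not run mkfs on a ramdisk that is already mounted on /squid, and it skips squid -z when the cache directories already exist. The names /dev/ramdisk, /squid, the squid user and /admin/myfirewall are the page's; MOUNT_TABLE is an assumed parameter so the mount check can be exercised offline.

```shell
#!/bin/sh
# Added example: idempotent replacement for /admin/myautoexec.bat.
# Unlike the page's script it refuses to mkfs a ramdisk that is
# already mounted (which would wipe the live cache) and only runs
# squid -z when the cache directories are missing.
RAMDISK_DEV=/dev/ramdisk   # names below are taken from the page
CACHE_DIR=/squid
SQUID_USER=squid
MOUNT_TABLE=${MOUNT_TABLE:-/proc/mounts}   # parameter: allows offline testing

# mounted_at TABLE DIR: succeed if DIR is listed as a mount point in TABLE
# (a file in /proc/mounts format).
mounted_at() {
    awk -v dir="$2" '$2 == dir { found = 1 } END { exit !found }' "$1"
}

# cache_initialised DIR: squid -z with "cache_dir ufs /squid 256 16 256"
# creates 16 first-level directories named 00..0F; check both ends.
cache_initialised() {
    [ -d "$1/00" ] && [ -d "$1/0F" ]
}

setup_cache() {
    mkdir -p "$CACHE_DIR"
    if mounted_at "$MOUNT_TABLE" "$CACHE_DIR"; then
        echo "$CACHE_DIR already mounted, keeping the existing cache"
    else
        mkfs "$RAMDISK_DEV" || exit 1      # the ramdisk is empty after every boot
        mount "$RAMDISK_DEV" "$CACHE_DIR" || exit 1
    fi
    chown "$SQUID_USER:$SQUID_USER" "$CACHE_DIR"   # squid -z fails on a root-owned dir
    cache_initialised "$CACHE_DIR" || squid -z      # build the swap directories
    squid                                           # start the proxy
    /admin/myfirewall                               # load NAT + filter rules
}

# Only act when explicitly asked, so sourcing the file has no side effects;
# call it from /etc/rc.local as: /admin/myautoexec.bat start
if [ "${1:-}" = start ]; then
    setup_cache
fi
```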

6. Set up NAT and firewall rules.

For convenience, create a file /admin/myfirewall and write the rules into it:

# ------ initialisation part
iptables -F
iptables -t nat -F
modprobe ip_tables
modprobe iptable_nat
modprobe iptable_filter
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
# ------ end of initialisation
# The page's own -s/-d address arguments did not survive; these placeholders
# mark where they belong. Fill them in for your network before running.
INTERNAL_NET=__INTERNAL_NET__          # internal network behind eth0, in CIDR form
NO_REDIRECT_DEST=__NO_REDIRECT_DEST__  # destination excluded from the port-80 redirect
# ------ start NAT: lets the internal machines masquerade onto the Internet
iptables -t nat -A POSTROUTING -o eth1 -s "$INTERNAL_NET" -j MASQUERADE
# ------ end NAT
# Port switch: every request sent towards the external network on port 80 is
# sent to 3128 instead, so that squid handles it. This is the key to the
# transparent proxy. (On the iptables 1.2 shipped with Red Hat 7.2 the negation
# goes after the option: "-d ! addr" and "--dport ! 80".)
iptables -t nat -A PREROUTING -i eth0 ! -d "$NO_REDIRECT_DEST" -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# ------ end port switch
# Firewall rules: adjust these to your own requirements.
# Added here: accept replies to connections this box (squid) opened itself.
# Without it the "not port 80" rule below would also drop the web servers'
# answers to squid, which arrive on eth1 with an ephemeral destination port.
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp ! --dport 80 -j DROP
# The ICMP and TCP rules above drop every ping packet arriving from the external
# network and every TCP request from outside that is not aimed at port 80: the
# outside cannot ping the internal network, and only the HTTP service is
# reachable from outside. The original rules also carried a source address (-s)
# that was lost from the page; without it they match any external source, which
# is what this explanation describes. Complete the firewall rules according to
# your own network security requirements; these are only a reference.

Note: lines starting with # are explanations and need not be written into the file (as shell comments they are harmless if you do). Save the file as /admin/myfirewall and run "chmod +x /admin/myfirewall" so that it can execute. Then edit /admin/myautoexec.bat and add "/admin/myfirewall" as its last line.

At this point all of our high-performance firewall configuration is complete; run reboot, and after the restart it is working.
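After the reboot, a post-boot check script, added here as an example (not part of the original page), verifies the pieces the setup depends on: ip_forward, the REDIRECT and MASQUERADE rules, and that /squid really sits on a ram device rather than on disk. It assumes eth0 internal, eth1 external and squid on port 3128 as configured above; each check reads the relevant command output from a file so the parsing can be tested offline.

```shell
#!/bin/sh
# Added example: post-reboot checks for the transparent-proxy firewall above.
# Each check parses command output from a file so it can be exercised offline;
# run_checks wires the checks to the live system.

# forwarding_enabled FILE: FILE holds /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# redirect_rule_present FILE: FILE holds "iptables -t nat -L PREROUTING -n";
# look for the port 80 -> 3128 REDIRECT that makes the proxy transparent.
redirect_rule_present() {
    grep -q 'REDIRECT.*dpt:80.*redir ports 3128' "$1"
}

# masquerade_present FILE: FILE holds "iptables -t nat -L POSTROUTING -n"
masquerade_present() {
    grep -q '^MASQUERADE' "$1"
}

# cache_on_ramdisk FILE DIR: FILE is in /proc/mounts format; the cache must
# sit on a /dev/ram* device, otherwise the whole speed-up has been lost.
cache_on_ramdisk() {
    awk -v dir="$2" '$2 == dir && index($1, "/dev/ram") == 1 { ok = 1 }
                     END { exit !ok }' "$1"
}

run_checks() {
    status=0
    pre=$(mktemp); post=$(mktemp)
    iptables -t nat -L PREROUTING -n > "$pre"
    iptables -t nat -L POSTROUTING -n > "$post"
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || { echo "FAIL: ip_forward is 0"; status=1; }
    redirect_rule_present "$pre" || { echo "FAIL: no REDIRECT 80 -> 3128 in PREROUTING"; status=1; }
    masquerade_present "$post" || { echo "FAIL: no MASQUERADE in POSTROUTING"; status=1; }
    cache_on_ramdisk /proc/mounts /squid || { echo "FAIL: /squid is not on a ramdisk"; status=1; }
    rm -f "$pre" "$post"
    return "$status"
}

# Run as: sh check-proxy.sh check   (as root, to read the nat table)
if [ "${1:-}" = check ]; then
    run_checks
fi
```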
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.