  To use Linux to create a secure managed gateway
     
  Add Date : 2017-08-31      
         
         
         
We first install the gateway system on a machine with three NICs: the first, eth0, carries the public IP address 212.1.1.1; the second, eth1, has the IP address 192.168.1.1.

Here we use CentOS, a RedHat-derived Linux distribution. After installation the system already ships with a complete firewall, iptables. First we create the firewall script and give it execute permission:

#touch /etc/rc.d/firewall
#chmod u+x /etc/rc.d/firewall

To let the clients reach the Internet, the first thing written into this file enables IP forwarding:

#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward

Before adding rules, the existing rules and user-defined chains need to be cleared from the filter, nat and mangle tables:

iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
iptables -F -t mangle
iptables -t mangle -X

To help guard against spoofing attacks, you can add the following block, which turns off TCP Explicit Congestion Notification (ECN) when the kernel supports it:

if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

Next we set the policies of the three built-in iptables chains and the basic INPUT rules:

iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
PORT="80,21,110,23"
iptables -A INPUT -p tcp -m multiport --dports $PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j MIRROR
iptables -P INPUT DROP

Two points to check before running this. The rule "iptables -A INPUT -i eth0 -j ACCEPT" accepts everything arriving on the interface that was defined above as the public one (212.1.1.1), so the multiport rule and the DROP policy that follow never see that traffic; on a gateway it is the LAN interface eth1 that is normally trusted in this way. The MIRROR target, which bounced unmatched packets back to their sender, was removed from the Linux kernel many years ago and is not available on current systems, so that line fails with a modern iptables; the DROP policy on its own is the usual choice.

With the preparatory work done, we now add the rules for the individual network management functions.

# Forbid hosts in the 192.168.1.1/24 segment from using P2P software, meaning BitTorrent-style downloads
iptables -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.254 -m ipp2p --ipp2p -j DROP

# Block access to a specified web site
iptables -A FORWARD -m domain --name "www.test.com" -j DROP

# Forbid the use of QQ during working hours
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -j DROP

A special note: the layer7 module used here can disable most of the IM tools available today. The ipp2p, layer7 and domain matches are not part of stock iptables (layer7 comes from the l7-filter project); they need a kernel and an iptables build that include those extensions, so check that they load before relying on these rules.

# If a client on the LAN is causing trouble, it can be cut off with the following rule
iptables -I FORWARD -m mac --mac-source 00:11:FF:FF:FF:FF -j DROP

where 00:11:FF:FF:FF:FF is the MAC address of that client.

# Map the web server on the internal network to the public network
iptables -t nat -A PREROUTING -p tcp -d 212.1.1.1 --dport 80 -j DNAT --to 192.168.1.10:80

In the same way we can easily map mail, FTP and other services to the public network.
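The base INPUT policy and the port-mapping pattern above, as an added example that is not the article's own script: a POSIX shell generator that prints the iptables commands for review instead of applying them (IPT defaults to "echo iptables"; run it with IPT=iptables as root to apply). The interface names eth0/eth1, the port list and the service map of web, mail and FTP hosts are assumptions chosen to match the article's addresses; the generator trusts the LAN interface rather than the public one and leaves out the MIRROR target.

```shell
#!/bin/sh
# Added example (not the article's script): prints the gateway's base
# INPUT policy and the public-to-internal port mappings as iptables
# command lines so the rule set can be reviewed before it is applied.
# IPT defaults to a dry run; set IPT=iptables to apply for real.
# Interface names, ports and the service map below are assumptions.
IPT="${IPT:-echo iptables}"

# base_input_rules WAN_IF LAN_IF PORTS
# Trusts loopback and the LAN interface, admits only the listed TCP
# service ports plus established/related traffic from the WAN side,
# and drops everything else (no MIRROR target).
base_input_rules() {
    wan_if=$1; lan_if=$2; ports=$3
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$lan_if" -j ACCEPT
    $IPT -A INPUT -i "$wan_if" -p tcp -m multiport --dports "$ports" \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P INPUT DROP
}

# dnat_rules PUBLIC_IP  (service map on stdin: "proto port internal:port")
# Emits one PREROUTING DNAT rule per mapped service; comment lines and
# blank lines are skipped.
dnat_rules() {
    public_ip=$1
    while read -r proto port target; do
        case "$proto" in ''|'#'*) continue ;; esac
        $IPT -t nat -A PREROUTING -p "$proto" -d "$public_ip" \
            --dport "$port" -j DNAT --to-destination "$target"
    done
}

# Constructed service map: the article's web server 192.168.1.10 behind
# public address 212.1.1.1, plus assumed mail and FTP hosts.
SERVICE_MAP='# proto port internal
tcp 80 192.168.1.10:80
tcp 25 192.168.1.11:25
tcp 21 192.168.1.12:21'

base_input_rules eth0 eth1 80,21,110,23
printf '%s\n' "$SERVICE_MAP" | dnat_rules 212.1.1.1
```

Because FORWARD keeps the ACCEPT policy from the article, no extra FORWARD rule is needed for the mapped hosts; if that policy is later tightened, each mapping also needs a matching FORWARD accept.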

Next we use tc together with this to limit the speed of each client:

tc qdisc del dev eth0 root 2>/dev/null
tc qdisc add dev eth0 root handle 2: htb
tc class add dev eth0 parent 2: classid 2:1 htb rate 1024kbit
i=1
while [ $i -lt 254 ]
do
tc class add dev eth0 parent 2:1 classid 2:2$i htb rate 1024kbit ceil 1024kbit burst 15k
tc qdisc add dev eth0 parent 2:2$i handle 2$i: sfq
tc filter add dev eth0 parent 2:0 protocol ip prio 4 u32 match ip dst 192.168.1.$i flowid 2:2$i
i=`expr $i + 1`
done

Once this script runs, a client whose speed exceeds 1024kbit is throttled back to that rate, with the burst 15k parameter allowing it to exceed the rate only briefly.
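The per-client shaping loop above, as an added example (not the article's script) in dry-run form: it derives each host's class id and prints the tc commands so the numbering can be checked before anything is applied (TC defaults to "echo tc"; set TC=tc to run as root). It shapes eth1, the assumed LAN interface, because HTB shapes traffic leaving an interface and packets destined for 192.168.1.x leave the gateway on the LAN side; the prefix, the rates and the host range are parameters.

```shell
#!/bin/sh
# Added example (not the article's script): generates the per-client HTB
# shaping commands for one LAN interface and prints them, so the class
# and handle numbering can be reviewed before applying. TC defaults to a
# dry run; set TC=tc to apply as root. Interface, prefix and rates are
# assumptions chosen to mirror the article's values.
TC="${TC:-echo tc}"

# client_class N: the classid the article's scheme gives host N,
# i.e. the digit 2 prefixed to N (2:21 for .1, 2:2253 for .253).
client_class() { echo "2:2$1"; }

# client_shaping DEV PREFIX LINK_RATE PER_CLIENT_RATE FIRST LAST
# Root HTB qdisc and one parent class at LINK_RATE, then one leaf class,
# one SFQ qdisc and one u32 filter per host PREFIX.FIRST .. PREFIX.LAST.
client_shaping() {
    dev=$1; prefix=$2; link=$3; per=$4; first=$5; last=$6
    $TC qdisc del dev "$dev" root 2>/dev/null
    $TC qdisc add dev "$dev" root handle 2: htb
    $TC class add dev "$dev" parent 2: classid 2:1 htb rate "$link"
    i=$first
    while [ "$i" -le "$last" ]; do
        cls=$(client_class "$i")
        $TC class add dev "$dev" parent 2:1 classid "$cls" htb \
            rate "$per" ceil "$per" burst 15k
        $TC qdisc add dev "$dev" parent "$cls" handle "2$i:" sfq
        $TC filter add dev "$dev" parent 2:0 protocol ip prio 4 u32 \
            match ip dst "$prefix.$i" flowid "$cls"
        i=$((i + 1))
    done
}

# Shape the LAN side: traffic toward 192.168.1.1 .. 192.168.1.253 leaves
# the gateway through eth1 (assumed LAN interface).
client_shaping eth1 192.168.1 1024kbit 1024kbit 1 253
```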

To prevent IP address theft on the LAN, we can edit the /etc/ethers file in the format below, one entry per line:

IP-addr MAC-addr

After writing it, run arp -f to load the static entries. From then on a client whose IP address and MAC address do not match its entry cannot get online, which effectively prevents ARP spoofing attacks. Note that this pins the IP-to-MAC bindings in the gateway's own ARP cache only; the ARP caches of the clients themselves are not protected by it.
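Added example (not from the article): a checker for the /etc/ethers file to run before arp -f loads it, rejecting malformed IP or MAC addresses and duplicate entries so that a typo does not silently leave a client without its static binding. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the article): validates an /etc/ethers-style
# "IP-addr MAC-addr" file before it is loaded with arp -f. Reports
# malformed addresses and duplicate IP or MAC entries; the sample file
# at the bottom is constructed for illustration.

# valid_ipv4 A.B.C.D -> exit 0 if exactly four dotted octets in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_mac XX:XX:XX:XX:XX:XX -> exit 0 if six colon-separated hex pairs
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# check_ethers FILE: prints one diagnostic per bad line and returns the
# number of problems found (0 means the file is safe to load).
check_ethers() {
    errors=0; seen_ip=""; seen_mac=""; n=0
    while read -r ip mac extra; do
        n=$((n + 1))
        case "$ip" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "line $n: malformed entry: $ip $mac $extra"
            errors=$((errors + 1)); continue
        fi
        mac=$(echo "$mac" | tr 'A-F' 'a-f')   # compare MACs case-insensitively
        case " $seen_ip " in
            *" $ip "*) echo "line $n: duplicate IP $ip"; errors=$((errors + 1)) ;;
        esac
        case " $seen_mac " in
            *" $mac "*) echo "line $n: duplicate MAC $mac"; errors=$((errors + 1)) ;;
        esac
        seen_ip="$seen_ip $ip"; seen_mac="$seen_mac $mac"
    done < "$1"
    return $errors
}

# Constructed sample: two good entries, a duplicate IP, an invalid
# octet (300) and a duplicate MAC, so three problems are expected.
ETHERS_SAMPLE=$(mktemp)
cat > "$ETHERS_SAMPLE" <<'EOF'
# constructed sample /etc/ethers
192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:56
192.168.1.11 00:11:22:33:44:57
192.168.1.300 00:11:22:33:44:58
192.168.1.12 00:11:22:33:44:55
EOF
if check_ethers "$ETHERS_SAMPLE"; then
    echo "ethers file is clean: safe to run arp -f"
else
    echo "problems found: fix them before running arp -f"
fi
rm -f "$ETHERS_SAMPLE"
```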

With this, a relatively secure gateway has been set up. Of course, security is a whole: do not overlook any detail, because every one of them can turn into a security risk.
     
         
         
         