Using Linux System IP Masquerading Against Hacker Attacks

  

Firewalls offer several different levels of security. Because Linux has many firewall packages to choose from, protection can range from low to high, and the most complex software provides almost impenetrable protection. However, the Linux kernel itself has a simple built-in mechanism called "IP masquerading" that can withstand all but the most specialized attacks.

When we dial up to the Internet, our computer is assigned an IP address so that others on the network can return data to it. Hackers use that IP address to reach data on your computer. Linux "IP masquerading" hides your IP address so that others on the network cannot see it. Several blocks of IP addresses are reserved for use on local networks, and Internet backbone routers do not recognize them. The author's computer has the IP address 192.168.1.127, but if you enter this address into your browser, you will receive nothing, because the Internet backbone does not recognize 192.168.X.X addresses. Countless computers on other intranets use the same addresses. Since you cannot reach them at all, you cannot break into them.

So solving the security problem on the Internet seems simple: just choose for your computer an IP address that other computers cannot reach, and everything is solved. Wrong! When you browse the Internet, the server must also return data to you, otherwise you see nothing on the screen, and the server can only return data to a legal IP address registered on the Internet backbone.

"IP masquerading" is the technology that solves this dilemma. When a computer running Linux is set up for "IP masquerading", it bridges the internal and external networks and automatically translates IP addresses from inside to outside and from outside to inside. This is usually called network address translation.

The actual "IP masquerading" is more complicated than this. Basically, an "IP masquerading" server sits between two networks. If you use an analog dial-up modem to reach the Internet, that is one of the networks; your internal network usually corresponds to an Ethernet card, which is the second network. If you use a DSL modem or cable modem, the system has a second Ethernet card instead of the analog modem. Linux can manage every IP address on these networks. So if a computer running Windows (IP 192.168.1.25) on the second network (Ethernet eth1) needs to reach the Internet through the cable modem (207.176.253.15) on Ethernet eth0, Linux "IP masquerading" intercepts all TCP/IP packets sent from its browser, extracts the original local address (192.168.1.25), and replaces it with the real address (207.176.253.15). Then, when the server returns data to 207.176.253.15, Linux automatically intercepts the return packet and fills in the correct local address (192.168.1.25).

Linux can manage several local computers (such as 192.168.1.25 and 192.168.1.34 in the Linux "IP masquerading" diagram) and process each packet without confusion. The author has an old 486 computer running Slackware Linux that handles packets sent by four computers to the cable modem at the same time without slowing down.
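How the translation described above keeps several internal hosts apart, as an added Python sketch that is not part of the original article or of the kernel's code: each outgoing flow gets its own port on the public address, and a reply with no matching entry is dropped. The 61000 starting port, the 198.51.100.7 destination and the class and function names are assumptions; the idle timeouts are the TCP and UDP values from the `ipfwadm -M -s 600 30 120` line later in the article.

```python
# Added illustration: a toy model of a masquerade table, not kernel code.
from dataclasses import dataclass

PUBLIC_IP = "207.176.253.15"          # external address used in the article's prose
TIMEOUT = {"tcp": 600, "udp": 120}    # idle seconds, from `ipfwadm -M -s 600 30 120`

@dataclass
class Entry:
    proto: str
    in_ip: str
    in_port: int
    last_seen: float

class Masquerader:
    def __init__(self, first_port=61000):   # starting port is an assumption
        self.next_port = first_port
        self.by_ext = {}                    # (proto, external port) -> Entry
        self.by_int = {}                    # (proto, ip, port) -> external port

    def outbound(self, proto, src_ip, src_port, dst, now):
        """Rewrite an internal packet's source to the public address."""
        self.expire(now)
        key = (proto, src_ip, src_port)
        ext = self.by_int.get(key)
        if ext is None:                     # first packet of a new flow
            ext = self.next_port
            self.next_port += 1
            self.by_int[key] = ext
            self.by_ext[(proto, ext)] = Entry(proto, src_ip, src_port, now)
        self.by_ext[(proto, ext)].last_seen = now
        return (PUBLIC_IP, ext, dst)

    def inbound(self, proto, dst_port, now):
        """Return the internal (ip, port) for a reply, or None to drop it."""
        self.expire(now)
        e = self.by_ext.get((proto, dst_port))
        if e is None:
            return None                     # unsolicited: nothing inside is reachable
        e.last_seen = now
        return (e.in_ip, e.in_port)

    def expire(self, now):
        """Forget flows that have been idle longer than their timeout."""
        for k, e in list(self.by_ext.items()):
            if now - e.last_seen > TIMEOUT[e.proto]:
                del self.by_ext[k]
                del self.by_int[(e.proto, e.in_ip, e.in_port)]

def demo():
    nat = Masquerader()                     # constructed sample traffic
    a = nat.outbound("tcp", "192.168.1.25", 1025, ("198.51.100.7", 80), now=0)
    b = nat.outbound("tcp", "192.168.1.34", 1025, ("198.51.100.7", 80), now=1)
    return a, b, nat.inbound("tcp", a[1], now=2), nat.inbound("tcp", 4444, now=2)
```

The model matches replies on protocol and port only; it does not check the remote endpoint of the reply.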

Prior to the second version of the kernel, "IP masquerading" was managed by the IP Transmit Management Module (IPFWADM, IP fw adm). Although the second version of the kernel provides the faster and more complex IPCHAINS, it still provides an IPFWADM wrapper to maintain backward compatibility. Therefore, in this article, the author uses IPFWADM as the example to explain how to set up "IP masquerading".

In addition, some applications, such as the non-standard packages used by RealAudio and CU-SeeME, require special modules, and you can also get relevant information from the above websites.

The author's server has two Ethernet cards, which are configured as eth0 and eth1 at kernel boot. Both cards are jumperless SN2000-style ISA cards, and most Linux systems recognize them. The author's Ethernet initialization is set up in rc.inet1 with the following commands:

    IPADDR="207.175.253.15"       # Change to the IP address of your cable modem.
    NETMASK="255.255.255.0"       # Change to your netmask.
    NETWORK="207.175.253.0"       # Change to your network address.
    BROADCAST="207.175.253.255"   # Change to your broadcast address.
    GATEWAY="207.175.253.254"     # Change to your gateway address.

    # Use the variables above to configure the cable modem Ethernet card
    /sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

    # Set the IP routing table
    /sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0

    # Configure the intranet Ethernet card eth1 (no variables used)
    /sbin/ifconfig eth1 192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0
    /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

    # Then initialize ipfwadm
    # Default forwarding policy: refuse everything not matched by the rules below
    /sbin/ipfwadm -F -p deny
    # Open (and masquerade) forwarding requests from 192.168.1.X
    /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
    # Masquerading timeouts in seconds: TCP sessions, TCP after FIN, UDP
    /sbin/ipfwadm -M -s 600 30 120

That's it! Your system's "IP masquerading" should now work. For more detailed information, refer to the HOWTO mentioned above, or to the MINI HOWTO at http://albali.aquanet.com.br/howtos/Bridge+Firewall-4.html. For more secure firewall techniques, see ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO.

In the past six months, the price of 56K analog modem cards has dropped sharply. However, most new modem cards leave out the control microprocessor on the board, which puts extra load on the system's main CPU, and Linux does not support these "WinModem" cards. Although Linux kernel experts are capable of writing drivers for WinModem cards, they also understand that it is not wise to sacrifice system performance in order to save $10.

Make sure that the modem card you use has jumpers for selecting COM1, COM2, COM3 and COM4. Such modem cards work normally under Linux. A complete list of Linux-compatible modem cards can be found at http://www.o2.net/~gromitkc/winmodem.html.

While writing this article, the author spent some time testing various modem cards. Linux supports plug-and-play devices, so the author bought a jumperless modem card from Amjet and ran into another confusing problem.

The test PC was an old 486 with a 1994 AMI BIOS. After the plug-and-play modem card was installed, the computer would not boot, and the screen showed "Primary hard disk failure". Inspection showed that the plug-and-play BIOS had taken interrupt 15, which should have been reserved for the hard disk controller, and assigned it to the modem card. In the end, the author gave up on plug-and-play products in older computers, because they are not worth the time. So before buying a modem card, check that it has jumpers for setting COM1 to COM4.

On the author's bulletin board (http://trevormarshall.com/BYTE/), several readers have asked whether multiple dial-up lines can be used to increase Internet speed. The best example is 128K ISDN, which uses two 56K channels simultaneously to reach 128K. When an ISP provides such a service, it actually configures two separate lines that connect to the same IP address. Although Linux has modules such as EQL that let you use two modem cards in one computer at the same time, unless the ISP gives both dial-up connections the same IP address, the two modem cards only help with outgoing data.

If you dial a normal ISP PPP line, you get an IP address, and that is how packets sent back from a server find you among millions of computers; every time you dial in to the ISP, you get a different IP address. Each packet sent by your browser also contains the local IP address to which the server should return data. EQL can distribute these outgoing packets across different ISP lines, but returning data can only arrive through one IP address, the one the browser believes it is using. With ISDN, the ISP handles this problem; some ISPs will provide matching IP addresses for dial-up access over multiple lines, but the price is very high.

When pursuing speed, do not overlook the efficiency of the Linux firewall. In the author's office, six users share a 56K analog modem through the "IP masquerading" firewall. It works very well, and the speed only drops when someone downloads a large file. Before you decide to install more than one ISP dial-up line, try setting up an "IP masquerading" server. Windows does not handle multiple IP addresses very efficiently, and separating the Windows network from the modem will surprise you with the performance gain.

In short, Linux "IP masquerading" hides your IP address so that others on the network cannot see it.
