LINUX network security. I am not an expert; I have simply used LINUX for a while and am writing up a little of my own experience for everyone to read, for information only. The easiest way to keep a networked host secure is to make sure it neither contacts nor is reachable from any public network: never connect your own network to a public network such as the INTERNET. In many situations, though, a security policy based on this kind of isolation is not acceptable.
Using private IP addresses is a simple and feasible method that can keep hackers away from users' personal computers. RFC 1918 defines IP address ranges that can be used on a local TCP/IP network. These addresses are never routed on the Internet, so they do not have to be registered or allocated, and you can use them freely for traffic that stays inside the local network. This is a fast and efficient way to deny outside access to your computers while still letting data flow between the internal computers. Because the official Internet standard, the RFC (Request For Comments), says private addresses cannot be routed on the Internet, a system that uses a private IP address cannot reach the Internet on its own. Setting up an IP masquerading server (a single LINUX server) solves that problem.

When a packet leaves your computer it carries your computer's own IP address as the source address. Before the LINUX server sends the packet to the outside world it rewrites (translates) the source address to the server's own address, and at the same time records the translation. When the packet is sent on to the INTERNET with the server's address as its source, the destination host can send a response back to that address. This creates one problem: the packet's source IP address is now the server's address rather than the user's computer's address, so the response from the external computer is delivered to the server. Therefore, before it can complete the transmission, the LINUX server must look the packet up in its table to determine which computer the packet belongs to, set the destination to that user's private address, and deliver it to that computer. It is clear that packets from a computer with a private IP address are now being carried over the Internet. That is why IP masquerading is also a genuine form of network address translation.
By default the Linux kernel has IP masquerading compiled in. If you have removed that function from your kernel, or you want to use the kernel's built-in IP masquerading, you need to recompile the kernel and then set up packet filtering rules that allow the translation. For IP masquerading to work you must also turn on IP forwarding on the server: set FORWARD_IPV4 to YES in the /etc/sysconfig/network file. To connect the internal network to the outside world, the IP masquerading server needs two network interfaces, one connected to the internal network and one used to connect the server to the outside world. For example, one interface (eth1 here) is configured with:

    /sbin/ifconfig eth1 inet 211.123.1.1 netmask 255.255.255.0

Give your computers IP addresses from 192.168.1.2 to 192.168.1.254, and in the network settings of every user's computer set the gateway to 192.168.1.1 with netmask 255.255.255.0, so that all the computers can communicate with each other. Then run:

    /sbin/ipchains -A forward -s 192.168.1.0/24 -d 0.0.0.0/0 -j MASQ
    /sbin/ipchains -P forward DENY

The first command turns on the IP masquerading service for IP datagrams whose destination address is not on the 192.168.1.0 network: it translates packets that originally came from the 192.168.1.0 network and sends them out through the other network interface to the default router. The second command sets the default forward policy to reject, so packets that do not come from the internal network are all denied. Put these commands in /etc/rc.d/rc.local and the server will start the IP masquerading function at boot. Since I wrote this in a hurry it is a bit messy and may not be complete; I hope everyone will bear with it. Note by xiaoxiang, China E An Union.
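The following is an added example, not code from the original post: a small Python model of what the masquerading server does with each packet, covering both the translation mechanism described earlier (source rewrite, a recorded mapping, reverse lookup when the reply comes back) and the forward chain with its masquerading rule and DENY default policy. It uses the 192.168.1.0/24 network and the 211.123.1.1 address from the post; the names MasqServer, Packet and Rule, the remote hosts 198.51.100.7 and 203.0.113.5 (documentation address ranges), the port numbers and the starting masquerade port 61000 are all constructed for the example. It also renders the rule list back into the ipchains commands it stands for.

```python
"""Toy model of an IP masquerading server: ipchains forward chain + masq table.
Added example for illustration; not the kernel's or ipchains' real code."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: addresses that are never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One 'ipchains -A forward -s SRC -d DST -j TARGET' rule."""
    src_net: str
    dst_net: str
    target: str  # "MASQ", "ACCEPT" or "DENY"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


class MasqServer:
    """The forward chain plus the table that records each translation."""

    def __init__(self, public_ip: str, policy: str = "DENY"):
        self.public_ip = public_ip
        self.policy = policy          # '-P forward DENY' in the post
        self.rules: list = []
        self.by_flow: dict = {}       # (src, sport, dst, dport) -> masq port
        self.by_port: dict = {}       # masq port -> (src, sport, dst, dport)
        self.next_port = 61000        # constructed starting port for rewrites

    def add_rule(self, src_net: str, dst_net: str, target: str) -> None:
        self.rules.append(Rule(src_net, dst_net, target))

    def ipchains_commands(self) -> list:
        """Render the chain as the ipchains commands it corresponds to."""
        cmds = [f"/sbin/ipchains -A forward -s {r.src_net} -d {r.dst_net} -j {r.target}"
                for r in self.rules]
        cmds.append(f"/sbin/ipchains -P forward {self.policy}")
        return cmds

    def forward_verdict(self, pkt: Packet) -> str:
        """First matching rule wins; otherwise the chain's default policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

    def outbound(self, pkt: Packet):
        """A packet from the internal side headed for the Internet."""
        verdict = self.forward_verdict(pkt)
        if verdict == "DENY":
            return None                       # dropped by the forward chain
        if verdict != "MASQ":
            return pkt                        # ACCEPT: forwarded unchanged
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        mport = self.by_flow.get(flow)
        if mport is None:                     # first packet of this flow: record it
            mport = self.next_port
            self.next_port += 1
            self.by_flow[flow] = mport
            self.by_port[mport] = flow
        # Source rewritten to the server's public address and a masq port.
        return Packet(self.public_ip, mport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """A packet arriving from the Internet addressed to the public IP."""
        if pkt.dst != self.public_ip:
            return None
        flow = self.by_port.get(pkt.dport)
        # Only a reply to a recorded flow (same remote host and port) is
        # translated back; anything else has no table entry and is dropped.
        if flow is None or (pkt.src, pkt.sport) != (flow[2], flow[3]):
            return None
        src, sport, _, _ = flow
        return Packet(pkt.src, pkt.sport, src, sport)


def build_server() -> MasqServer:
    """The configuration from the post: masquerade 192.168.1.0/24, deny the rest."""
    server = MasqServer(public_ip="211.123.1.1")   # public address from the post
    server.add_rule("192.168.1.0/24", "0.0.0.0/0", "MASQ")
    return server


if __name__ == "__main__":
    srv = build_server()
    print("\n".join(srv.ipchains_commands()))
    out = srv.outbound(Packet("192.168.1.2", 40000, "198.51.100.7", 80))
    print("outbound:", out)
    print("reply   :", srv.inbound(Packet("198.51.100.7", 80, "211.123.1.1", out.sport)))
    print("external:", srv.outbound(Packet("203.0.113.5", 1234, "198.51.100.7", 80)))
```

Two things the model makes visible that the prose only implies: a packet from outside the 192.168.1.0/24 network never matches the MASQ rule and so falls through to the DENY policy, and an inbound packet that does not correspond to a recorded outbound flow has no table entry and is simply dropped, which is why the masqueraded computers are not reachable from the Internet on their own.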