Saturday, November 27, 2010

Using Linux to build a secure management gateway

First we install the gateway system. The machine has two network cards (the post says three but describes only two): the first, eth0, carries the public address 212.1.1.1; the second, eth1, carries the LAN address 192.168.1.1. The distribution is CentOS, a Red Hat derived release. Once installation is complete the system already ships with a full iptables firewall, so all we have to do is write the rules. Create the firewall script and give it execute permission (the file still has to be called from somewhere such as /etc/rc.d/rc.local for it to run at boot):

    # touch /etc/rc.d/firewall
    # chmod u+x /etc/rc.d/firewall

So that clients can reach the Internet normally, the script starts by enabling forwarding and clearing any existing rules before loading the new ones:

    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # flush all rules and delete all user-defined chains in every table
    iptables -F
    iptables -t nat -F
    iptables -X
    iptables -t nat -X
    iptables -F -t mangle
    iptables -t mangle -X

The post then adds the following block as a measure against spoofing attacks:

    if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

Be aware of what this actually does: it only switches off TCP Explicit Congestion Notification, which helps with old routers and firewalls that drop ECN-marked packets. It does nothing about forged source addresses. The kernel control for that is reverse-path filtering (/proc/sys/net/ipv4/conf/all/rp_filter), which drops a packet if its source address would not be routed back out over the interface it arrived on.

Next we set up the three built-in chains. The LAN interface eth1 is treated as trusted; accepting everything on the public interface eth0 instead would make every rule that follows pointless:

    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # trust the LAN side only
    iptables -A INPUT -i eth1 -j ACCEPT
    PORT="80,21,110,23"
    iptables -A INPUT -p tcp -m multiport --dports $PORT -m state --state NEW -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j MIRROR
    iptables -P INPUT DROP

Two caveats on this block. The MIRROR target, which bounced packets back at their sender, was removed from the kernel long ago; a current kernel will reject the rule, and since the policy is DROP anyway the line can simply be left out. Port 23 opens telnet, a cleartext login, on the gateway itself; the usual management port is SSH (22), and the list should contain only services the gateway really offers.

With the preliminary work done, we move on to the rules that do the actual network management.

Forbid P2P software (the BitTorrent download class) for the hosts in 192.168.1.0/24:

    iptables -A FORWARD -m iprange --src-range 192.168.1.1-192.168.1.254 -m ipp2p --ipp2p -j DROP

Block access to a specified website:

    iptables -A FORWARD -m domain --name www.test.com -j DROP

Forbid QQ during working hours (Monday to Friday, 8:00-12:00 and 13:00-17:30):

    iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 8:00 --timestop 12:00 --days Mon,Tue,Wed,Thu,Fri -j DROP
    iptables -A FORWARD -m layer7 --l7proto qq -m time --timestart 13:00 --timestop 17:30 --days Mon,Tue,Wed,Thu,Fri -j DROP

A note on these modules: ipp2p, domain and layer7 are not part of stock iptables; they come from third-party patches (ipp2p and l7-filter) and need a kernel and iptables built with them. The `--days` option belongs to the old time match; the in-tree xt_time match calls it `--weekdays`. With layer7 you can block most of the instant-messaging tools on the market in the same way.

If a client computer on the LAN is found to be causing trouble, the following rule cuts it off, where 00:11:FF:FF:FF:FF is the client's MAC address:

    iptables -I FORWARD -m mac --mac-source 00:11:FF:FF:FF:FF -j DROP

Map the internal web server to the public address:

    iptables -t nat -A PREROUTING -p tcp -d 212.1.1.1 --dport 80 -j DNAT --to 192.168.1.10:80

In the same way, mail, FTP and other Internet services can easily be mapped to the public network.

Combined with tc, we can also limit each client's speed. The post attaches this to eth0, but traffic heading to 192.168.1.x leaves the gateway through eth1, so the shaping has to sit on the LAN-facing interface for the destination filter to match anything:

    tc qdisc del dev eth1 root 2>/dev/null
    tc qdisc add dev eth1 root handle 2: htb
    tc class add dev eth1 parent 2: classid 2:1 htb rate 1024kbit
    i=1
    while [ $i -lt 254 ]; do
        tc class add dev eth1 parent 2:1 classid 2:2$i htb rate 1024kbit ceil 1024kbit burst 15k
        tc qdisc add dev eth1 parent 2:2$i handle 2$i: sfq
        tc filter add dev eth1 parent 2:0 protocol ip prio 4 u32 match ip dst 192.168.1.$i flowid 2:2$i
        i=`expr $i + 1`
    done

What this script does is cap each client at 1024kbit (rate and ceil are equal, so the class can never borrow more), with a burst of 15k bytes; it does not "lower the speed by 15kbit". Note also that the child classes together promise far more than the 1024kbit of their parent class, so the guaranteed rates cannot actually be honoured; the parent rate should reflect the real link bandwidth.

To prevent IP address theft on the LAN, edit /etc/ethers in the format

    IP-addr MAC-addr

one binding per line, then run `arp -f`. After this, a client whose IP address and MAC address do not match the table cannot reach the Internet through the gateway, which blocks the ARP-spoofing malware ("ARP viruses") of the day. Keep in mind that static entries pin only the gateway's own ARP cache: an impostor host still receives no return traffic, but clients are not protected from poisoning each other.

With that, a single, relatively secure gateway is complete. Of course, security is a whole, and no detail should be neglected, because any of them can turn into a security risk.
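The /etc/ethers entries pin only the gateway's ARP cache. The added example below (my own code, not part of the original post) enforces the same IP-to-MAC bindings in the FORWARD chain, so a host that takes over a bound address is not forwarded at all. It assumes the LAN interface is eth1 and reads bindings in the post's "IP MAC" layout; the two bindings embedded in BINDINGS are constructed sample data, and DRY_RUN=1 prints the iptables commands instead of loading them so the rule list can be reviewed first.

```shell
#!/bin/sh
# Added example: enforce IP<->MAC bindings in the FORWARD chain with a
# dedicated chain, complementing static ARP entries from /etc/ethers.
# Assumptions (not from the original post): LAN interface eth1, bindings
# in "IP MAC" order, DRY_RUN=1 to print rules rather than load them.

LAN_IF="${LAN_IF:-eth1}"
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample bindings, same layout as the post's /etc/ethers file.
BINDINGS='192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66'

# Run iptables, or echo the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the LAN_BIND chain: one RETURN per valid IP/MAC pair, then DROP
# everything else, and hook it in front of FORWARD for LAN traffic.
# Traffic arriving from the Internet on eth0 (e.g. the DNAT'd web server)
# never enters LAN_BIND because the jump is restricted to LAN_IF.
build_binding_rules() {
    ipt -N LAN_BIND 2>/dev/null
    ipt -F LAN_BIND
    echo "$BINDINGS" | while read ip mac; do
        [ -z "$ip" ] && continue
        ipt -A LAN_BIND -s "$ip" -m mac --mac-source "$mac" -j RETURN
    done
    ipt -A LAN_BIND -j DROP
    ipt -I FORWARD 1 -i "$LAN_IF" -j LAN_BIND
}

# Number of bindings that will be loaded (non-empty lines).
count_bindings() {
    echo "$BINDINGS" | grep -c '.'
}
```

Because the jump is inserted at position 1 of FORWARD, it runs before the P2P, layer7 and MAC-ban rules from the post; a spoofing host is dropped before any of them is evaluated. The same chain can be hooked into INPUT with `-I INPUT 1 -i "$LAN_IF" -j LAN_BIND` to protect the gateway itself as well.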
