Chapter 7. Firewalls

Information security is usually thought of as a process of continual improvement rather than a finished product. Even so, standard security implementations normally rely on some dedicated mechanism to control access privileges and to restrict the use of network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to help administrators and security engineers address network-level access control.

Alongside VPN solutions such as IPsec (discussed in Chapter 6), firewalls are a core component of a network security implementation. Several vendors market firewall solutions for every level of the marketplace, from home users protecting a single PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as the firewall appliances from Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec also develop proprietary software firewalls for the home and business markets.

Apart from the difference between hardware and software firewalls, firewalls also differ in how they function. Table 7-1 describes three common types of firewall and how each operates:

Method: NAT

Description: Network Address Translation (NAT) places internal IP subnetworks behind one external IP address or a small pool of them, so that all outbound requests appear to originate from a single source address rather than from many.

Advantages:
· Can be configured transparently to the machines on a LAN
· Placing many machines and services behind one or more external IP addresses simplifies administration
· Access to and from the LAN can be restricted by opening and closing ports on the NAT firewall/gateway

Disadvantages:
· NAT by itself is not a filter: once an internal user has connected to a service outside the firewall, it cannot prevent malicious activity carried over that connection

Method: Packet filter

Description: A packet filtering firewall reads every data packet passing into and out of a LAN. It reads and processes packets based on their header information and filters them according to sets of programmable rules written by the firewall administrator. The Linux kernel has packet filtering built in through the Netfilter kernel subsystem.

Advantages:
· Customizable through the iptables front-end utility
· Requires no customization on the client side, because all network activity is filtered at the router level rather than at the application level
· Since packets are not relayed through a proxy, the client and the remote host are connected directly and network performance is better

Disadvantages:
· Cannot filter packets by content the way a proxy firewall can
· Processes packets at the protocol (IP/TCP/UDP header) layer, but cannot inspect them at the application layer
· Complex network architectures can make establishing packet filtering rules difficult, especially when combined with IP masquerading or with local subnets and DMZ networks

Method: Proxy

Description: A proxy firewall directs all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. The proxy machine acts as a buffer between malicious remote users and the client machines on the internal network.

Advantages:
· Gives administrators control over which applications and protocols may function outside of the LAN
· Some proxy servers can cache data, so frequently requested data is served from the local cache rather than over the Internet connection, which reduces unnecessary bandwidth usage
· Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network

Disadvantages:
· Proxies are often application-specific (HTTP, Telnet, etc.) or protocol-restricted (most proxies work only with TCP-connected services)
· A forward proxy handles outbound client requests only; application services that must accept inbound connections cannot sit behind it, so application servers need a separate form of network security
· A proxy can become a network bottleneck, because all requests and transmissions pass through one intermediary instead of flowing directly between the client and the remote service

Table 7-1. Firewall Types

7.1. Netfilter and iptables

The Linux kernel contains a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading. Netfilter can also mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility: the rules live in the kernel, and iptables is the user-space front end used to load and inspect them.

7.1.1. iptables Overview

The power and flexibility of Netfilter is exposed through the iptables interface. This command-line tool is similar in syntax to its predecessor, ipchains; however, iptables draws on the Netfilter subsystem, whose connection tracking lets rules be written in terms of connection state and not only on the source and destination addresses and ports that ipchains matched with intricate, stateless rule sets. iptables also offers advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all from a single command-line interface.
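The following script, an added example rather than text or code from the Red Hat guide, ties the NAT and packet-filter rows of Table 7-1 to the iptables features listed above: a default-deny stateful filter, anti-spoofing rules, masquerading in the nat table's POSTROUTING chain, port forwarding by DNAT in PREROUTING, and rate-limited logging of what the DROP policy is about to discard. The interface names eth0 and eth1, the LAN subnet 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions chosen for illustration. Run it as is to print the rules for review; set APPLY=1 and run it as root to load them.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): a stateful packet filter plus NAT
# for a two-interface Linux gateway. Interface names, subnet and the forwarded
# web server address are illustrative assumptions; adjust them to your network.
# Run as is to print the rules; APPLY=1 (as root) executes them instead.

WAN_IF=${WAN_IF:-eth0}                   # assumed Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                   # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed internal subnet
WEB_SERVER=${WEB_SERVER:-192.168.1.10}   # assumed internal host that serves TCP/80

# Wrapper: print the command when DRY_RUN=1, otherwise run iptables for real.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    # Clean slate in the filter and nat tables
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X

    # Default deny: anything not explicitly accepted below is dropped
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback traffic is local to the gateway
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful core: accept replies to connections already tracked by Netfilter.
    # (The older "-m state --state" form is equivalent.) A stateless filter would
    # need broad port-range rules to let this traffic back in.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: packets with LAN source addresses must not arrive from the WAN
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Administer the gateway over SSH from the LAN side only
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # LAN hosts may open new outbound connections through the gateway
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT

    # NAT / IP masquerading: rewrite the source of outbound LAN traffic to the WAN address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Port forwarding: rewrite inbound TCP/80 on the WAN side to the internal web server
    # in PREROUTING, then allow the already-rewritten packet through FORWARD.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Rate-limited logging of whatever is about to fall through to the DROP policy
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

# Review helper: the ruleset as text, one iptables invocation per line
show_firewall() {
    ( DRY_RUN=1; build_firewall )
}

if [ "${APPLY:-0}" = 1 ]; then
    build_firewall
else
    show_firewall
fi
```

Rule order matters in every chain: the ESTABLISHED,RELATED rule near the top is what lets reply traffic back in, and the LOG rules must come last so they only see packets that are about to hit the DROP policy. Because DNAT in PREROUTING rewrites the destination before the FORWARD chain is consulted, the accept rule for the forwarded port matches on the internal server's address, not on the gateway's.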

±¾½ÚÌṩ¶Ô iptables µÄ×ÜÀÀ¡£¹ØÓÚ iptables µÄÏêϸÐÅÏ¢£¬Çë²ÎÔÄ¡¶ºìñÆóÒµ Linux ²Î¿¼Ö¸ÄÏ¡·¡£