Resisting hackers with Linux's masquerading firewall



Firewalls can be divided into several levels of security. Many different firewall packages are available for Linux, with security ranging from low to high; the most complex software provides virtually impenetrable protection. However, the Linux kernel itself has a simple built-in mechanism called "masquerading" that can withstand most attacks, apart from those of the most dedicated hackers.

When we connect to the Internet by dial-up, our computer is assigned an IP address that allows data from other people on the Internet to return to our computer. Hackers use that IP address to access the data on your computer. The "IP masquerading" method used by Linux hides your IP so that others on the network cannot see it. Several groups of IP addresses are reserved for special use on local networks, and Internet backbone routers do not recognize them. The author's computer, for example, has the IP 192.168.1.127, but if you enter this address into your browser you will receive nothing, because the Internet backbone does not recognize the 192.168.X.X group. Countless other computers on intranets use the same IP; because it cannot be reached, it of course cannot be penetrated or cracked.

So solving security problems on the Internet appears to be a simple matter: choose an IP address for your computer that others cannot reach, and everything is resolved. Wrong! When you browse the Internet, the server also needs to pass information back to you, otherwise you would see nothing on the screen, and the server can only send data back to a legitimate IP address registered on the Internet backbone.

"IP masquerading" is the technology used to resolve this dilemma. When a computer has Linux installed and is set to use "IP masquerading", it bridges the internal and external networks and automatically translates IP addresses from the inside out or from the outside in. This action is usually called network address translation.

In fact, "IP masquerading" is somewhat more complex than described above. Basically, an "IP masquerading" server sits between two networks. If you use an analog dial-up modem to access the Internet, that is one of the networks; your internal network typically corresponds to an Ethernet card, and that is the second network. If you are using a DSL modem or cable modem, then the system will have a second Ethernet card instead of the analog modem.

Linux can manage the IP addresses of each network. Suppose a computer running Windows (IP 192.168.1.25) sits on the second network (Ethernet eth1) and accesses the Internet through the cable modem (207.176.253.15) on Ethernet eth0. Linux's "IP masquerading" intercepts every TCP/IP packet issued by your browser, strips out the original local address (192.168.1.25), and substitutes the real address (207.176.253.15). Then, when the server returns data to 207.176.253.15, Linux automatically intercepts the returning packets and fills the correct local address (192.168.1.25) back in.

Linux can manage several local computers and process each packet without confusion. There is an old 486 computer with Slackware Linux installed that can simultaneously handle the packets sent to the cable modem from four computers, with no reduction in speed.

Before the second version of the kernel, "IP masquerading" was managed by the IP firewall administration module (IPFWADM, IP fw adm). Although the second version of the kernel provides the faster and more complex IPCHAINS, it still provides an IPFWADM wrapper to maintain backward compatibility, so this article uses IPFWADM as the example to explain how to set up "IP masquerading". (For how to use IPCHAINS, see http://metalab.unc.edu/mdw/HOWTO/IPCHAINS-HOWTO.html; that page also has a more detailed explanation of "IP masquerading".)

In addition, certain applications such as RealAudio and CU-SeeMe use non-standard packets and need special modules; information on these is also available from the website.

The server has two Ethernet cards, which are set up as eth0 and eth1 during kernel startup. Both are SN2000 jumperless ISA adapter cards, and the vast majority of Linux systems recognize both cards. The Ethernet initialization steps are set in rc.inet1, with the following commands:

IPADDR="207.175.253.15"       # Replace with your cable modem's IP address.
NETMASK="255.255.255.0"       # Replace with your netmask.
NETWORK="207.175.253.0"       # Replace with your network address.
BROADCAST="207.175.253.255"   # Replace with your broadcast address.
GATEWAY="207.175.253.254"     # Replace with your gateway address.

# Use the variables above to set up the cable modem's Ethernet card
/sbin/ifconfig eth0 ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}

# Set up the IP routing table
/sbin/route add -net ${NETWORK} netmask ${NETMASK} eth0

# Set up the intranet Ethernet card eth1, without using variables
/sbin/ifconfig eth1 192.168.1.254 broadcast 192.168.1.255 netmask 255.255.255.0
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 eth1

# Then initialize IP fw adm
# Deny access from anywhere other than the following
/sbin/ipfwadm -F -p deny
# Open forwarding for requests from 192.168.1.X
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -M -s 600 30 120

That's it! Your system's "IP masquerading" should now be working properly. For more detailed information, refer to the HOWTO mentioned above, or to the MINI HOWTO at http://albali.aquanet.com.br/howtos/Bridge+Firewall-4.html. Information on more secure firewall technology can be found at ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/Firewall-HOWTO.
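The address rewriting described above, together with the idle timeouts set by "ipfwadm -M -s 600 30 120" (TCP, TCP after FIN, UDP, in seconds), modelled as an added Python example that is not part of the original article or of the kernel's code. The port pool starting at 61000, the remote addresses and all class and function names are assumptions made for illustration.

```python
# Added illustration: a toy model of the masquerading table, not kernel code.
from dataclasses import dataclass

PUBLIC_IP = "207.176.253.15"       # external (eth0) address from the walkthrough
TIMEOUTS = {"tcp": 600, "tcpfin": 30, "udp": 120}  # ipfwadm -M -s 600 30 120
FIRST_MASQ_PORT = 61000            # assumed start of the masquerade port pool

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple                     # (ip, port)
    dst: tuple                     # (ip, port)

class Masquerader:
    def __init__(self):
        self.by_port = {}          # masq port -> [inside, remote, proto, expiry]
        self.by_flow = {}          # (proto, inside, remote) -> masq port
        self.next_port = FIRST_MASQ_PORT

    def outbound(self, pkt, now):
        """Rewrite a packet leaving the LAN so it appears to come from PUBLIC_IP."""
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.by_flow.get(key)
        if port is None or self.by_port[port][3] <= now:
            port = self.next_port  # new flow, or the old entry has expired
            self.next_port += 1
            self.by_flow[key] = port
        self.by_port[port] = [pkt.src, pkt.dst, pkt.proto, now + TIMEOUTS[pkt.proto]]
        return Packet(pkt.proto, (PUBLIC_IP, port), pkt.dst)

    def inbound(self, pkt, now):
        """Restore the local address on a reply; return None (drop) otherwise."""
        entry = self.by_port.get(pkt.dst[1])
        if pkt.dst[0] != PUBLIC_IP or entry is None:
            return None            # unsolicited: nothing inside asked for it
        inside, remote, proto, expiry = entry
        if expiry <= now or pkt.src != remote or pkt.proto != proto:
            return None            # expired entry, or not the peer we contacted
        entry[3] = now + TIMEOUTS[proto]   # traffic refreshes the idle timer
        return Packet(proto, remote, inside)

def demo():
    nat = Masquerader()
    web = ("198.51.100.7", 80)     # constructed remote server
    out = nat.outbound(Packet("tcp", ("192.168.1.25", 1025), web), now=0)
    reply = nat.inbound(Packet("tcp", web, out.src), now=5)
    probe = nat.inbound(Packet("tcp", ("203.0.113.9", 4444), out.src), now=6)
    stale = nat.inbound(Packet("tcp", web, out.src), now=5 + 600)
    return out, reply, probe, stale
```

Only the reply from the contacted server is translated back to 192.168.1.25; the probe from another host and the reply arriving after the idle timeout are both dropped because no live table entry matches them.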

Over the past six months, the price of 56K analog modems has suddenly fallen a great deal. However, most of the new modems have had the control board with its microprocessor removed, so they place additional load on the system's main CPU, and Linux does not support these "WinModem" cards. Although the Linux kernel experts have the ability to write drivers for WinModem cards, they also understand that sacrificing system performance in order to save 10 U.S. dollars is not wise.

Make sure the modem card you use has jumpers for setting COM1, COM2, COM3 and COM4; only then can the modem work under Linux. A complete list of Linux-compatible modems can be found at http://www.o2.net/~gromitkc/winmodem.html.

While writing this article, the author spent time testing a variety of modems. Linux supports Plug and Play devices, so the author bought a jumperless modem made by Amjet, and then found another disturbing problem.

The PC used for testing was an old 486 with a 1994 version of the AMI BIOS. With the Plug and Play modem plugged in, the computer would not boot, and the screen showed "Primary hard disk failure". Inspection found that the Plug and Play BIOS had assigned interrupt 15, which should be reserved for the hard disk controller, to the modem. In the end the author gave up on using Plug and Play products in the old computer, since they were not worth the time. So before you buy a modem, check whether it has jumpers for setting COM1 to COM4.

On the author's bulletin board (http://trevormarshall.com/BYTE/), some readers have asked whether multiple dial-up lines can be used to improve Internet connection speed. The best example is 128K ISDN, which uses two 56K channels to achieve a speed of 128K. When an ISP provides this service, it actually configures two separate lines connected to the same IP.

As you can see, although Linux has a module called EQL that lets one computer use two modems simultaneously, unless the ISP provides the same IP on both dial-up connections, the two modems help only when sending data.

If you dial in to your ISP over an ordinary PPP line, you get one IP address, which lets the packets returning from a server find you among millions of computers; and each time you dial your ISP you get a different IP address.

The packets your browser sends also contain the local IP address to which the server should return its data. EQL can distribute those outgoing packets across different ISP lines, but the returning data can be received through only one IP address, namely the address your browser is using. With ISDN, the ISP takes care of this issue; a number of ISPs provide a matching IP address for multiple dial-up lines, but the price is very high.

In the pursuit of speed, do not overlook the efficiency of the Linux firewall. Six users in an office sharing a 56K analog modem through an "IP masquerading" firewall works very well; the speed drops only when someone is downloading large files. Before you decide to install several ISP dial-up lines, set up an "IP masquerading" server and try it first. Windows' way of dealing with multiple IPs is not very efficient, but if you separate the Windows network from the modem, the performance improvement will surprise you.

In short, the "IP masquerading" method used by Linux hides your IP so that others on the network cannot see it.