
Research And Design Of Firewall Based On Linux

Posted on: 2004-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: G Chen
Full Text: PDF
GTID: 2168360092990978
Subject: Computer applications

Abstract/Summary:
With the rapid development of information technology based on the Internet, the application of information network techniques is extending more and more. Following the popularization of the Internet, the security of data transmitted over the Internet has become a hot challenge in the research field. A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises network from Internet-based attacks and to provide a single choke point where security and audit can be imposed.

This thesis discusses the netfilter mechanism of the Linux 2.4 kernel, analyzes how to design and realize a firewall based on netfilter technology, and also describes network address translation in Linux. A netfilter-based firewall, developed with Kylix 3.0, is realized and tested. The firewall system includes five modules: filter management, route record, application proxy, scan defense and log record. The iptables principle of netfilter is applied in the filter management module, and network address translation is realized in it. The route record module is implemented by revising the IP option handling in the kernel and recompiling the kernel to support the record-route option. The application proxy module includes an HTTP proxy and a general proxy; the former is realized with Squid, and the latter is implemented by a proxy process. The scan defense module counters scanning attacks by means of a daemon process. The log record module is used to log Internet usage and to select the way of recording, local or e-mail. Common network attacks such as IP spoofing, source route spoofing, ICMP redirect deception and IP hijacking are analyzed and protected against by the filter management module. IP hijacking protection is implemented by injecting a hook function into the protocol stack, and is described in detail.

To enhance the stability of the firewall, the kernel is recompiled and updated to the newest stable release, and dangerous and unused services are disabled at the same time.
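As an added illustration of the anti-spoofing filtering the abstract attributes to the filter management module (this is not code from the thesis), the following POSIX shell script generates the kernel settings and iptables rules that counter IP spoofing, source-route spoofing and ICMP redirect deception on a Linux netfilter firewall; the interface name eth0 and the premises subnet 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the thesis's code). Emits, rather than applies, the
# configuration so it can be reviewed before being run as root.
EXT_IF="${EXT_IF:-eth0}"               # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed premises network

# Kernel knobs: refuse source-routed packets (source route spoofing),
# ignore and never send ICMP redirects (redirect deception), and enable
# reverse-path filtering so a packet must arrive on the interface the
# routing table would use to reach its claimed source (IP spoofing).
antispoof_sysctl() {
    printf '%s\n' \
        'net.ipv4.conf.all.accept_source_route=0' \
        'net.ipv4.conf.all.accept_redirects=0' \
        'net.ipv4.conf.all.send_redirects=0' \
        'net.ipv4.conf.all.rp_filter=1'
}

# netfilter rules: a packet arriving on the external interface that claims
# the premises network, loopback or an RFC 1918 range as its source cannot
# be legitimate, so it is logged once and dropped in both INPUT and FORWARD.
# (The LAN entry is redundant when the LAN is itself RFC 1918; harmless.)
antispoof_rules() {
    ext="$1"; lan="$2"
    for src in "$lan" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A INPUT -i $ext -s $src -j LOG --log-prefix \"SPOOF: \""
        echo "iptables -A INPUT -i $ext -s $src -j DROP"
        echo "iptables -A FORWARD -i $ext -s $src -j DROP"
    done
}

# Helper for checking the generator: number of DROP rules for a given config.
count_drop_rules() {
    antispoof_rules "$1" "$2" | grep -c -- '-j DROP'
}

main() {
    echo "# sysctl -w settings"
    antispoof_sysctl
    echo "# netfilter rules for $EXT_IF protecting $LAN_NET"
    antispoof_rules "$EXT_IF" "$LAN_NET"
}
main
```

Pipe the output through `sh` as root on the firewall host to apply it; `sysctl -w` lines go into /etc/sysctl.conf for persistence.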
Keywords/Search Tags: network security, firewall, Linux, netfilter, NAT