
Check Word Filtering Firewall Based On Netfilter Framework Design And Realization

Posted on: 2007-04-06  Degree: Master  Type: Thesis
Country: China  Candidate: L Y Hu  Full Text: PDF
GTID: 2208360212975454  Subject: Computer technology
Abstract/Summary:

The research and implementation of the project "checkword filter firewall in the Linux operating system" was supported by the Electronic Information Industry Development Fund. The system is designed and implemented on the Netfilter firewall framework of Linux kernel version 2.4. Through modules hooked into the Netfilter framework, the content of every packet that passes through the host's network card can be inspected. The source and destination IP addresses of each packet are checked first; a packet that carries illegal information triggers the corresponding functions in the security strategy module, which carry out the action the user has configured for that situation (for example, dropping the packet or queuing it to user space). At the same time, detailed information about the packets of interest is recorded in log files, which the administrator can examine later.

The theoretical part of the thesis first introduces the ISO seven-layer model, the TCP/IP network model and the implementation of TCP/IP in Linux, and then presents several popular firewall models. Linux kernel programming and device drivers are introduced next, as the background needed to understand the checkword filter firewall framework. After that, the thesis shows how packets are received and sent by the Linux network stack, and finally describes the workflow and technology of the Netfilter firewall framework in Linux.

The design and implementation part describes the checkword filter firewall in four parts, followed by a daemon module. The first part is the register module, which handles initialization: hooking the functions onto the Netfilter firewall framework and building the most important data structures of the firewall.
The second part is the character device driver module, the gate between user space and kernel space; all data transferred between the two passes through it, so it acts as the interface. The third part, the core of the firewall, is the security strategy module: every packet that passes through the network protocol stack is checked by it. If the packet content contains illegal information, the functions that deal with such packets are triggered; otherwise the packet is delivered to its original destination. The fourth part is the log file module, which, as its name suggests, records the information of interest and makes it available to the administrator. The last module is the daemon module, which does many things: setting up the firewall rules requires invoking it, retrieving log information from the kernel and storing it as a file also goes through it, and it supplies the forbidden IP list used by the security strategy module (the daemon module interacts with the background). Among these, the overall design, the design of the LAN and the test programme of the firewall were completed together with a classmate, but the main part of the module programming was completed by myself. Finally, functionality tests showed that the initial goal was reached and that the system achieves good performance.
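The verdict logic of the security strategy module described above, as an added example that is not the thesis's own code: a userspace model in C that parses an IPv4/TCP packet from a byte buffer, checks the source and destination addresses against a forbidden list, scans the TCP payload for forbidden keywords, and returns a verdict. The verdict constants, the forbidden address 192.168.1.100, the keywords, and the packet builder are all constructed for this illustration; in a real Netfilter hook the same decision would map to NF_ACCEPT, NF_DROP and NF_QUEUE and the packet would come from the sk_buff, but this version compiles and runs without kernel headers. Malformed headers are dropped rather than passed, so a truncated packet cannot slip past the keyword scan.

```c
/* Added example (not from the thesis): userspace model of a keyword-filtering
 * Netfilter hook's decision. All addresses, words and verdict values are
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { VERDICT_ACCEPT = 0, VERDICT_DROP = 1, VERDICT_QUEUE = 2 };

/* Hypothetical forbidden IP list (host byte order), as the daemon would supply it. */
static const uint32_t forbidden_ips[] = {
    0xC0A80164u, /* 192.168.1.100 */
};

/* Hypothetical forbidden keywords to look for in the TCP payload. */
static const char *const forbidden_words[] = { "secret", "exploit" };

/* Returns the IPv4 header length in bytes, or 0 if the header is malformed. */
static size_t ipv4_hdr_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return 0;
    return ihl;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int ip_forbidden(uint32_t ip)
{
    for (size_t i = 0; i < sizeof forbidden_ips / sizeof forbidden_ips[0]; i++)
        if (forbidden_ips[i] == ip) return 1;
    return 0;
}

/* Bounded substring search; uses memcmp so embedded NUL bytes cannot stop it early. */
static int payload_has_word(const uint8_t *data, size_t len, const char *word)
{
    size_t wl = strlen(word);
    if (wl == 0 || wl > len) return 0;
    for (size_t i = 0; i + wl <= len; i++)
        if (memcmp(data + i, word, wl) == 0) return 1;
    return 0;
}

/* The hook-style decision for one packet: address check first, then keyword scan. */
enum verdict inspect_packet(const uint8_t *pkt, size_t len)
{
    size_t ihl = ipv4_hdr_len(pkt, len);
    if (ihl == 0) return VERDICT_DROP;                 /* malformed: fail closed */

    if (ip_forbidden(be32(pkt + 12)) || ip_forbidden(be32(pkt + 16)))
        return VERDICT_DROP;                           /* forbidden src or dst */

    if (pkt[9] != 6) return VERDICT_ACCEPT;            /* only TCP payloads are scanned */
    if (len < ihl + 20) return VERDICT_DROP;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;    /* TCP data offset */
    if (doff < 20 || ihl + doff > len) return VERDICT_DROP;

    const uint8_t *payload = pkt + ihl + doff;
    size_t plen = len - ihl - doff;
    for (size_t i = 0; i < sizeof forbidden_words / sizeof forbidden_words[0]; i++)
        if (payload_has_word(payload, plen, forbidden_words[i]))
            return VERDICT_QUEUE;                      /* hand to user space for logging */
    return VERDICT_ACCEPT;
}

/* Builds a constructed IPv4/TCP packet (no options, no checksums) around a payload. */
size_t build_packet(uint8_t *buf, size_t cap, uint32_t src, uint32_t dst, const char *payload)
{
    size_t plen = strlen(payload);
    if (cap < 40 + plen) return 0;
    memset(buf, 0, 40 + plen);
    buf[0] = 0x45;                                     /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)((40 + plen) >> 8);
    buf[3] = (uint8_t)(40 + plen);
    buf[8] = 64;                                       /* TTL */
    buf[9] = 6;                                        /* protocol: TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20 + 12] = 0x50;                               /* TCP data offset = 5 words */
    memcpy(buf + 40, payload, plen);
    return 40 + plen;
}

/* Convenience: build a packet and return the verdict for it. */
enum verdict classify(uint32_t src, uint32_t dst, const char *payload)
{
    uint8_t buf[512];
    size_t n = build_packet(buf, sizeof buf, src, dst, payload);
    return n ? inspect_packet(buf, n) : VERDICT_DROP;
}

int main(void)
{
    printf("verdict=%d\n", classify(0x0A000001u, 0x0A000002u, "GET /exploit.html"));
    return 0;
}
```

The order of checks mirrors the abstract: the cheap address comparison runs before the payload scan, and a keyword hit is queued rather than silently dropped so the user-space daemon can log it.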
Keywords/Search Tags: Checkword filter, Netfilter firewall framework