
Linux As An IPv4/IPv6 Dual Stack Firewall Design And Application Based On Campus Network

Posted on: 2015-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: M Xia
GTID: 2308330473453977
Subject: Software engineering
Abstract/Summary:
As the exhaustion of IPv4 addresses becomes increasingly apparent, IPv6 is being adopted faster and faster. Our school's relocation provides an opportunity to build a new campus network, and a network upgrade project is being implemented to provide both public IPv4 access and a connection to the education network. Designing a firewall solution that protects both the IPv4 and IPv6 networks has therefore been put on the agenda. This thesis takes a firewall supporting the IPv4/IPv6 dual-stack protocol as its research subject. The research focuses mainly on hybrid routing under dual stack, iptables under IPv4 and ip6tables under IPv6, and firewall performance optimization. The main research content is divided into five parts.

First, the thesis briefly introduces IPv6 and discusses several commonly used IPv4-to-IPv6 transition technologies: dual stack, tunneling, and translation mechanisms. A dual-stack firewall design is produced to support the campus network upgrade scheme.

Next, it addresses the problem of hybrid routing under dual-stack conditions. The hybrid routing functions of the firewall are analyzed and designed using policy routing, which lays the technical foundation for later load balancing and leaves room for upgrades. Quagga is also installed on the firewall: as the network grows and its topology becomes more complex, the open-source Quagga software is used to implement IPv6 routing functions, which also leaves an allowance for future technology upgrades.

Then, from the perspective of the network and transport layers and on the basis of protocol principles, the thesis analyzes how attacks are carried out from four aspects: packet header structure, the protocol itself, validation, and flow. Although IPv6 solves the IPv4 address space problem, and improvements to the protocol itself can eliminate some attacks on validation and flow, its network-layer model is similar to that of IPv4. This means attacks can partly reuse and extend IPv4 approaches, so the IPv6 security situation is not optimistic.

The thesis designs and writes firewall scripts for iptables under IPv4 and ip6tables under IPv6, and tests the complete policies with TCP and UDP respectively. After tests confirmed that each firewall module functioned normally, the machine was tested after being connected to the campus network. The firewall was also optimized, and IPsec functionality was added using OpenSWAN as the platform. The firewall tuning work implements stateful UDP, ICMP, TCP and FTP sessions; stateful inspection of packets translated between IPv4 and IPv6; handling of extension headers (EH), including routing, hop-by-hop, options, and fragment headers; and port-to-application mapping (PAM), which allows network administrators to customize the use of TCP and UDP ports. This feature allows them to implement content-based access control, even across a wider range of ports.
Keywords/Search Tags: firewall, IPv4, IPv6, dual stack, Linux