Linux防火牆技術的研究與實現
摘要:隨着以Internet爲代表的全球資訊化浪潮的來臨,資訊網絡技術的應用正日益廣泛和深入,而伴隨網絡的普及,公共通信網絡傳輸中的數據安全問題也成爲目前研究的熱點。
防火牆是實施網絡安全策略的重要組成部分,是用在安全私有網絡和外部不可信任網絡之間安全連接的'1個設備或1組設備,作爲私有網絡和外部網絡之間連接的單點存在。防火牆作爲內部網絡安全的屏障,其主要目標是保護內部網絡資源,執行網絡基本安全策略,防止內部資訊泄漏和外部入侵,提供對網絡資源的訪問控制,發現安全隱患,爲安全策略的完善提供幫助,監督各類通信行爲。
本文對Linux 2. 4內核防火牆NetFilter的原理進行了深入研究,分析了在NetFilter架構下防火牆的設計與實現,敘述了Linux的動態地址轉換,論述了在Linux下防火牆的設計和開發過程。以GNU爲開發工具,作者基於NetFilter架構開發了1款包過濾的個人防火牆,並對其做了測試。
關鍵詞:網絡安全;防火牆;Linux;方案設計;NetFilter;包過濾
Research and Realization of Firewall Based on Linux
Abstract:With the rapid develppment of information technology based on Internet; theapplication of information network techniques is extended more and owing popularization of Internet, the data security problems transmitting inInternet bring a hot challenge in the research field.
The firewall is inserted between the premises network and the Internet toestablish a controlled link and to erect an outer security wall or perimeter. The aimof this perimeter is to protect the premises network from Internet based attacks andto provide a single choke point where security and audit can be imposed.
This thesis discusses the netfilter mechanism of Linux 2.4 kernel, and analyzes how to design and realize the firewall based on netfilter technology, and also describes network address translation in Linux. Developed by GNU, a netfilter based firewall is realized and tested.
Keywords: Network Security; Firewall; Linux; Scheme Designing; NetFilter; Packet Filter
