摘要
提出基于Linux平台用数据包过滤与透明代理相结合防网络攻击的解决方案,对其中的关键技术进行了探讨,提出了一种完整的技术路线。给出一个三级防御模型,在网络层通过数据包过滤模块对IP欺骗进行过滤,在电路网关一级内网主机与外网主机通过透明连接,在应用网关级一级控制和监测外网提供的服务。包过滤模块通过Linux内核的Netfilter模块实现,电路级网关模块通过透明代理实现,应用级网关模块通过面向对象、事件驱动和模块化的代理应用程序实现,通过脚本语言易于制定代理策略,全面分析复杂的协议。
A solution scheme to protect the network attack based on the packet filter and transparent proxies on linux operation system is proposed. Though the research of the key technique, a complete technology method was provided, which presented a three grade pro- tection system: firstly filtering the IP spoof data packet through data packet filter mode in the network level, secondly the connection between intranet host and internet host implemented by the transparent connection in the circuit gateway level, finally control and test the service provided by the internet in the application gateway level. The packet filter model was implemented by netfilter a model of linux kennel, the circuit gateway model was implemented by transparent proxy and the application gateway model was realized by an object-oriented, event-driven and modular proxy, which made it possible to fine tune proxy decisions with its built in script language, to fully analyze complex protocols.
出处
《计算机工程与设计》
CSCD
北大核心
2005年第5期1290-1293,共4页
Computer Engineering and Design
