CN111262833B - Network security processing method, terminal and storage medium - Google Patents
- Publication number: CN111262833B
- Application number: CN202010019054.8A
- Authority
- CN
- China
- Prior art keywords
- network
- management
- port
- management application
- network port
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/622—Layer-2 addresses, e.g. medium access control [MAC] addresses
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network security processing method, a terminal and a storage medium. The network security processing method comprises the following steps: clearing all configurations in the management application, and generating a configuration table according to the network protocol and the corresponding network port; setting the authority of the network port to allow traffic to pass through, and judging whether the management application is bound to a specified MAC management device; when the management application is not bound to a specified MAC management device, setting the authority of the management port in the management application to allow traffic to pass through. The invention simplifies the protocol handling of newly added ports and solves the problem of ACL resource consumption through a modularized management mode.
Description
Technical Field
The present invention relates to the field of terminal applications, and in particular, to a network security processing method, a terminal, and a storage medium.
Background
Existing network security processing mainly takes one of two forms: a management mode that binds an access control list, or management through the iptables system.
An Access Control List (ACL) is a packet filtering access control technique that filters packets on an interface according to set conditions, allowing them to pass or discarding them. Access control lists are widely applied in routers and layer-3 switches; with them, user access to the network can be effectively controlled, so that network security is guaranteed to the greatest extent. When a specific MAC user accesses the network, management can be realized by binding an ACL rule for that MAC to the port, but this security management mode occupies ACL resources and must also be maintained alongside the user's other ACL rules, which brings many troubles.
iptables is an IP packet filtering system integrated into the Linux kernel; it can control IP packets and configure a firewall on a Linux system. If the Linux system is connected to the internet, or acts as a server or proxy server, iptables facilitates better control of IP packet filtering and firewall configuration on that system.
When the firewall makes a packet filtering decision, it consults a set of specific rules stored in a special packet filtering table, and this packet filtering table is integrated in the Linux kernel; within the packet filtering table, rules are grouped into chains. The iptables packet filtering system can be used to add, edit and remove rules, makes operations such as insertion, modification and deletion easy, and can be operated directly from user space. Unlike ACLs, it does not occupy configuration resources, but it has the problem that the related protocols of multiple software modules are not easy to manage.
Accordingly, the prior art is yet to be improved and developed.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a network security processing method, a terminal and a storage medium, which simplify the protocol of the newly added port and solve the problem of occupying ACL resources by a modular management manner, aiming at the defects of the prior art.
The technical scheme adopted by the invention for solving the technical problem is as follows:
in a first aspect, the present invention provides a network security processing method, where the network security processing method includes the following steps:
clearing all configurations in the management application, and generating a configuration table according to the network protocol and the corresponding network port;
setting the authority of the network port to allow the network port to pass through, and judging whether the management application is bound with the specified MAC management equipment;
when the management application is not bound with a specified MAC management device, the authority of the management port in the management application is set to be allowed to pass through.
Further, the clearing all configurations in the management application and generating the configuration table according to the network protocol and the corresponding network port further include:
starting the management application and carrying out initialization processing on the management application.
Further, clearing all configurations in the management application and generating a configuration table according to the network protocol and the corresponding network port specifically includes the following steps:
inquiring and deleting the existing configuration in the management application through a preset instruction;
configuring a corresponding network port according to the ntp protocol or the rip protocol, and generating a configuration table according to the network port.
Further, the configuring a corresponding network port according to the ntp protocol or the rip protocol, and generating a configuration table according to the network port, then further includes:
setting the priority level of each network port in the configuration table.
Further, the setting of the permission of the network port to allow and the determining of whether the management application is bound to the specified MAC management device specifically include the following steps:
setting the authority of the network port to be allowed to pass through, and allowing the data packet in the network port to pass through according to the authority of the network port;
acquiring input configuration information, and judging whether the management application is bound with the specified MAC management equipment according to the configuration information.
Further, when the management application is not bound to a specified MAC management device, the setting of permission to pass through a management port in the management application specifically includes the following steps:
when the management application is not bound with the specified MAC management equipment, acquiring protocol information of a management port in the management application;
setting the authority of a management port in the management application to be allowed to pass through according to the protocol information;
allowing the data packet in the management port to pass through according to the authority of the management port;
intercepting the data packet in the network port without the set authority, and making a response of prohibiting transmission for the network port without the set authority.
Further, the acquiring the input configuration information and determining whether the management application is bound to the specified MAC management device according to the configuration information further includes:
when the management application is bound with the appointed MAC management equipment, intercepting the message sent by the non-appointed MAC management equipment.
Further, the configuration table is a table containing the network port information and a network protocol.
In a second aspect, the present invention provides a terminal, including: a processor and a memory coupled to the processor;
the memory stores a network security handler that when executed by the processor is configured to implement the network security processing method according to the first aspect.
In a third aspect, the present invention provides a storage medium, wherein the storage medium stores a network security processing program, and the network security processing program is used for implementing the network security processing method according to the first aspect when being executed by a processor.
The invention adopts the technical scheme and has the following effects:
the invention manages the appointed MAC based on the iptables, so that the appointed MAC does not occupy the resources of the ACL, and the program is convenient and simple to realize; moreover, through a modularized management mode, the network security management software is more stable and reliable, the operation mode of the network port of the newly added protocol is simpler and more convenient, and the authority management of the newly added network interface is facilitated.
Drawings
FIG. 1 is a flow chart of a network security processing method according to a preferred embodiment of the present invention.
Fig. 2 is a functional diagram of a terminal according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Example one
As shown in fig. 1, in an implementation manner of the embodiment of the present invention, the network security processing method includes the following steps:
step S100, all configurations in the management application are cleared, and a configuration table is generated according to the network protocol and the corresponding network port.
In this embodiment, the network security processing method is applied to a terminal and implemented with the iptables firewall; iptables is a network security tool of the Linux system and, put simply, can be configured to effectively manage the security of a Linux system.
Specifically, this embodiment requires iptables to be installed on the terminal, that is, the management application is installed, so that the data packets on each network port can be managed through iptables; for example, the packet-passing authority of a network port is set so that packets on that port are allowed to pass or are refused, and the network security of the terminal is managed in this way.
In this embodiment, iptables comprises built-in tables, each built-in table consists of built-in chains, and the built-in chains consist of rules; rules can be custom-set, added, modified and deleted in iptables. When a user starts iptables, the terminal initializes each management module in iptables, where initialization restores the data in each management module to its default data, for example the table in use in iptables is set to the default table, filter; by initializing iptables, its user settings are restored to the default settings, which facilitates subsequent use.
That is, before step S100, the following step is also included:
step 001, starting the management application and initializing the management application.
Specifically, in this embodiment, after iptables is initialized, the existing configuration in iptables needs to be deleted, for example existing custom rules are deleted; that is, all rules must be cleared before iptables is configured. Whether existing rules are present can be checked with the iptables --list (iptables -L) command or the iptables-save command, and once existing rules are found they are cleared with the iptables --flush (iptables -F) command.
It should be noted that, after clearing the existing rules, it is also necessary to check whether the rules in the NET table have been deleted; if rules remain in the NET table, they are deleted as well, so that no rule in the NET table is left behind.
Further, after all the rules are cleared, a required rule may be configured in the iptables, where the rule configured in this embodiment is to configure the passing permission of each network port, specifically: allowing the data packet of the network port to pass through or forbidding the data packet of the network port to pass through; in order to facilitate control of the data packets of each network port, in this embodiment, an independent management module is further arranged in the iptables, and each network port is uniformly managed by using a single module to generate a new rule, so that the authority of each network port is set.
Further, when configuring each network port, configuring the corresponding network port according to an ntp protocol or a rip protocol, and generating a configuration table according to the network port, wherein the configuration table is a table containing the network port information and the network protocol corresponding to the network port information; it can be understood that the configuration table is a mapping relation table of the network ports and the network protocols; the configuration table can be used for inquiring the information of each network port, and the priority information of each network port is set.
That is, step S100 specifically includes the following steps:
step 110, inquiring and deleting the existing configuration in the management application through a preset instruction;
step 120, configuring a corresponding network port according to the ntp protocol or the rip protocol, and generating a configuration table according to the network port;
Step 130, setting the priority level of each network port in the configuration table.
The embodiment avoids the rule configured in the iptables from being influenced by the existing rule by deleting the existing rule; moreover, each network port is configured according to the network protocol, and a corresponding configuration table is generated, so that operations such as rule query, rule addition, rule modification, rule deletion and the like can be performed according to the configuration table during management.
As shown in fig. 1, in an implementation manner of the embodiment of the present invention, the network security processing method further includes the following steps:
step S200, the authority of the network port is set to allow through, and whether the management application is bound with the specified MAC management device or not is judged.
In this embodiment, after generating the corresponding configuration table, the authority of each network port may be set, that is, the authority of the network port is set to allow; then, allowing the data packet in the network port to pass through according to the authority of the network port; after configuring each network port, further judging whether a specific MAC device is set in the iptables or not, and carrying out corresponding configuration operation according to the judgment result.
Specifically, when setting the authority of each network port, the authority can be set in an independent configuration module created by the iptables; creating a plurality of self-defined rules in the independent configuration module, and defining which network port data packet can pass through and which network port data packet is forbidden through the rules; wherein, among the rules, a corresponding rule parameter is set, and the rule parameter includes: a packet protocol, a source address, a destination address, a network interface allowed to pass through, packet processing operations, and the like; the data packets are controlled to pass or be forbidden through the rules, so that the aim of network security management is fulfilled.
Specifically, after configuring each network port, it is further determined whether to bind with a specific MAC management device, that is, by acquiring configuration information set by a user in an independent configuration module, if the user has bound the specific MAC management device in the iptables, address information of the MAC management device is acquired, and the authority of the MAC management device is configured according to the address information.
That is, step S200 specifically includes the following steps:
step 210, setting the authority of the network port to allow the data packet to pass through, and allowing the data packet in the network port to pass through according to the authority of the network port;
step 220, obtaining the input configuration information, and judging whether the management application is bound with the specified MAC management device according to the configuration information.
The invention realizes the control of the data packet in each network port by setting the authority of each network port, thereby ensuring the safety of the data packet of each network port; and by judging whether the specific MAC management device is bound or not, the authority configuration of the specific MAC management device is realized.
As shown in fig. 1, in an implementation manner of the embodiment of the present invention, the network security processing method includes the following steps:
step S300, when the management application is not bound with the specified MAC management device, the authority of the management port in the management application is set to be allowed to pass through.
In this embodiment, when it is determined that the iptables is not bound to the specified MAC management device, protocol information of each management port in the iptables is acquired; then configuring the authority of each management port according to the protocol information of each management port; and when detecting the data packet of each management port, controlling the data packet of each management port through the authority, namely allowing the data packet of the management port to pass through or forbidding the data packet of the management port to pass through.
Specifically, in this embodiment, the management port is configured to manage each network port, where one management port manages a plurality of network ports correspondingly; after the data packet of the network port passes through the network port, the data packet can further go to each management port; therefore, after setting the authority of each network port, it is necessary to further set the authority of each management port, and each packet can reach the destination address only after passing through each management port.
When the iptables is not bound with the specified MAC management equipment, further configuring the authority of each management port; when configuring the authority of each management port, corresponding rules also need to be set, and the rules are implemented based on the network ports below the management port, that is, the rules for managing the ports are set based on the rules for the network ports.
For example, after configuring the authority of each network port (protocol port), if a specified MAC management device is not configured, the authority of a management port such as an http/https protocol port, a snmp protocol port, or a telnet protocol port is set to allow passage.
After the authority of each management port is configured, the data packets in each management port are managed, that is, the data packets in the management ports are allowed to pass through according to the authority of the management ports, the data packets in the network ports without the authority are intercepted, and a response for prohibiting transmission is given to the unused network ports.
That is, step S300 specifically includes the following steps:
step 310, when the management application is not bound with a specified MAC management device, acquiring protocol information of a management port in the management application;
step 320, setting the authority of the management port in the management application to be allowed to pass through according to the protocol information;
step 330, allowing the data packet in the management port to pass through according to the authority of the management port;
step 340, intercepting the data packet in the network port without the set authority, and making a response of prohibiting transmission to the network port without the set authority.
In this embodiment, when iptables is bound to the specified MAC management device, the port authority for non-matching MACs is set to prohibit passage, that is, packets sent by a MAC that does not match to the http/https protocol port, the snmp protocol port, the telnet protocol port and so on are prohibited, so that messages sent by a non-specified MAC management device are intercepted; after non-matching MACs are disabled, the ports that are not registered still need to be processed, and unreachable responses are returned for these ports.
That is, step S300 further includes the following step:
step 350, when the management application is bound with the specified MAC management device, intercepting the message sent by the non-specified MAC management device.
The embodiment manages the specified MAC based on the iptables, so that the MAC does not occupy the resources of the ACL, and meanwhile, the program is convenient and simple to realize; and intercepting the message sent by the non-designated MAC so that the non-designated MAC cannot send data, thereby ensuring the network security of the terminal.
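The three-stage flow above (flush, allow the configured protocol ports in priority order, then either open the management ports or tie them to the bound MAC and reject everything else) is easiest to see as the rule set it produces. The following script is an added example and not code from the patent; it prints the iptables commands instead of applying them, and the chain name, port numbers, priority values and the reading of the patent's NET table as the nat table are assumptions.

```shell
#!/bin/sh
# Added example: emit the iptables rule set that the patent's flow describes.
# Rules are printed rather than applied, so this runs unprivileged; on a host
# where they are meant to take effect, pipe the output to sh as root.

# Constructed configuration table: protocol name, L4 protocol, port, priority.
# The patent names ntp and rip as the configured protocols; the port numbers
# and priority values are assumed.  A lower number is a higher priority here.
CONFIG_TABLE='ntp udp 123 10
rip udp 520 5'

# Management ports the patent lists (http/https, snmp, telnet); L4 details assumed.
MGMT_PORTS='http tcp 80
https tcp 443
snmp udp 161
telnet tcp 23'

CHAIN=PORT_MGMT   # assumed name for the patent's "independent management module"

# Step S100: clear the existing configuration and create the management chain.
emit_clear() {
    echo "iptables -F"
    echo "iptables -X"
    # The patent re-checks what it calls the NET table after flushing; it is
    # assumed here to mean the nat table.
    echo "iptables -t nat -F"
    echo "iptables -t nat -X"
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -j $CHAIN"
}

# Step S200: allow each network port in the configuration table, ordered by
# the priority column so that higher-priority ports are matched first.
emit_network_ports() {
    printf '%s\n' "$CONFIG_TABLE" | sort -k4,4n | while read -r name l4 port prio; do
        echo "# $name (priority $prio)"
        echo "iptables -A $CHAIN -p $l4 --dport $port -j ACCEPT"
    done
}

# Step S300: management ports.  With no bound MAC they are simply allowed.
# With a bound MAC, only frames from that MAC may reach them and packets from
# any other MAC to those ports are dropped (step 350).  Whatever remains
# matches no configured authority and is rejected with an unreachable response.
emit_mgmt_ports() {
    mac="$1"
    printf '%s\n' "$MGMT_PORTS" | while read -r name l4 port; do
        echo "# $name"
        if [ -n "$mac" ]; then
            echo "iptables -A $CHAIN -p $l4 --dport $port -m mac --mac-source $mac -j ACCEPT"
            echo "iptables -A $CHAIN -p $l4 --dport $port -j DROP"
        else
            echo "iptables -A $CHAIN -p $l4 --dport $port -j ACCEPT"
        fi
    done
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-port-unreachable"
}

# gen_rules [bound-mac]: the complete rule set for the given binding state.
gen_rules() {
    emit_clear
    emit_network_ports
    emit_mgmt_ports "$1"
}

# Stand-alone run: show both variants (the MAC address is constructed).
gen_rules ""
echo "# --- with a bound management MAC ---"
gen_rules "02:00:00:aa:bb:cc"
```

The mac match inspects the source address of the frame as it arrived on the local link, so it identifies the last layer-2 hop rather than a host behind a router; the MAC binding therefore only constrains access from the management segment itself.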
Example two
The present embodiment provides a terminal, including: a processor 10 and a memory 20 connected to the processor 10;
the memory 20 stores a network security processing program which, when executed by the processor 10, implements the network security processing method according to the first embodiment, as described above.
Example three
The present embodiment provides a storage medium, wherein the storage medium stores a network security processing program, and the network security processing program implements the network security processing method according to the first embodiment when executed by a processor, as described above.
In conclusion, the invention manages the specified MAC based on the iptables, so that the MAC does not occupy the resources of the ACL, and the program is convenient and simple to realize; moreover, through a modularized management mode, the network security processing software is more stable and reliable, the operation mode of the network port of the newly added protocol is simpler and more convenient, and the authority management of the newly added network interface is facilitated.
Of course, it will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments may be implemented by a computer program instructing relevant hardware (such as a processor, a controller, etc.), and the program may be stored in a computer readable storage medium, and when executed, the program may include the processes of the above method embodiments. The storage medium may be a memory, a magnetic disk, an optical disk, etc.
It will be understood that the invention is not limited to the examples described above, but that modifications and variations will occur to those skilled in the art in light of the above teachings, and that all such modifications and variations are considered to be within the scope of the invention as defined by the appended claims.
Claims (8)
1. A network security processing method is characterized by comprising the following steps:
clearing all configurations in the management application, and generating a configuration table according to a network protocol and a corresponding network port;
setting the authority of the network port to allow the network port to pass through, and judging whether the management application is bound with the specified MAC management equipment;
when the management application is not bound with a specified MAC management device, setting the authority of a management port in the management application to be allowed to pass through;
the setting of the permission of the network port as permission and the judgment of whether the management application is bound with the specified MAC management device specifically comprise the following steps:
setting the authority of the network port to be allowed to pass through, and allowing the data packet in the network port to pass through according to the authority of the network port;
acquiring input configuration information, and judging whether the management application is bound with a specified MAC management device according to the configuration information;
when the management application is not bound to the specified MAC management device, setting the authority of the management port in the management application to be allowed to pass through specifically includes the following steps:
when the management application is not bound with the specified MAC management equipment, acquiring protocol information of a management port in the management application;
setting the authority of a management port in the management application to be allowed to pass through according to the protocol information;
allowing the data packet in the management port to pass through according to the authority of the management port;
intercepting the data packet in the network port without the set authority, and making a response of prohibiting transmission for the network port without the set authority.
2. The method according to claim 1, wherein clearing all configurations in the management application and generating a configuration table according to the network protocol and the corresponding network port further comprises:
starting the management application and carrying out initialization processing on the management application.
3. The network security processing method according to claim 1, wherein the clearing of all configurations in the management application and the generation of the configuration table according to the network protocol and the corresponding network port specifically comprise the steps of:
inquiring and deleting the existing configuration in the management application through a preset instruction;
configuring a corresponding network port according to the ntp protocol or the rip protocol, and generating a configuration table according to the network port.
4. The network security processing method according to claim 3, wherein the configuring the corresponding network port according to the ntp protocol or the rip protocol and generating the configuration table according to the network port further comprises:
setting the priority level of each network port in the configuration table.
5. The network security processing method of claim 1, wherein the obtaining the input configuration information and determining whether the management application is bound to the specified MAC management device according to the configuration information further comprises:
when the management application is bound with the appointed MAC management equipment, intercepting a message sent by the non-appointed MAC management equipment.
6. The network security processing method of claim 1, wherein the configuration table is a table containing the network port information and a network protocol.
7. A terminal, comprising: a processor and a memory coupled to the processor;
the memory stores a network security handler that when executed by the processor is configured to implement the network security processing method of any of claims 1-6.
8. A storage medium storing a network security processing program, the network security processing program being configured to implement the network security processing method according to any one of claims 1 to 6 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010019054.8A CN111262833B (en) | 2020-01-08 | 2020-01-08 | Network security processing method, terminal and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111262833A CN111262833A (en) | 2020-06-09 |
CN111262833B true CN111262833B (en) | 2022-05-06 |
Family
ID=70951138
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010019054.8A Active CN111262833B (en) | 2020-01-08 | 2020-01-08 | Network security processing method, terminal and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111262833B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102281185A (en) * | 2010-06-12 | 2011-12-14 | 王从胜 | Application layer flow control method based on tc and iptables 17-filter |
CN104394175A (en) * | 2014-12-17 | 2015-03-04 | 中国人民解放军国防科学技术大学 | Message access control method based on network marking |
CN105827615A (en) * | 2016-04-22 | 2016-08-03 | 浪潮电子信息产业股份有限公司 | Optimization method for preventing DDOS attack by Smart Rack |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8813210B2 (en) * | 2011-11-29 | 2014-08-19 | Samsung Electronics Co., Ltd. | Enhancing network controls in mandatory access control computing environments |
US9509574B2 (en) * | 2015-04-03 | 2016-11-29 | Illumio, Inc. | End-to-end policy enforcement in the presence of a traffic midpoint device |
- 2020-01-08: CN application CN202010019054.8A, granted as patent CN111262833B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN111262833A (en) | 2020-06-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11044232B2 (en) | Methods and apparatus to provide a distributed firewall in a network | |
EP1326393B1 (en) | Validation of the configuration of a Firewall | |
US10498765B2 (en) | Virtual infrastructure perimeter regulator | |
US6859827B2 (en) | Automatic device assignment through programmable device discovery for policy based network management | |
US8266685B2 (en) | Firewall installer | |
US7610621B2 (en) | System and method for behavior-based firewall modeling | |
US8081640B2 (en) | Network system, network management server, and access filter reconfiguration method | |
EP2582092A2 (en) | Network operating system for managing and securing networks | |
EP1657864A2 (en) | Communication traffic control rule generation methods and systems | |
JP2004364306A (en) | System for controlling client-server connection request | |
US11201781B2 (en) | Systems and methods for automatically configuring network isolation | |
CN108737217B (en) | Packet capturing method and device | |
US8914339B2 (en) | Device for managing data filters | |
CN111818077A (en) | Industrial control mixed honeypot system based on SDN technology | |
US11102172B2 (en) | Transfer apparatus | |
CN112751814B (en) | Information reporting method, data processing method and device | |
CN111262833B (en) | Network security processing method, terminal and storage medium | |
KR102184114B1 (en) | Method and apparatus for providing network security service | |
JP2007043483A (en) | Information processor, communication control method, and communication control program | |
JP7156310B2 (en) | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION CONTROL METHOD, AND PROGRAM | |
US10785115B2 (en) | Allocating enforcement of a segmentation policy between host and network devices | |
CN114978563B (en) | Method and device for blocking IP address | |
CN115514501B (en) | Method and device for blocking network attack | |
WO2024148851A1 (en) | Data stream processing method and device based on software defined network | |
CN117951684A (en) | Security protection method and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||