2007/01/29

CentOS 4.4: Building a Dynamic Website with a Firewall and NAT Forwarding

Install the ADSL dialer rp-pppoe
It is on the DVD installation disc.
Put the disc into the drive.
mount /media/cdrom
cd /media/cdrom/CentOS/RPMS/
rpm -ivh rp-pppoe-*.rpm

Now we configure the ADSL dial-up.
[root@bbs RPMS]# adsl-setup

Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...


LOGIN NAME

Enter your Login Name (default root): your-username

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth0

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no): no

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: your local DNS address (for Chongqing Telecom this is 61.128.128.68)
Please enter the IP address of your ISP's secondary DNS server.
If you just press enter, I will assume there is only one DNS server.
Enter the secondary DNS server address here: your local secondary DNS address (for Chongqing Telecom this is 61.128.192.68)

PASSWORD

Please enter your Password: type your password
Please re-enter your Password: type it again

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes):

FIREWALLING

Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): 2 (choose a firewall type; we want this machine to be a gateway, so pick 2)

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

** Summary of what you entered **

Ethernet Interface: eth0
User name: your-username
Activate-on-demand: No
Primary DNS: 61.128.128.68
Secondary DNS: 61.128.192.68
Firewalling: MASQUERADE
User Control: yes
Accept these settings and adjust configuration files (y/n)? y
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/resolv.conf
(But first backing it up to /etc/resolv.conf.bak)
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
(But first backing it up to /etc/ppp/chap-secrets.bak)
(But first backing it up to /etc/ppp/pap-secrets.bak)



Congratulations, it should be all set up!

Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.
With this, ADSL auto-dial at boot is configured.

Then run
# adsl-start
to start the connection.

Check whether the connection succeeded:
# ifconfig
If ppp0 appears and shows an IP address, it worked.

Next we configure the gateway so that every machine on the LAN can reach the Internet through this one.
Suppose we have several machines connected through a switch, and the machine we are installing the server on has a single network card. That is enough: one network card plus a switch lets the LAN share the Internet connection, since the PPPoE session runs over the same card; a second card is not required.

vi /etc/sysconfig/network
Change it as follows:
NETWORKING=yes
HOSTNAME=admin.cnprint.org
GATEWAY=

Save.
vi /etc/sysconfig/network-scripts/ifcfg-eth0
Change it as follows:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.9.120
NETMASK=255.255.255.0
GATEWAY=192.168.9.120

vi /etc/hosts
127.0.0.1 localhost
192.168.1.1 linux001
192.168.1.2 linux002
....... (omitted) ......
192.168.1.100 linux100
....... (omitted) ......
192.168.1.254 linux254


Save.
Because this machine itself is the LAN gateway, we set its gateway to its own IP address.

One more thing to watch if you are hosting a site: the connection is dropped automatically on timeout. The fix is
vi /etc/sysconfig/network-scripts/ifcfg-ppp0
and change the number after PPPOE_TIMEOUT= to 0 and the number after CONNECT_TIMEOUT= to 0. Your connection will then be stable.
Then cp /etc/sysconfig/network-scripts/ifcfg-ppp0 /etc/ppp/pppoe.conf
so that you can bring up your ADSL with adsl-connect &.
When the line drops, it redials automatically. Also, if you need to reboot the server, do not forget to change ONBOOT=no to ONBOOT=yes in both pppoe.conf and /etc/sysconfig/network-scripts/ifcfg-ppp0; otherwise after a reboot neither you nor anyone else will be able to reach your server. ^-^

Edit the firewall:
vi /usr/local/sbin/fw.sh

Paste the following script into fw.sh


#!/bin/bash

# Fill in your own parameters first, and do not get them wrong!
EXTIF="ppp0"            # the interface that carries the public IP
INIF="eth0"             # the interface facing the internal LAN; set "" if there is none
INNET="192.168.9.0/24"  # the internal LAN network; set "" if there is no LAN
export EXTIF INIF INNET

# Part one: firewall settings for this host itself ###########################
# 1. Kernel network settings first:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo "0" > $i
done

# 2. Flush the rules, set the default policies, and allow lo and related traffic
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

# 3. Run the extra firewall script modules, if they exist
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
    sh /usr/local/virus/httpd-err/iptables.http
fi
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# 4. Allow certain ICMP types in
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 5. Allow certain services in; enable them according to your own environment
#    (with INPUT defaulting to DROP, a service stays unreachable from the
#    outside until its line here is uncommented, e.g. port 80 for the web site)
# iptables -A INPUT -p TCP -i $EXTIF --dport 22 -j ACCEPT   # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25 -j ACCEPT   # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --sport 53 -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --sport 53 -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT   # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT  # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 -j ACCEPT  # HTTPS

# Part two: firewall settings for the hosts behind this gateway ##############
# 1. Load some useful modules first
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
    testmod=`lsmod | grep "${mod} "`
    if [ "$testmod" == "" ]; then
        modprobe $mod
    fi
done

# 2. Flush the rules of the NAT table
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# 3. Turn this host into a router and IP-sharing (masquerading) gateway
if [ "$INIF" != "" ]; then
    /sbin/iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
fi

# If MSN keeps failing to connect, or some sites work and others do not,
# it may be an MTU problem; uncomment the line below to clamp the MSS range
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
#     --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. Internal servers (forward a port from the outside to a host on the LAN):
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
#     -j DNAT --to 192.168.1.210:80

# Everything not matched above is dropped by the INPUT policy; this last rule
# only restates the accept for established and related connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Save. This script comes straight from 鸟哥's (Vbird's) tutorial material; his tutorials are really well written.

# chmod 755 /usr/local/sbin/fw.sh
# echo '/usr/local/sbin/fw.sh' >> /etc/rc.local
# /usr/local/sbin/fw.sh

# ifdown eth0
# ifup eth0
# route

The following output should appear:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.17.1.1 * 255.255.255.255 UH 0 0 0 ppp0
192.168.9.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 172.17.1.1 0.0.0.0 UG 0 0 0 ppp0

If it looks like this, we have succeeded.

Then configure the other machines on the LAN with:
IP address: 192.168.9.***
Subnet mask: 255.255.255.0
Gateway: 192.168.9.120
DNS: the DNS servers of the telecom provider that supplies your ADSL.

The machines on the LAN can now reach the Internet through this machine, and at the same time this machine serves the web site to the outside world.

Install 3322 dynamic IP updating.
Apply for a 3322 dynamic DNS account, then:
# yum install lynx

lynx -mime_header -auth=username:userpassword "http://www.3322.org/dyndns/update?system=dyndns&hostname=yourdomain"


# vi /etc/ppp/dyndns.sh

Write the following into it:
#!/bin/sh
lynx -mime_header -auth=username:userpassword "http://www.3322.org/dyndns/update?system=dyndns&hostname=yourdomain"


# chmod 777 /etc/ppp/dyndns.sh


Then, in the mydns settings of your fixed domain, set up the fixed domain as an alias (CNAME) of the 3322 dynamic hostname you registered.
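The cron job above pushes an update every few minutes whether or not the address changed, and the script carries the password in a world-readable file. The following script is an added example, not part of the original post: it sends the same 3322 request only when the address on ppp0 has actually changed, and it refuses to run unless the credentials file is readable by its owner alone. It assumes net-tools ifconfig output, a credentials file /etc/ppp/dyndns.auth holding "username:password", and the post's placeholder hostname "yourdomain".

```shell
#!/bin/sh
# Added example (not from the original post): update 3322 only when the ppp0
# address changed, with credentials in a mode-0600 file instead of the script.
# Assumptions: interface ppp0, /etc/ppp/dyndns.auth = "username:password".
IFACE="${IFACE:-ppp0}"
HOST_3322="${HOST_3322:-yourdomain}"             # placeholder from the post
AUTH_FILE="${AUTH_FILE:-/etc/ppp/dyndns.auth}"
CACHE="${CACHE:-/var/run/dyndns-last-ip}"        # last address we pushed
# IPv4 address on the interface ("inet addr:" or "inet" formats); empty if down.
current_ip() {
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1
}
# 0 only when the credentials file exists and nobody but its owner can read it.
auth_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c2-10)" = "rw-------" ]
}
# 0 when an update is due: a known address that differs from the cached one.
needs_update() {   # $1 = current address, $2 = cache file
    [ -n "$1" ] || return 1
    [ "$(cat "$2" 2>/dev/null)" != "$1" ]
}
# The same request the post uses; the user:password pair is read from AUTH_FILE.
send_update() {
    lynx -mime_header -auth="$(cat "$AUTH_FILE")" \
        "http://www.3322.org/dyndns/update?system=dyndns&hostname=$HOST_3322"
}
# One pass: returns 0 when nothing was needed or the update went through.
run() {
    addr=$(current_ip "$IFACE")
    if ! needs_update "$addr" "$CACHE"; then
        return 0              # unchanged or link down: do not hammer the provider
    fi
    if ! auth_file_ok "$AUTH_FILE"; then
        echo "refusing to run: $AUTH_FILE must exist with mode 0600" >&2
        return 2
    fi
    if send_update >/dev/null 2>&1; then
        echo "$addr" > "$CACHE"   # remember what was pushed so the next run is a no-op
    fi
}
if [ "${1:-}" = "--cron" ]; then run; fi
```

Run it from root's crontab as `*/3 * * * * /etc/ppp/dyndns-update.sh --cron`; the `--cron` argument keeps the file safe to source for testing.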

After using ADSL for a while as the access method for a dynamic website, we find that sometimes the ADSL line drops but the dialer does not actually redial, leaving ADSL hung there, and of course your site is then dead. Heh.

What to do about it? We can write a script that checks the connection state automatically.

vi /etc/ppp/pppoe.sh

#!/bin/sh
# probe an outside host; if no reply, kill pppoe so the connection is redialed
ping -c5 www.163.com > /dev/null 2>&1
if [ "$?" != "0" ]; then
    /usr/bin/killall -9 pppoe
fi

Save. Once pppoe has been killed, the program redials automatically and obtains a fresh connection, because we configured reconnect-on-disconnect earlier.

# crontab -e
*/2 * * * * /etc/ppp/pppoe.sh
*/3 * * * * /etc/ppp/dyndns.sh

(These go into root's own crontab, which has no user column; the `root` field belongs only in /etc/crontab.)
The first line runs /etc/ppp/pppoe.sh every 2 minutes to check whether the line has dropped and redial if it has.
The second runs the dynamic IP update every 3 minutes.
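The five-ping check above redials on a single lost probe and says nothing about what it did. The following watchdog is an added example, not the post's own script: it probes through ppp0 itself, so a reply over some other route cannot mask a dead PPPoE session, acts only after two consecutive failures, logs the action, and then uses the post's own recovery (kill pppoe so that adsl-connect redials). It assumes interface ppp0, the post's probe host www.163.com, net-tools ifconfig output, and a failure counter kept under /var/run.

```shell
#!/bin/sh
# Added example (not from the original post): PPPoE watchdog that probes through
# ppp0 itself, acts only after two consecutive failures and logs what it did.
# Assumptions: interface ppp0, probe host www.163.com (from the post), counter in /var/run.
IFACE="${IFACE:-ppp0}"
PROBE_HOST="${PROBE_HOST:-www.163.com}"
STATE="${STATE:-/var/run/pppoe-watchdog.fails}"
THRESHOLD=2
# 0 when the interface exists and carries an address.
link_has_addr() {
    ifconfig "$1" 2>/dev/null | grep -q 'inet '
}
# Probe bound to the link, so a reply over another route cannot mask a dead session.
probe_link() {
    ping -c 3 -W 2 -I "$1" "$2" >/dev/null 2>&1
}
# Pure decision, testable without a network: $1 link (0 up/1 down), $2 probe
# (0 ok/1 failed), $3 previous consecutive failures. Prints ok | wait | redial.
decide() {
    if [ "$1" -ne 0 ]; then echo redial
    elif [ "$2" -eq 0 ]; then echo ok
    elif [ $(($3 + 1)) -ge "$THRESHOLD" ]; then echo redial
    else echo wait
    fi
}
# Same recovery as the post: kill pppoe and let adsl-connect redial.
redial() {
    logger -t pppoe-watchdog "$IFACE unusable, killing pppoe so adsl-connect redials"
    killall -9 pppoe
}
# One pass: prints the action taken and keeps the failure counter in STATE.
run() {
    prev=$(cat "$STATE" 2>/dev/null || true)
    prev=${prev:-0}
    if link_has_addr "$IFACE"; then up=0; else up=1; fi
    if [ "$up" -eq 0 ] && probe_link "$IFACE" "$PROBE_HOST"; then ok=0; else ok=1; fi
    action=$(decide "$up" "$ok" "$prev")
    case "$action" in
        wait)   echo $((prev + 1)) > "$STATE" ;;
        ok)     echo 0 > "$STATE" ;;
        redial) echo 0 > "$STATE"; redial ;;
    esac
    echo "$action"
}
if [ "${1:-}" = "--cron" ]; then run; fi
```

Schedule it in place of pppoe.sh with `*/2 * * * * /etc/ppp/pppoe-watchdog.sh --cron`; the decision is logged via syslog, so a hung line leaves a trace instead of a silent redial.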
