系统安装 centos 3.5 adsl nat代理上网实验笔记（学习之贴）

myjob

下载 CentOS-3.4-i386-Server.iso 刻录成光盘 找一双网卡机器，全部包安装
安装完成后ntsysv停掉一些不必要的服务
配置网络
------第一张网卡----------
Ip address:192.168.1.254
netmask:255.255.255.0
Net device:eth0
------第二张网卡----------
Ip address:192.168.254.254
Netmask:255.255.255.0
Net device:eth1

1  安装adsl
#adsl-setup


[root@LinuxSir02 root]# adsl-setup

Welcome to the ADSL client setup. First, I will run some checks on
your system to make sure the PPPoE client is installed properly...


LOGIN NAME

Enter your Login Name (default root): ADSL提供商给的用户名，写在这里

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0): eth1这是ADSL通过第一台机器的网卡eth1提供上网


Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped. If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses. You may have some problems with demand-activated links.
Enter the demand value (default no):在这里按一下回车就行了。

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here: 202.101.172.35这是DNS，最好用你本地电信给的杭州电信的主dnsPlease enter the IP address of your ISP's secondary DNS server.
If you just press enter, I will assume there is only one DNS server.
Enter the secondary DNS server address here: 202.96.104.18这是第二个DNS，也是电信给的。
PASSWORD

Please enter your Password:在这里把ADSL提供商给的密码写上
Please re-enter your Password:

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): yes

FIREWALLING

Please choose the firewall rules to use. Note that these rules are
very basic. You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security. If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself. Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc. If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules. You are responsible
for ensuring the security of your machine. You are STRONGLY
recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
for a LAN
Choose a type of firewall (0-2): 2

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no):yes

** Summary of what you entered **

Ethernet Interface: eth0
User name: ADSL用户名
Activate-on-demand: No
Primary DNS: 202.101.172.35
Secondary DNS: 202.96.104.18
Firewalling: MASQUERADE
User Control: yes
Accept these settings and adjust configuration files (y/n)?y



相关命令
用adsl-start拨号
adsl-stop下线
adsl-status 查看状态!

adsl-start

2 升级centos
rpm -import http://mirror.centos.org/centos/3.4/os/i386/RPM-GPG-KEY-CentOS-3

yum  -y update

升级更新至3.5

重启

配置放dhcp服务器

vi /etc/dhcp.conf

1. ddns-update-style interim;
   
2. ignore client-updates;
   
3. 
   
4. subnet 192.168.1.0 netmask 255.255.255.0 {
   
5. 
   
6. # --- default gateway
   
7.         option routers                  192.168.1.254;
   
8.         option subnet-mask              255.255.255.0;
   
9. 
   
10. #       option nis-domain               "domain.org";
    
11. #       option domain-name              "domain.org";
    
12.         option domain-name-servers      202.101.172.35,202.96.104.18,192.168.1.254;
    
13. 
    
14.         option time-offset              -18000; # Eastern Standard Time
    
15. #       option ntp-servers              192.168.1.1;
    
16. #       option netbios-name-servers     192.168.1.1;
    
17. # --- Selects point-to-point node (default is hybrid). Don't change this unless
    
18. # -- you understand Netbios very well
    
19. #       option netbios-node-type 2;
    
20. 
    
21.         range dynamic-bootp 192.168.1.100 192.168.1.200;
    
22.         default-lease-time 864000;
    
23.         max-lease-time 2592000;
    
24. 
    
25.         # we want the nameserver to appear at a fixed address
    
26.         #host ns {
    
27.         #       next-server marvin.redhat.com;
    
28.         #       hardware ethernet 12:34:56:78:AB:CD;
    
29.         #       fixed-address 207.175.42.254;
    
30.         #}
    
31. }
    
32. subnet 192.168.1.0 netmask 255.255.255.0 {
    
33. }

复制代码

vi /etc/sysconfig/dhcpd

# Command line options here
DHCPDARGS="eth0"

dhcp服务绑定eth0.

services dhcpd start

3:建立简易防火墙，

vi /root/iptables.rule

1. #!/bin/bash
   
2. # The interface that connect Internet
   
3.   WAN_ETH="ppp0"
   
4. # the inside interface. if you don't have this one
   
5. # and you must let this be black ex>; LAN_ETH=""
   
6.   LAN_ETH="eth0"
   
7.   LAN_NET="192.168.1.0/24"      # This is for NAT's network
   
8. 
   
9. echo 1 >; /proc/sys/net/ipv4/ip_forward
   
10. 
    
11. # 1.0
    
12.   kver=`uname -r | cut -c 1-3`
    
13.   if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then
    
14.         echo "Your Linux Kernel Version may not be suported by this script!"
    
15.         echo "This scripts will not be runing"
    
16.         exit
    
17.   fi
    
18.   ipchains=`lsmod | grep ipchains`
    
19.   if [ "$ipchains" != "" ]; then
    
20.         echo "unload ipchains in your system"
    
21.         rmmod ipchains 2>; /dev/null
    
22.   fi
    
23. 
    
24. # 2.0
    
25.   PATH=/sbin:/bin:/usr/sbin:/usr/bin
    
26.   export PATH WAN_ETH LAN_ETH LAN_NET
    
27.   modprobe ip_tables            #>; /dev/null 2>;&1
    
28.   modprobe iptable_nat          #>; /dev/null 2>;&1
    
29.   modprobe ip_nat_ftp           #>; /dev/null 2>;&1
    
30.   modprobe ip_nat_irc           #>; /dev/null 2>;&1
    
31.   modprobe ip_conntrack         #>; /dev/null 2>;&1
    
32.   modprobe ip_conntrack_ftp     #>; /dev/null 2>;&1
    
33.   modprobe ip_conntrack_irc     #>; /dev/null 2>;&1
    
34. 
    
35. 
    
36. # 3.0
    
37.   /sbin/iptables -F
    
38.   /sbin/iptables -X
    
39.   /sbin/iptables -Z
    
40.   /sbin/iptables -F -t nat
    
41.   /sbin/iptables -X -t nat
    
42.   /sbin/iptables -Z -t nat
    
43.   /sbin/iptables -P INPUT   DROP
    
44.   /sbin/iptables -P OUTPUT  ACCEPT
    
45.   /sbin/iptables -P FORWARD ACCEPT
    
46.   /sbin/iptables -t nat -P PREROUTING  ACCEPT
    
47.   /sbin/iptables -t nat -P POSTROUTING ACCEPT
    
48.   /sbin/iptables -t nat -P OUTPUT      ACCEPT
    
49. 
    
50. # 4.0
    
51.   /sbin/iptables -A INPUT -i lo   -j ACCEPT
    
52.   if [ "$LAN_ETH" != "" ]; then
    
53.         /sbin/iptables -A INPUT -i $LAN_ETH -j ACCEPT
    
54.         echo "1" >; /proc/sys/net/ipv4/ip_forward
    
55.         /sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_ETH -j MASQUERADE
    
56.   fi
    
57. 
    
58. # 5.0
    
59.   if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    
60.         sh /usr/local/virus/iptables/iptables.deny
    
61.   fi
    
62.   if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    
63.         sh /usr/local/virus/iptables/iptables.allow
    
64.   fi
    
65. 
    
66. # 6.0
    
67.   if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
    
68.         sh /usr/local/virus/httpd-err/iptables.http
    
69.   fi
    
70. 
    
71. # 7.0 allow ICMP
    
72.   /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
73.   AICMP="0 3 3/4 4 11 12 14 16 18"
    
74.   for tyicmp in $AICMP
    
75.   do
    
76.         /sbin/iptables -A INPUT -i $WAN_ETH -p icmp --icmp-type $tyicmp -j ACCEPT
    
77.   done
    
78. 
    
79. # 8.0 Allow services
    
80. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport  22 -j ACCEPT     # SSH
    
81. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport  25 -j ACCEPT     # SMTP
    
82. #  /sbin/iptables -A INPUT -p UDP -i $WAN_ETH --dport  53 -j ACCEPT     # DNS
    
83. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport  53 -j ACCEPT     # DNS
    
84. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport  80 -j ACCEPT     # WWW
    
85. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 110 -j ACCEPT     # POP3
    
86. #  /sbin/iptables -A INPUT -p TCP -i $WAN_ETH --dport 113 -j ACCEPT     # auth
    
87. 
    
88. # 9.0 Allow NAT for intranet Servers
    
89. iptables -t nat -A PREROUTING -i $WAN_ETH -p tcp --dport http -j DNAT --to 192.168.1.148:80
    
90. iptables -t nat -A PREROUTING -i $WAN_ETH -p tcp --dport 8080 -j DNAT --to 192.168.1.1:80
    
91. iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport ftp -j DNAT --to 192.168.1.1
    
92. iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport ftp-data -j DNAT --to 192.168.1.1
    
93. iptables -t nat -A PREROUTING -p tcp -m tcp -i $WAN_ETH --dport 2121 -j DNAT --to 192.168.1.148:2121
    
94. 
    
95. # 10  Hardening the TCP/IP stack to SYN attacks
    
96. echo "1" >; /proc/sys/net/ipv4/tcp_syncookies
    
97. iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
    
98. iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
    
99. 
    
100. #  11  Allow NAT for intranet BT Emule
     
101. #iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4000 -j DNAT --to 192.168.1.112:4000
     
102. iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6881 -j DNAT --to 192.168.1.193:6881
     
103. iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.1.193:4662
     
104. iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.193:4672
     
105. iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 16881 -j DNAT --to 192.168.1.189:16881

复制代码

cd /root
chmod 700 iptables.rule

vi /etc/rc.d/rc.local

添加如下二行使之启动世执行

# add iptables firewall
/root/iptables.rule



mkdir /root/3322

cd /root/3322

wget http://www.3322.org/dyndnspage/ez-ipupdate-3.0.10-linux-i386.tgz

tar zxvf ez-ipupdate-3.0.10-linux-i386.tgz

mv ez-ipupdate-3.0.10-linux-i386/* .

vi qdns.conf

1. service-type=qdns
   
2. user=flypc:password //用户名及密码，用冒号隔开
   
3. host=flypc.3322.org //你申请的域名
   
4. interface=ppp0 //接口为ppp0
   
5. max-interval=2073600
   
6. cache-file=/tmp/ez-ipupdate.cache

复制代码

ez-ipupdate -c qdns.conf

成功

vi monitorip

1. #!/bin/bash
   
2. ###filename:monitorip.sh
   
3. if [ -f /root/3322/ip.txt ]
   
4. then
   
5. echo "12" >;/dev/null
   
6. else
   
7. ifconfig|grep P-t-P >; /root/3322/ip.txt
   
8. fi
   
9. org_ip=`cat /root/3322/ip.txt|cut -d: -f 2|cut -d ' ' -f 1`
   
10. now_ip=`ifconfig|grep P-t-P|cut -d: -f 2|cut -d ' ' -f 1`
    
11. if [ $org_ip = $now_ip ]  
    
12. then
    
13. echo "donot need update ip\n" >;/dev/null  
    
14. else
    
15. ifconfig|grep P-t-P >; /root/3322/ip.txt
    
16. /root/3322/ez-ipupdate -c /root/3322/qdns.conf
    
17. fi

复制代码

chmod 700 monitorip
vi /etc/crontab

添加一行

*/5 * * * * root /root/3322/monitorip

每五分钟执行一次

service crond restart

重启cron服务


动态域名绑定完成～

ccino

辛苦了。虽然我用redhat as4